spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Cannot redirect to custom authentication login page #786

Open daniellwu opened 8 years ago

daniellwu commented 8 years ago

By default, basic HTTP authentication is used to protect the /oauth/authorize endpoint. I want to override it and supply my own custom login page. Should be simple, right? But I cannot for the life of me get it to work in the context of spring-security-oauth. When calling the authorize endpoint (e.g. http://127.0.0.1:9898/sample/oauth/authorize?response_type=code&client_id=acme&redirect_uri=http://127.0.0.1:9898/sample/login/), a 401 and a browser login popup are presented, instead of a redirect to /login.

Full source (skeleton project stripped down to bare minimums): https://github.com/daniellwu/sample-spring-oauth/blob/master/src/main/java/com/dwu/Application.java

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.RestController;

@RestController
@EnableResourceServer
public class Application extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest().authenticated()                 // every request needs an authenticated user
                    .and()
                .formLogin().loginPage("/login").permitAll();     // custom login page, reachable anonymously
    }
    ...

I also confirmed that the login page itself is public by accessing it directly (http://127.0.0.1:9898/sample/login/). But calls to the /oauth/authorize endpoint don't redirect to it.

I saw there's a related issue that's resolved by a code fix, but I've confirmed that the version I'm running has this fix already. https://github.com/spring-projects/spring-security-oauth/issues/634

A related stackoverflow issue: http://stackoverflow.com/questions/35976631/how-does-spring-oauth2-login-redirect-work

My versions:
org.springframework.boot:spring-boot:1.3.5.RELEASE
org.springframework.security.oauth:spring-security-oauth2:2.0.10.RELEASE
org.springframework.security:spring-security-config:4.0.4.RELEASE
org.springframework.security:spring-security-core:4.0.4.RELEASE
org.springframework.security:spring-security-web:4.0.4.RELEASE

daniellwu commented 8 years ago

OK, I think I know what the problem is. Taking a closer look at the spring-boot-oauth2 tutorial, it shows

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.antMatcher("/**")                                                    // (1)
    .authorizeRequests()
      .antMatchers("/", "/login**", "/webjars/**").permitAll()              // (2)
      .anyRequest().authenticated()                                         // (3)
    .and().exceptionHandling()
      .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"))  // (4)
    ...
}

It appears that in spring-boot-oauth2, you have to explicitly add an exception handler to redirect to the login page. This is in contrast with the vanilla Spring Security tutorial, where the redirection to the login page is automatic.

    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

In the vanilla spring security tutorial, an unauthenticated request to the /hello page will redirect you to /login without an explicit exception handler.

So I guess this is more a feature request now. Can spring-security-oauth's ResourceServerConfiguration.java be changed somehow to support automatic redirection to the login page, like vanilla spring security?
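
The tutorial snippet quoted above is, in the tutorial's source, a WebSecurityConfigurerAdapter, i.e. a separate browser-facing filter chain, and that is where a form login belongs: the chain that @EnableResourceServer builds (ResourceServerConfiguration) is configured with SessionCreationPolicy.STATELESS, so a login performed inside it is not remembered on the next request. The following is an added example, not code from this issue or from the spring-security-oauth project, of such a dedicated chain for the authorization endpoint: it scopes itself to the end-user paths, redirects unauthenticated browsers to /login with an explicit LoginUrlAuthenticationEntryPoint, and leaves token and API requests to the resource-server chain so they still receive a 401 rather than an HTML redirect. The class name, the @Order value, the /login page and the inclusion of /oauth/confirm_access are choices made for this example; it assumes Spring Boot 1.x with spring-security-oauth2 2.0.x and an authorization server running in the same application.

```java
// Added example, not from the issue or from spring-security-oauth.
// Assumes Spring Boot 1.x + spring-security-oauth2 2.0.x with an authorization
// server in the same application. Class name, order value and paths are assumptions.
package com.example.config; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
// Lower value = higher precedence. This chain must be consulted before the
// resource-server chain (order 3 in spring-security-oauth's own
// ResourceServerConfiguration; Spring Boot may move that chain later via
// spring.oauth2.resource.filter-order, never earlier than this).
@Order(2)
public class AuthorizeEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the end-user-facing paths only: the authorize
            // endpoint, the whitelabel consent page and the login page.
            // /oauth/token is deliberately NOT here: clients authenticate to it
            // with HTTP Basic in the authorization-server chain, and API
            // requests carrying Bearer tokens stay in the resource-server chain,
            // where a missing token still yields a 401 with a Bearer challenge.
            .requestMatchers()
                .antMatchers("/oauth/authorize", "/oauth/confirm_access", "/login", "/login/**")
                .and()
            .authorizeRequests()
                .antMatchers("/login", "/login/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Explicit entry point: an unauthenticated browser requesting
            // /oauth/authorize is redirected to /login (the request is saved and
            // replayed after login), matching what the tutorial snippet does.
            .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .and()
            // Session-based form login; this chain keeps the default (stateful)
            // session policy, so the authenticated user survives across requests.
            .formLogin()
                .loginPage("/login")
                .permitAll();
        // csrf() is left at its default (enabled): the custom /login form must
        // submit the _csrf token or the login POST is rejected with 403.
    }
}
```

AuthorizationEndpoint itself refuses to proceed without an authenticated Principal (it throws InsufficientAuthenticationException), so the redirect has to be produced by the filter chain before the request reaches the endpoint, which is exactly what the entry point above does. If the resource-server chain were allowed to see /oauth/authorize first, its stateless configuration would discard the login session and the user would loop back to /login on every request.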

tkvangorder commented 8 years ago

Thanks,

You saved me a lot of time... I have been struggling with this for a while after upgrading to Spring Boot 1.4.

mdillenk commented 7 years ago

@daniellwu Thanks! This was exactly what I was looking for.