search

spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0
4.69k stars 4.05k forks source link

Resource Server ignore Bearer token when deployed in the same app with Authorization Server #980

Open endymuhardin opened 7 years ago

endymuhardin commented 7 years ago

I am creating a Spring Boot app containing both Authorization Server and Resource Server with the following configuration

@EnableWebSecurity(debug = true)
public class KonfigurasiSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("endy").password("123").authorities("ADMIN").and()
                .withUser("anggi").password("123").authorities("CUSTOMER");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/**").authenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class KonfigurasiAuthServer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("hasAuthority('CLIENT')");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                    .inMemory()
                    .withClient("clientapp")
                    .secret("123456")
                    .authorities("CLIENT")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .scopes("read", "write")
                    .autoApprove(true)
                    .resourceIds("belajarsso");
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId("belajarsso");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/api/**")
                    .and().authorizeRequests()
                    .antMatchers("/api/**")
                    .authenticated();
        }

    }
}

I also have a Controller 

@RestController
public class UserController {

    @RequestMapping({"/api/user", "/api/me"})
    public Authentication user(Authentication auth) {
        return auth;
    }
}

After access token is obtained (through usual login process and exchanging authcode), the controller can be accessed if the token is supplied in request parameter as such http://localhost:20000/api/user?access_token=blablabla-yadda-yadda-yadda

However, if access token is used in authorization header as such

curl -H 'Authorization: Bearer blablabla-yadda-yadda-yadda' http://localhost:10000/api/user

It will return 301 redirect to login page.

My suspicion is the @EnableResourceServer somehow either fail to register or misconfigure OAuth2AuthenticationProcessingFilter to conflict with BasicAuthenticationFilter.

Am I correct? How can I debug the exact sequence of installed filter? The debug log (I suppose) only display filters hit by request, not all installed/active filters.

Pls advise, thx

forbreak commented 7 years ago

Could you fix it? I have also encountered the same problem.

peah90 commented 7 years ago

Any updates on this? I am facing the same problem.

heyuxian commented 7 years ago

I am facing the same problem too. I'm using Spring Boot 1.5.2.RELEASE.

Jardo-51 commented 6 years ago

Same problem here. Spring Boot 1.5.6.RELEASE.

jolucama commented 6 years ago

Same problem here. 1.5.8.RELEASE. Cannot find anyway to put them together using JWT and RSA keys. I think one override the configuration of the other

jolucama commented 6 years ago

Hi guys,

I found the problem and it is working now for me. I think it is kind of what i said before so you need to add this annotation on top of your WebSecurityConfigurerAdapter:

@Configuration @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { ...

Regards Jose