0

With spring-cloud Angel.SR3 release I followed example in https://github.com/spring-cloud-samples/sso and things work fine with spring-boot 1.2.6.RELEASE.

However with spring-boot 1.3.0.RC1, the oauth2 stuff has moved into spring-boot itself, and the code below fails to compile because class OAuth2SsoConfigurerAdapter no longer exists.

What is the spring-boot only way to create equivalent configuration? 

public static void main(String[] args) {
    SpringApplication.run(MainAppApplication.class, args);
}

...

@Component
public static class LoginConfigurer extends OAuth2SsoConfigurerAdapter  {

    @Override
    public void match(RequestMatchers matchers) {
        matchers.antMatchers("/dashboard/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/dashboard/**").authorizeRequests().anyRequest()
        .authenticated().and().csrf()
        .csrfTokenRepository(csrfTokenRepository()).and()
        .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
    ...
        };
    }

    ...

}
lee
  • 121
  • 1
  • 13
  • You have to configure both authorization and resource server. Your LoginConfigurer is kind of what the resource server should be. Take a look at [this](https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/jdbc/src/main/java/demo/Application.java) example – jscherman Oct 26 '15 at 18:38
  • I have Authorization server and resource server configured. What I'm looking for is the Spring-Boot 1.3 equivalent of OAuth2SsoConfigurerAdapter class (which used to be in Angel.SR3 version of spring-cloud, but removed from Brixton.M1) – lee Oct 27 '15 at 02:46

2 Answers2

3

You just have to use org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter and carefully use this annotation org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso

I've written carefully because its behaviour depends on where you add it. As stated in the javadoc:

Enable OAuth2 Single Sign On (SSO). If there is an existing WebSecurityConfigurerAdapter provided by the user and annotated with @EnableOAuth2Sso, it is enhanced by adding an authentication filter and an authentication entry point. If the user only has @EnableOAuth2Sso but not on a WebSecurityConfigurerAdapter then one is added with all paths secured and with an order that puts it ahead of the default HTTP Basic security chain in Spring Boot.

Hope that helps!

tryingToLearn
  • 10,691
  • 12
  • 80
  • 114
HowHigH
  • 145
  • 1
  • 7
2

Turns out not special adapter needed, just the regular WebSecurityConfigurerAdapter does the trick. You cannot tell the code from below if oauth2 SSO is involved, more transparent, sort to speak.

@Configuration 
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private SecurityProperties security;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
        .authorizeRequests()
            .antMatchers("/", "/ssologout").permitAll()
            .anyRequest().fullyAuthenticated()
        .and()
            .formLogin()
                .loginPage("/login").failureUrl("/login?error")
            .permitAll()
        .and()
            .logout().permitAll();
        // @formatter:on
    }

}
lee
  • 121
  • 1
  • 13
  • btw I don't think you need the @Autowired and private property, Spring boot will auto inject it into the configure method – Eddie Jaoude Jan 10 '16 at 12:15