
I am trying to use OAuth2 with Spring Security, with the following config XML:

```xml
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauthUserAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
</http>
<http auto-config="true" pattern="/services/rest/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/services/rest/**"/>
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
```

I successfully generated a token. Now, while trying to access the secured resources, if I pass the token in the header, everything works fine. But if I don't pass the token, security is bypassed.

I checked the code of OAuth2AuthenticationProcessingFilter:

```java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
        ServletException {

    final boolean debug = logger.isDebugEnabled();
    final HttpServletRequest request = (HttpServletRequest) req;
    final HttpServletResponse response = (HttpServletResponse) res;

    try {

        Authentication authentication = tokenExtractor.extract(request);

        if (authentication == null) { // If token is null, do nothing
            if (debug) {
                logger.debug("No token in request, will continue chain.");
            }
        }
        else {
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
            if (authentication instanceof AbstractAuthenticationToken) {
                AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
                needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
            }
            Authentication authResult = authenticationManager.authenticate(authentication);

            if (debug) {
                logger.debug("Authentication success: " + authResult);
            }

            SecurityContextHolder.getContext().setAuthentication(authResult);

        }
    }
    catch (OAuth2Exception failed) {
        SecurityContextHolder.clearContext();

        if (debug) {
            logger.debug("Authentication request failed: " + failed);
        }

        authenticationEntryPoint.commence(request, response,
                new InsufficientAuthenticationException(failed.getMessage(), failed));

        return;
    }

    chain.doFilter(request, response);
}
```

Any idea why this filter skips security if the token is not present? Should I add some other filter to handle this case?

Sunny Agarwal

1 Answer


Try

```xml
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
```
Dave Syer
  • @Dave As you suggested, I added the access to my api intercept url and it worked. – Sunny Agarwal Sep 02 '14 at 05:28
  • Dave, can you explain the reason too? Facing the same issue. – Dipanshu Verma Nov 13 '15 at 12:27
  • What do you mean? You want to know why access should be protected? That's really the point of having security configuration in the first place. We just need to tell Spring Security what level of access is required for each resource (the OP didn't do that). – Dave Syer Nov 13 '15 at 12:44
  • @Dave Syer, I have a similar issue: https://stackoverflow.com/questions/46354177/getting-404-after-oauth2-authentication-success-and-an-anonymous-token can you please advise about it? – Mahmoud Saleh Sep 25 '17 at 12:53
  • @DaveSyer Can you please help me on https://stackoverflow.com/questions/48806722/can-i-append-some-information-in-oauth-check-token-endpoint-and-retrieve-it-at-a –  Feb 22 '18 at 12:05
  • @DaveSyer And https://stackoverflow.com/questions/48849961/can-we-add-custom-accessdecisionvoter-in-pure-authorization-server –  Feb 22 '18 at 12:06
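As an added illustration (not part of the question or of Dave Syer's answer), here is the resource-server `<http>` block from the question with the missing access rule filled in as the answer suggests. The pattern `/**` in the answer and `/services/rest/**` below cover the same requests, because this chain is already scoped by `pattern="/services/rest/**"`; the bean names are the ones from the question.

```xml
<!-- Resource-server filter chain from the question; only the access rule changes. -->
<http auto-config="true" pattern="/services/rest/**" create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>

    <!-- BEFORE (as posted): the URL is matched, but no access attribute is
         attached to it, so a request without a token is never challenged.
         OAuth2AuthenticationProcessingFilter sees no token, continues the
         chain, and nothing later demands an authenticated principal. -->
    <!-- <intercept-url pattern="/services/rest/**"/> -->

    <!-- AFTER (the accepted answer): every request in this chain must carry
         a fully authenticated principal, i.e. a valid bearer token that
         resourceServerFilter has already turned into an Authentication. -->
    <intercept-url pattern="/services/rest/**" access="IS_AUTHENTICATED_FULLY"/>

    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
```

After this change, a request under `/services/rest/` that carries no bearer token no longer reaches the controller: the access check fails and `oauthAuthenticationEntryPoint` answers it instead, which is the quickest way to confirm the fix took effect.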