8

I dont have reputation to comment, otherwise this post describes exactly the same issue.

I have successfully implemented spring security oauth2 2.0.5 in a spring 4 application. All works fine, i can generate tokens and api requests are properly authenticated. But the problem is that once an api is authenticated with an access token inside a browser based application, the subsequent calls dont need the access token because -it seems spring security relies on the sessionid instead to identify and authenticate the user. - the calls seem to validate even after the expiry of the access token.

So it appears spring relies on access token only for the first call, then it relies on the cookie/jsessionid. I tried to disable the behavior in the following way(learning from the sparklr2) -

Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable();
        //oauth2 recommends that oauth token url should be only available to authorized clients
        http.requestMatchers().antMatchers("/oauth/token").and().authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic().authenticationEntryPoint(oAuth2AuthenticationEntryPoint()).and()
                .addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler);

    }

but that does not help. In the logs I can see -

Trying to match using Ant [pattern='/oauth/token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token' Trying to match using Ant [pattern='/oauth/token_key'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token_key' Trying to match using Ant [pattern='/oauth/check_token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/check_token' No matches found Trying to match using Ant [pattern='/v1.0/'] Checking match of request : '/v1.0/printconfig/'; against '/v1.0/' matched /v1.0/printconfig/ at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' /v1.0/printconfig/ at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@bd392350: Authentication: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER' /v1.0/printconfig/ at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter' Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6044b89b /v1.0/printconfig/ at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter' Checking match of request : '/v1.0/printconfig/'; against '/logout' /v1.0/printconfig/ at position 5 of 10 in additional filter chain; firing Filter: > 'OAuth2AuthenticationProcessingFilter' Token not found in headers. Trying request parameters. Token not found in request parameters. Not an OAuth2 request. No token in request, will continue chain. /v1.0/printconfig/ at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' /v1.0/printconfig/ at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' /v1.0/printconfig/ at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter' /v1.0/printconfig/ at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' /v1.0/printconfig/ at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' Checking match of request : '/v1.0/printconfig/'; against '/v1.0/**' Secure object: FilterInvocation: URL: /v1.0/printconfig/; Attributes: [#oauth2.throwOnError(hasRole('ROLE_USER'))] Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f574bdc, returned: 1 Authorization successful RunAsManager did not change Authentication object /v1.0/printconfig/ reached end of additional filter chain; proceeding with original chain Chain processed normally SecurityContextHolder now cleared, as request processing completed

As you can see oauth token headers werent present but still a different filter identified the session. I would love to disable the sessionId itself but it would be fine to just disable spring's authentication of the user itself. I want the access token to be the only identifier of the incoming requests.

Community
  • 1
  • 1
Peeyush
  • 95
  • 1
  • 4
  • in my case, i can see JSESSIONId at set-cookie, i dont want to use, How can i put token at header Authorization: Bearer like this instead overriding default jsseionid way oath2 – Ashish Kamble Apr 02 '20 at 07:18

1 Answers1

2

It looks to me like /v1.0/printconfig/ is an OAuth2 protected resource behind a OAuth2AuthenticationProcessingFilter, and your client sent a cookie instead of a token? If that is correct then the default behaviour in 2.0.5 is as you see (to accept the cookie, and let you control the access rule in your own configuration). The default changed in 2.0.6 (the cookie will not work unless the resource server is configured explicitly: https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java#L94).

Dave Syer
  • 56,583
  • 10
  • 155
  • 143
  • Dave, I am using facebook login with oauth2 as per you project. Why does facebook login sets cookie, Any way I can change it to provide access token. FYI I have my own spring oauth server. – sanjay patel Feb 22 '17 at 16:29
  • I don't really understand the question. When you authenticate with Facebook you get a cookie. Pretty standard stuff, and not something you have any influence over. There's an auth server sample in the tutorial link above. Maybe that's what you mean by "provide access token"? – Dave Syer Feb 23 '17 at 08:00
  • I am creating rest services, my whole system works on access token and password grant. Now since I am including FB Login, FB Spring oauth sets cookies to track session, cookie can't be used in mobile app. Somehow I after succesull FB login I need to create access token for end user so my mobile apps are intact. Please let me know if you still have question. – sanjay patel Feb 24 '17 at 15:45
  • Password grant and facebook authentication don't really mix do they? You should probably reevaluate whether you need it. – Dave Syer Feb 25 '17 at 07:38
  • 1
    in my case, i can see JSESSIONId at set-cookie, i dont want to use, How can i put token at header Authorization: Bearer like this instead overriding default jsseionid way oath2 – Ashish Kamble Apr 02 '20 at 07:15
  • simple words, I dont want my app to be set cookie (its visible), i want to put token in header (Authorization: Bearer ) How to do like this??? – Ashish Kamble Apr 02 '20 at 07:18