I'm trying to set up a proof of concept using Spring Boot and OAuth2. I've set up some projects very similar to the ones outlined here:
https://spring.io/guides/tutorials/spring-boot-oauth2/
and here: https://spring.io/guides/tutorials/spring-security-and-angular-js/
The main difference with mine is I've left out all the AngularJS stuff.
I have the following services:
- Authorization server
- Resource server (as protected OAuth2 client)
- UI server (as protected OAuth2 client)
All that I want to happen is this:
- Hit the UI server
- Get redirected to auth server and get prompted for credentials
- UI server will then fetch some text from resource server and display them
I can get this all to work fine with Basic authentication on the auth server. However, I want to be able to replace the basic authentication with that from Active Directory.
I have a couple of other Spring Boot projects that can do the AD authentication and it works; however, whenever I try to drop it into this, things go wrong. I think it's to do with the security around the auth server endpoints, but I'm not sure what.
Also, it's not clear to me which endpoints should be secured by what protocol (OAuth2 vs. Basic) in a production environment. The docs recommend some endpoints should be secured with Basic. Should all 'OAuth2 clients' somehow include these credentials in their requests?
Here's my auth server application (with bits for Active Directory added):
import java.security.Principal;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@EnableResourceServer
@EnableAuthorizationServer
@SpringBootApplication
@RestController
public class AuthServerLdapApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthServerLdapApplication.class, args);
    }

    // Called by the UI server (with a bearer token) to look up the current user
    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
    @Configuration
    protected static class ActiveDirectoryConfig extends WebSecurityConfigurerAdapter {

        @Value("${activedirectory.url}")
        private String activeDirectoryUrl;

        @Value("${activedirectory.domain}")
        private String activeDirectoryDomain;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Authenticate users against Active Directory instead of the Basic users
            ActiveDirectoryLdapAuthenticationProvider provider =
                    new ActiveDirectoryLdapAuthenticationProvider(activeDirectoryDomain, activeDirectoryUrl);
            provider.setConvertSubErrorCodesToExceptions(true);
            provider.setUseAuthenticationRequestCredentials(true);
            auth.authenticationProvider(provider);
            auth.parentAuthenticationManager(authenticationManager);
        }
    }
}
Basically what then happens is that I get this when I hit the UI server:
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
If I do this against the authorization server:
curl -v http://localhost:9004/uaa/login
* Trying ::1...
* Connected to localhost (::1) port 9004 (#0)
> GET /uaa/login HTTP/1.1
> Host: localhost:9004
> User-Agent: curl/7.44.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Cache-Control: no-store
< Pragma: no-cache
< WWW-Authenticate: Bearer realm="null", error="unauthorized", error_description="Full authentication is required to access this resource"
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 01 Dec 2015 12:38:53 GMT
<
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
* Connection #0 to host localhost left intact
It looks like the login endpoint now expects a bearer token? I'm not sure how to proceed now...
Any help/advice would be appreciated...
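As an added illustration (not the asker's code, nor code from the linked guides), this is one way to keep the Active Directory login chain from being shadowed by the Bearer-token chain: order it ahead of the @EnableResourceServer chain and limit it to the browser-facing endpoints. The @Order value and the list of paths are assumptions for this setup.

```java
// Added example, not from the question. Assumption: the @EnableResourceServer
// chain (order 3 in Spring Security OAuth2) is claiming /login and demanding a
// Bearer token, so this chain is ordered ahead of it and scoped to the
// interactive login flow only. The paths listed are assumed for this setup.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@Order(-20) // ahead of the resource-server chain; exact value is an assumption
public class ActiveDirectoryLoginConfig extends WebSecurityConfigurerAdapter {

    @Value("${activedirectory.url}")
    private String activeDirectoryUrl;

    @Value("${activedirectory.domain}")
    private String activeDirectoryDomain;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Only these requests use this (form login) chain. Everything else,
            // e.g. /user, falls through to the Bearer-token resource-server chain,
            // and /oauth/token keeps its default Basic client-credential check.
            .requestMatchers()
                .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same AD provider as in the question: users log in with domain credentials
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(activeDirectoryDomain, activeDirectoryUrl);
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        auth.authenticationProvider(provider);
    }
}
```

With this scoping, an unauthenticated browser request to /uaa/login gets the login form instead of the 401 with WWW-Authenticate: Bearer shown above, while token-bearing calls to /user are still handled by the resource-server chain.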