
I'm trying to set up Spring OAuth2 using a custom WebSecurityConfigurerAdapter (@EnableWebSecurity).

As a base I copied the following two projects:

  • vanilla-sample
  • a client application with @EnableOAuth2Sso and the corresponding properties

This works as expected out-of-the-box.

But when I try to add a WebSecurityConfigurerAdapter with @EnableWebSecurity to the Auth-Server (vanilla), it fails.

I'm getting an "Authentication Failed: Could not obtain access token" error when redirected back after login and authorization at the login page of the client.

I have set up a security.oauth2.resource.userInfoUri, which worked just fine without the WebSecurityConfigurerAdapter.

Any ideas how to configure oauth2 with a WebSecurityConfigurerAdapter?

Slava Semushin
cin
  • What kind of OAuth2 security are you trying to create? Only an OAuth2 authorization server, or an auth server with a resource server? Do you have your example somewhere on GitHub? – bilak Oct 19 '16 at 13:29
  • I've uploaded a sample [here](https://github.com/menostos/spring-oauth2-demo). It works as it's checked in. But if you uncomment the CustomWebSecurity in auth-server/Application it does not work anymore. (Just start the auth-server and client through the main method and open http://localhost:8081/client/ in a browser.) – cin Oct 19 '16 at 19:35
  • If you enable websecurity, the /oauth/authorize and /oauth/confirm_access endpoints are probably not visible. – bilak Oct 19 '16 at 21:10
  • Could you also provide more information on how you are testing that? I think it doesn't work with the current setup. – bilak Oct 19 '16 at 21:18
  • If I start both applications as on GitHub and open http://localhost:8081/client/, I correctly get redirected, can log in and authorize, and also get redirected back; the client also requests the userInfoUri and authenticates the user. But if I uncomment the CustomWebSecurity and restart both applications, then the last step fails on the client application with "Authentication Failed: Could not obtain access token". – cin Oct 20 '16 at 19:57
  • Is there any example on using Spring OAuth2 Authserver with a @EnableOAuth2Sso client (not behind a zuul), where a custom WebSecurityConfigurerAdapter? – cin Oct 24 '16 at 07:22
  • I'm not sure. I was never using @EnableOAuth2Sso, only resource server and authorization server with corresponding configuration. – bilak Oct 24 '16 at 16:07

1 Answer


Change your http security configuration to something like this:

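    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Apply this adapter's filter chain only to the listed paths;
                // requests to any other path are left to other filter chains.
                .requestMatchers()
                .antMatchers("/", "/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                // Within those paths, require an authenticated user.
                .authorizeRequests()
                .anyRequest().authenticated();
    }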
bilak
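
What the `requestMatchers()` scoping in the answer changes, as an added example that is not part of the original answer or the asker's project: a plain-Java model of how Spring Security picks the first filter chain, in `@Order` sequence, whose matcher accepts the request. The class, the chain names and the order values are constructed assumptions for illustration.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Set;

// Constructed model (not Spring code): a request is handled by the first filter
// chain, in @Order sequence, whose request matcher accepts the path.
public class ChainSelectionDemo {

    // paths == null models a chain without requestMatchers(): it claims every request.
    // The answer's patterns contain no wildcards, so exact comparison is enough here.
    record Chain(String name, int order, Set<String> paths) {
        boolean claims(String path) {
            return paths == null || paths.contains(path);
        }
    }

    // Returns the name of the chain that would process the given request path.
    static String handledBy(List<Chain> chains, String path) {
        return chains.stream()
                .sorted(Comparator.comparingInt(Chain::order))
                .filter(chain -> chain.claims(path))
                .map(Chain::name)
                .findFirst()
                .orElse("no chain");
    }

    public static void main(String[] args) {
        // Endpoints that the authorization server secures with its own chain.
        Chain authServer = new Chain("authorization-server", 0,
                Set.of("/oauth/token", "/oauth/token_key", "/oauth/check_token"));
        // Hypothetical order -1 places the custom adapter ahead of that chain.
        Chain catchAll = new Chain("custom (catch-all)", -1, null);
        Chain scoped = new Chain("custom (scoped)", -1,
                Set.of("/", "/login", "/oauth/authorize", "/oauth/confirm_access"));

        List<String> requests = List.of("/login", "/oauth/authorize", "/oauth/token");
        for (String path : requests) {
            System.out.printf("%-17s catch-all: %-22s scoped: %s%n",
                    path,
                    handledBy(List.of(catchAll, authServer), path),
                    handledBy(List.of(scoped, authServer), path));
        }
    }
}
```

With the scoped matcher, the custom chain never claims `/oauth/token`, whatever its order relative to the other chains.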