3

I have created an Authorization service as follows

@SpringBootApplication
@EnableAuthorizationServer
public class AuthorizationApplication {
   ...
}

With this application.properties.

server.port=9000
security.oauth2.client.client-id=monederobingo
security.oauth2.client.client-secret=monederobingosecret
security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
security.oauth2.client.scope=company,client

Then, in a separate spring boot project I have created a Resource Server.

@SpringBootApplication
@EnableResourceServer
public class App {
   ...
}

With this application.properties.

server.port=9090
spring.application.name=app
security.oauth2.resource.user-info-uri=http://localhost:9000/user

Now, everything works fine if I send a request like this to localhost:9090/api with the appropriate token that was retrieved from the Authorization Service.

However, I don't want to send this token when sending requests to localhost:9090/login.

For this I have created this class in my Resource server spring boot app.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // /login is open; /api/** requires an authenticated request
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/login")
                .permitAll()
                .antMatchers("/api/**")
                .authenticated();
    }

}

And now I don't need to send any token to send a request to /login.

However, I'm now getting the following message when sending a request to /api with a valid token.

{
  "timestamp": 1496027102659,
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/api/v1/points_configuration/314"
}

How can I configure security for only a few URL patterns in Spring Security OAuth2?

alayor
  • Add .antMatchers("/api/**") .authenticated(); in your resource server configuration, and try again – Afridi May 29 '17 at 03:29
  • @Afridi I already have that in `SpringConfig` class. – alayor May 29 '17 at 03:35
  • 1
    I am not talking about WebSecurityConfigurerAdapter extended class. Extends your 'App' class from ResourceServerConfigurerAdapter and then override this method: @Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/api/**") .authenticated(); } – Afridi May 29 '17 at 03:39
  • 1
    @That worked. Could you please add that as Answer and I'll mark it as accepted. Also, why did this work by using `ResourceServerConfigurerAdapter` instead of `WebSecurityConfigurerAdapter`? – alayor May 29 '17 at 15:11

1 Answer

9

Kindly follow this for more info regarding Spring OAuth security: Secure Spring REST Api with OAuth

In order to implement OAuth security in Spring Boot, you have to create the Authorization and Resource servers by extending AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter respectively.

Authorization Server

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private AuthenticationManager authenticationManager;
    // Client registrations come from a store-backed ClientDetailsService bean
    // (a Mongo-backed implementation defined elsewhere in the application)
    @Autowired
    private ClientDetailsService mongoClientDetailsService;

    @Bean
    public TokenStore tokenStore() {
        // In-memory store for issued tokens; added here so the snippet is complete
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .userDetailsService(userDetailsService)
                .authenticationManager(this.authenticationManager)
                .tokenStore(tokenStore())
                .approvalStoreDisabled();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(mongoClientDetailsService);
        /* Equivalent in-memory registration:
        clients.inMemory()
                .withClient(propertyResolver.getProperty(PROP_CLIENTID))
                .scopes("read", "write")
                .authorities("ROLE_CLIENT")
                .authorizedGrantTypes("password", "refresh_token", "client_credentials")
                .secret(propertyResolver.getProperty(PROP_SECRET))
                .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));
        */
    }

    // Do other stuff
}

Resource Server

All the URLs that you want to protect using OAuth should be mentioned in this server configuration. It enables a Spring Security filter that authenticates requests using an incoming OAuth2 token, while a class extending WebSecurityConfigurerAdapter is mostly used for basic security configuration like adding filters, allowing unsecured URLs or implementing session policies, etc.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class App extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Limit this filter chain to /api/** and require a valid token there
        http.requestMatchers().antMatchers("/api/**")
                .and()
                .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
    // Do other stuff
}
Afridi