
Literally able to hit the endpoint: http://localhost:8080/oauth2-password/helloworld and still get the String "Hello World!". Check out my configurations below and please tell me why. This is extremely frustrating.

AUTHORIZATION SERVER

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Exposed as a bean by WebSecurityConfig; the password grant uses it to
    // verify the resource owner's username/password.
    @Autowired
    AuthenticationManager authenticationManager;

    // Shared token store; the resource server autowires this same bean as TokenStore.
    @Primary
    @Bean
    InMemoryTokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(this.authenticationManager).tokenStore(this.tokenStore());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // /oauth/check_token requires an authenticated client
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client with no secret, limited to the password grant and
        // to resource id "app" (must match the resource server's resourceId).
        clients.inMemory()
            .withClient("client")
            .resourceIds("app")
            .authorizedGrantTypes("password")
            .scopes("read", "write", "trust")
            .refreshTokenValiditySeconds(20000)
            .accessTokenValiditySeconds(600);
    }

}

RESOURCE SERVER

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Resolves to the InMemoryTokenStore bean declared in AuthorizationServerConfig
    @Autowired
    TokenStore tokenStore;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Paths are relative to the servlet context (/oauth2-password here)
        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/helloworld/**").authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Accept only tokens issued for resource id "app". Do not pass the user
        // AuthenticationManager here: ResourceServerSecurityConfigurer would then use
        // it, instead of an OAuth2AuthenticationManager backed by the token store, to
        // authenticate bearer tokens, and every token would be rejected.
        resources.resourceId("app").tokenStore(this.tokenStore);
    }

}

WEB SECURITY CONFIG

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Resource owner used by the password grant (plain-text password, Spring Security 4.x style)
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    // Expose the AuthenticationManager as a bean so AuthorizationServerConfig can autowire it
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}
TyRyDurden

1 Answer

Wow, surprised no one was able to catch this one. Extremely poorly documented but found the answer after days of searching.

For anyone who comes this way and finds they are configuring the ResourceServer, AuthorizationServer, and WebSecurityConfigurerAdapter correctly yet are still hitting the endpoint perfectly fine as if the freaking filter weren't even alive, here is the answer:

Add an @Configuration annotated class in your classpath that implements AbstractSecurityWebApplicationInitializer. Call the class SecurityWebAppInitializer or whatever you would like that makes sense. Make sure to override all the methods and just leave them as their default implementations. Make sure you register this class into your Spring context (along with the other config classes).

Re-compile, re-start the server etc...

Boom. Works, just like that. Hit an endpoint and was unauthorized with a 401.

What this Abstract class does is register the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. UGH. Something done so easily in XML when you register springSecurityFilterChain.

TyRyDurden
  • It is documented well enough in the Spring Security Reference, see my [answer](https://stackoverflow.com/a/39591417/5277820) for a similar question. – dur May 31 '17 at 23:43
  • @dur Haha surprised you didn't catch that one sooner! I knew that you had to register DelegatingFilterProxy in XML. Easy. I thought this whole time it was being automatically registered when you implement EnableResourceServer. The only filter that gets enabled when you do that however is OAuth2AuthenticationProcessingFilter, not the overall parent DelegatingFilterProxy -> FilterChainProxy delegation scheme. – TyRyDurden May 31 '17 at 23:58
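
The initializer described in the answer and the comment above, written out as an added example (this is not code from the original question or answer). It assumes a plain WAR deployed to a Servlet 3.0+ container with no web.xml, and that some other WebApplicationInitializer already creates the root WebApplicationContext containing WebSecurityConfig, AuthorizationServerConfig and ResourceServerConfig; the class name SecurityWebAppInitializer is arbitrary. No methods need to be overridden: AbstractSecurityWebApplicationInitializer.onStartup() registers a DelegatingFilterProxy named springSecurityFilterChain, mapped to /* and ordered ahead of other filters, and the class is found by the container through SpringServletContainerInitializer, so it does not have to be a Spring bean or carry @Configuration.

```java
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Added example, not part of the original post.
 *
 * Registers the "springSecurityFilterChain" DelegatingFilterProxy with the
 * servlet container. Without it, FilterChainProxy, and with it the
 * OAuth2AuthenticationProcessingFilter that @EnableResourceServer builds,
 * never sees a request, so /helloworld answers 200 without any token.
 *
 * Discovered by the container via SpringServletContainerInitializer; no
 * bean registration needed. Name is arbitrary (assumption).
 */
public class SecurityWebAppInitializer extends AbstractSecurityWebApplicationInitializer {

    // No-arg form: relies on another WebApplicationInitializer having created
    // the root context that holds the three @Configuration classes.
    public SecurityWebAppInitializer() {
        super();
    }
}
```

If nothing else builds the root context, the base class also offers a varargs constructor: calling `super(WebSecurityConfig.class, AuthorizationServerConfig.class, ResourceServerConfig.class)` instead makes it create an AnnotationConfigWebApplicationContext from those classes and add the ContextLoaderListener itself (do not combine that with a second initializer that also registers a ContextLoaderListener). The web.xml equivalent, as the answer notes, is a `<filter>` named `springSecurityFilterChain` of class `org.springframework.web.filter.DelegatingFilterProxy` mapped to `/*`; Spring Boot registers this filter automatically, which is why the problem only shows up in hand-wired WAR deployments. To check the fix: a GET on /oauth2-password/helloworld with no Authorization header should now return 401 with a `WWW-Authenticate: Bearer` header; a POST to /oauth2-password/oauth/token with HTTP basic auth as `client` (the client above has no secret) and body `grant_type=password&username=user&password=password` should return an access token, and resending the GET with `Authorization: Bearer <token>` should return 200 and "Hello World!".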