
I am using OAuth2, and I have an authorization server and a (separate) resource server. A client gets a token from the authorization server and then uses the token to make requests to the resource server. When the resource server fetches the SecurityContext from the authorization server, I would like to add additional info. At the moment it gets the username of the user, and I would like to add the user ID too. In the authorization server I have the following setup:

@Override
public org.springframework.security.core.userdetails.UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    //... more logic in here
    return new CurrentUser(user.getId(), user.getUsername(), user.getPassword(), true, true, true, true, grantedAuthorities);
}

where CurrentUser is defined as follows:

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;

public class CurrentUser extends org.springframework.security.core.userdetails.User {

    private final Long userId;

    public CurrentUser(Long userId, String username, String password, boolean enabled, boolean accountNonExpired,
                       boolean credentialsNonExpired, boolean accountNonLocked,
                       Collection<? extends GrantedAuthority> authorities) {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        this.userId = userId;
    }

    // Accessor so callers can read the id once the principal has been cast to CurrentUser
    public Long getUserId() {
        return userId;
    }
}

In the resource server I'm trying to cast the principal to CurrentUser, but the principal is just a String. It looks like it is not being sent. Do you have an idea what I am missing?

Authentication a = SecurityContextHolder.getContext().getAuthentication();
CurrentUser user = (CurrentUser) a.getPrincipal(); // throws exception

The resource server (a separate application) is configured as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_id";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("...").access("...")
                .and()
                .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}

In the properties file of the resource server I have the necessary information where to validate the token:

security.oauth2.resource.token-info-uri=http://localhost:8000/auth-service/oauth/check_token
security.oauth2.client.client-id = my-client
security.oauth2.client.client-secret = password
patri
  • Only implementing the User object is not enough. Take a look here: https://stackoverflow.com/a/20449938/4423636 – Ataur Rahman Munna Nov 23 '17 at 05:26
  • In the link you gave me there are two different sets of answers. The ones provided by Yogen/Alireza Fattahi/M. Deinum are what I have done so far (as shown in the original question), and in the Authorization Server I can get the 'CurrentUser' with no problem. The problem is with the resource server (which is a separate executable). In the resource server, the principal being sent is the 'username' only. gpeche's answer is a bit unclear on how I should integrate 'MyAuthentication' into my configuration, and I'm unsure if it will do the trick. – patri Nov 23 '17 at 11:08
  • Then put your resource server configuration too. – Ataur Rahman Munna Nov 23 '17 at 11:13
  • You mean to put it in the resource server configuration? Can you give me an example of how to do it, please? In the resource server I have a class that extends ResourceServerConfigurerAdapter and I'm overriding: public void configure(ResourceServerSecurityConfigurer resources) and public void configure(HttpSecurity http) – patri Nov 23 '17 at 12:55
  • Then why didn't you put that code in your question? Please update your question and provide the code. – Ataur Rahman Munna Nov 23 '17 at 17:05
  • Updated as requested. – patri Nov 24 '17 at 08:24
  • @patri did you find any solution? I have the same question https://stackoverflow.com/questions/60239249/validate-the-user-in-the-resource-server-spring-security?noredirect=1#comment106555359_60239249 – Rajith K Feb 15 '20 at 18:16
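With `security.oauth2.resource.token-info-uri` set and no JWT, the resource server validates tokens through `RemoteTokenServices`, which rebuilds the `Authentication` from the JSON that `/oauth/check_token` returns. The stock `DefaultUserAuthenticationConverter` takes the `user_name` field of that JSON and uses it as a plain `String` principal, so the `CurrentUser` built on the authorization server never crosses the boundary; only what the check_token response carries does. The following is an added example, not code from the question or from Spring Security OAuth2, of one way to carry the id across: a `TokenEnhancer` on the authorization server stores a `user_id` entry in the token's additional information (which `DefaultAccessTokenConverter` copies into the check_token response), and a `UserAuthenticationConverter` on the resource server reads it back into a `CurrentUser`. The claim name `user_id`, the `getUserId()` accessor on `CurrentUser`, and the `@Value`-injected field names are assumptions; the property keys are the ones from the question.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// --- Authorization server side ---------------------------------------------
// Register with endpoints.tokenEnhancer(new UserIdTokenEnhancer()) in
// AuthorizationServerConfigurerAdapter.configure(AuthorizationServerEndpointsConfigurer).
// "user_id" is an assumed claim name, not a Spring constant.
class UserIdTokenEnhancer implements TokenEnhancer {
    static final String USER_ID = "user_id";

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof CurrentUser)) {
            return accessToken; // client-credentials tokens have no user behind them
        }
        Map<String, Object> info = new HashMap<>(accessToken.getAdditionalInformation());
        info.put(USER_ID, ((CurrentUser) principal).getUserId()); // assumes a getUserId() accessor
        DefaultOAuth2AccessToken enhanced = new DefaultOAuth2AccessToken(accessToken);
        enhanced.setAdditionalInformation(info); // copied into the check_token response by DefaultAccessTokenConverter
        return enhanced;
    }
}

// --- Resource server side --------------------------------------------------
// Rebuilds a CurrentUser principal from the check_token JSON instead of the default String.
class UserIdAuthenticationConverter extends DefaultUserAuthenticationConverter {
    @Override
    public Authentication extractAuthentication(Map<String, ?> map) {
        Authentication base = super.extractAuthentication(map); // String principal + authorities
        if (base == null || !map.containsKey(UserIdTokenEnhancer.USER_ID)) {
            return base; // no id in the response: keep the default behaviour
        }
        // JSON numbers arrive as Integer or Long depending on size; normalise via String
        Long userId = Long.valueOf(String.valueOf(map.get(UserIdTokenEnhancer.USER_ID)));
        CurrentUser user = new CurrentUser(userId, base.getName(), "N/A",
                true, true, true, true, base.getAuthorities());
        return new UsernamePasswordAuthenticationToken(user, "N/A", base.getAuthorities());
    }
}

// Wiring: replaces the auto-configured RemoteTokenServices with one that uses the converter above.
// The field names are assumptions; the property keys are the ones from the question.
class ResourceServerWithUserId extends ResourceServerConfigurerAdapter {
    private static final String RESOURCE_ID = "my_id";

    @Value("${security.oauth2.resource.token-info-uri}")
    private String checkTokenUri;
    @Value("${security.oauth2.client.client-id}")
    private String clientId;
    @Value("${security.oauth2.client.client-secret}")
    private String clientSecret;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setCheckTokenEndpointUrl(checkTokenUri);
        tokenServices.setClientId(clientId);
        tokenServices.setClientSecret(clientSecret);

        DefaultAccessTokenConverter converter = new DefaultAccessTokenConverter();
        converter.setUserTokenConverter(new UserIdAuthenticationConverter());
        tokenServices.setAccessTokenConverter(converter);

        resources.resourceId(RESOURCE_ID).stateless(false).tokenServices(tokenServices);
    }
}
```

The design point is the trust boundary: the resource server accepts `user_id` only because it arrives in the introspection response from the authorization server, authenticated with the resource server's own client credentials, so the check_token call is the place where that trust is established. The `CurrentUser` carries `"N/A"` as its password, matching the placeholder `DefaultUserAuthenticationConverter` itself uses, because the resource server never sees or needs the real credential.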
