
I'd like to override Spring's default AuthorizationEndpoint and provide my own on /oauth/authorize. I wrote my own controller

import java.util.Map;

import javax.servlet.http.HttpServletResponse;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("oauth/authorize")
public class AuthorizationController {

    @RequestMapping
    public void authorize(@RequestParam Map<String, String> parameters, HttpServletResponse response) throws Exception {
        // todo: custom authorization handling (left empty in the question)
    }

}

However it is not mapped as AuthorizationEndpoint maps to /oauth/authorize by default. How can I remove the standard implementation?

Bonus

The reason I want to provide my own implementation is because my REST API is stateless and does not provide sessions and/or a web interface; a standalone Angular app does that for me and authorizes using the password grant to the server. So what I want to do is redirect the user to my Angular app's approval page and implement a custom user_oauth_approval approveOrDeny endpoint which my client calls. I'm not sure if I can set that up with Spring, and even if I could, a custom implementation would probably be less hassle. I'd love to hear some insights.

Ben
  • Don't do it, you get a big security problem. However, if you use password grant, the authorization endpoint is not used at all. Hence, there is no need to override the authorization endpoint. – dur Oct 28 '18 at 19:16
  • Did you find any solution for it? I too have the same scenario. Would be great if you can share it. Thanks – curious May 03 '19 at 02:38
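The password-grant-only setup that dur's comment describes, as an added example that is not part of the question or of the answer below: a hypothetical spring-security-oauth2 2.x AuthorizationServerConfigurerAdapter that registers a constructed client (id angular-spa, placeholder secret) with only the password and refresh_token grants, so /oauth/authorize is never reachable for that client, and that uses pathMapping, the supported way to move the default authorization endpoint if the path really must be freed, instead of replacing the endpoint (and with it Spring's redirect_uri and consent checks) with a hand-written controller. It assumes an AuthenticationManager bean is exposed by the application's WebSecurityConfigurerAdapter.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Hypothetical authorization-server configuration (spring-security-oauth2 2.x),
 * written as an illustration: the client id, secret and scopes are constructed values.
 */
@Configuration
@EnableAuthorizationServer
public class PasswordGrantAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be exposed by the application's WebSecurityConfigurerAdapter
    // via authenticationManagerBean(); it runs the registered AuthenticationProvider(s).
    @Autowired
    private AuthenticationManager authenticationManager;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed sample client: only the password and refresh_token grants are allowed,
        // so the authorization-code and implicit flows (the ones that use /oauth/authorize)
        // are rejected for this client before any user interaction happens.
        clients.inMemory()
            .withClient("angular-spa")                      // constructed client id
            .secret(passwordEncoder().encode("change-me"))  // placeholder secret, hashed at startup
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read", "write")
            .accessTokenValiditySeconds(900)                // short-lived access token
            .refreshTokenValiditySeconds(86400);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            // Required for the password grant: /oauth/token delegates credential checking here.
            .authenticationManager(authenticationManager)
            // Supported alternative to overriding: remap the default endpoint instead of
            // replacing it, which keeps the built-in redirect_uri and user-consent checks.
            .pathMapping("/oauth/authorize", "/oauth/authorize-default");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .passwordEncoder(passwordEncoder())   // client secrets are compared as BCrypt hashes
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }
}
```

With this in place the SPA obtains tokens from /oauth/token with grant_type=password, and a request for /oauth/authorize on behalf of angular-spa fails with an unauthorized grant type, so nothing needs to be removed from the authorization endpoint to keep it out of the picture.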

1 Answer


Inject your customAuthenticationManager in your new controller.

    @Autowired
    private AuthenticationManager authenticationManager;

    @RequestMapping(value = "${jwt.route.authentication.path}", method = RequestMethod.POST)
    public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtAuthenticationRequest authenticationRequest)
            throws AuthenticationException {

        // Delegates to the AuthenticationManager, which runs the registered custom AuthenticationProvider.
        Authentication customAuthentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
                authenticationRequest.getUsername(), authenticationRequest.getPassword()));
        SecurityContextHolder.getContext().setAuthentication(customAuthentication);

        // getToken()/isActive() are not on Spring's Authentication interface; the answer assumes
        // the custom provider returns its own Authentication implementation that provides them.
        return ResponseEntity
                .ok(new JwtAuthenticationResponse(customAuthentication.getToken(), customAuthentication.isActive()));

    }

Then overwrite default Spring AuthenticationManager + AuthenticationProvider

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    // Registers the custom provider with the global AuthenticationManagerBuilder.
    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider);
    }

    // Exposes the AuthenticationManager as a bean so the controller can inject it.
    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

import org.springframework.security.authentication.AuthenticationProvider;

@Component("customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider {

Ethan Nguyen
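The answer stops at the class declaration of CustomAuthenticationProvider. What follows is an added, hypothetical completion that is not the answer's own code: a full Spring Security AuthenticationProvider (Java 11) that checks a username/password against a constructed in-memory store of two users (alice, enabled, and bob, disabled) using BCrypt, returns the same generic BadCredentialsException for unknown users and wrong passwords (and still runs a hash comparison in the unknown-user case so the two paths take similar time), and drops the raw password from the returned Authentication. How the real provider looks users up is whatever the author's store is; the store here is constructed for the example.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component("customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider {

    // Constructed user record standing in for whatever store the real provider consults.
    private static final class UserRecord {
        final String passwordHash;
        final boolean enabled;
        final List<GrantedAuthority> authorities;

        UserRecord(String passwordHash, boolean enabled, List<GrantedAuthority> authorities) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.authorities = authorities;
        }
    }

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Hash compared against when the username is unknown, so that path costs about
    // the same as a real comparison instead of returning immediately.
    private final String unknownUserHash = encoder.encode("not-a-real-password");

    // Constructed sample users; passwords are hashed once at startup.
    private final Map<String, UserRecord> users = Map.of(
        "alice", new UserRecord(encoder.encode("correct horse battery staple"), true,
                                List.of(new SimpleGrantedAuthority("ROLE_USER"))),
        "bob",   new UserRecord(encoder.encode("bob-password"), false,
                                List.of(new SimpleGrantedAuthority("ROLE_USER"))));

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String rawPassword = credentials == null ? "" : credentials.toString();

        UserRecord user = users.get(username);
        String hashToCheck = user != null ? user.passwordHash : unknownUserHash;
        boolean passwordMatches = encoder.matches(rawPassword, hashToCheck);

        // One generic failure for "no such user" and "wrong password": the response
        // must not reveal which usernames exist.
        if (user == null || !passwordMatches) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (!user.enabled) {
            throw new DisabledException("User account is disabled");
        }

        // The three-argument constructor marks the token as authenticated; the credentials
        // are set to null so the raw password is not retained on the SecurityContext.
        return new UsernamePasswordAuthenticationToken(username, null, user.authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle username/password tokens, which is what the controller above submits.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Because the provider throws rather than returning null on a bad password, the AuthenticationManager surfaces the failure to the caller and the controller never reaches its SecurityContextHolder.setAuthentication call for an unauthenticated request.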