
I have a Spring Boot 2 based Security Gateway performing OAuth2 authentication, sitting in front of a GUI app and a back-end. It is configured like this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

@Configuration
@EnableOAuth2Client
@EnableWebSecurity
public class SecurityGatewayConfig extends WebSecurityConfigurerAdapter {

    // Custom filter that performs the OAuth2 login; /login is its processing URL.
    @Bean
    public SecurityGatewayAuthenticationFilter filter() {
        return new SecurityGatewayAuthenticationFilter("/login");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterAfter(filter(), OAuth2ClientContextFilter.class)
                // unauthenticated requests are redirected to /login
                .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .and()
...

It redirects requests to /login, and SecurityGatewayAuthenticationFilter performs authentication against an external OAuth2 provider.

It is good for the GUI app. However, when accessing back-end services (they have /api/ in the path) I need different behaviour: if the request is not authenticated, do not redirect, but immediately return a 401 error.

Any idea, how to configure Spring Security for that?

Fedor

2 Answers


If I got your question right, what you can do is work with different configuration adapters. The basic idea looks like this:

    // First chain: only claims requests accepted by defaultMatcher.
    @Order(1)
    @Configuration
    @EnableOAuth2Sso
    public static class SecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        @Qualifier("defaultMatcher")
        private RequestMatcher defaultMatcher;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // requestMatcher() restricts this whole chain to the matched requests
            http.requestMatcher(defaultMatcher)...
        }
    }

    // Second chain: handles the requests the first one did not claim.
    @Order(2)
    @Configuration
    public static class OtherConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(yourRequestMatcher())...
        }

    }

Spring will evaluate each request against the adapters in the order you set with @Order(). If you use @EnableResourceServer, that adapter will always have Order(3).

You can then build your request matchers, for example like this (in this example it matches everything but explicitly excludes some other matchers):

    // Matcher classes come from org.springframework.security.web.util.matcher.
    @Bean
    public RequestMatcher defaultMatcher(@Qualifier("apiMatcher") RequestMatcher api, @Qualifier("anyother") RequestMatcher anyother) {
        final RequestMatcher all = new AntPathRequestMatcher("/**");
        // everything that is neither an API request nor one of the other excluded requests
        final RequestMatcher nonApi = new NegatedRequestMatcher(new OrRequestMatcher(api, anyother));

        return new AndRequestMatcher(all, nonApi);
    }

Hope that helps.

best regards, WiPu


You need to add an entry point filter:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

// Entry point that answers 401 instead of redirecting to a login page.
@Component
public final class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(final HttpServletRequest request,
                         final HttpServletResponse response,
                         final AuthenticationException authException) throws IOException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}

When a client accesses resources without authentication...
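Putting the two answers together for the asker's setup, here is one complete configuration as an added example; it is not code from the question or from either answer. It assumes the asker's SecurityGatewayAuthenticationFilter class (its source is not on the page), that "back-end services" means every request with /api/ somewhere in the path, and it uses Spring Security's built-in HttpStatusEntryPoint in place of the hand-written CustomAuthenticationEntryPoint from the second answer (both produce a 401 without a redirect). The first chain, ordered lowest, claims only API requests and answers 401; the second chain takes everything else and keeps the original redirect to /login.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableOAuth2Client
@EnableWebSecurity
public class SecurityGatewayConfig {

    // Assumption: back-end services are the requests with /api/ somewhere in the path.
    private static final RequestMatcher API = new AntPathRequestMatcher("/**/api/**");

    // The asker's own filter (not shown on the page); /login is its processing URL.
    @Bean
    public SecurityGatewayAuthenticationFilter filter() {
        return new SecurityGatewayAuthenticationFilter("/login");
    }

    // Chain 1: back-end calls. The lowest @Order is consulted first, and
    // requestMatcher() makes this chain claim only API requests. There is no
    // login redirect: a request without an authentication gets a bare 401.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(API)
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                    // Same effect as the second answer's CustomAuthenticationEntryPoint:
                    // sets the status to 401 and sends no Location header.
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    }

    // Chain 2: everything that is not a back-end call, i.e. the GUI app.
    // Keeps the OAuth2 filters and the redirect to /login from the question.
    @Configuration
    @Order(2)
    public static class GuiSecurityConfig extends WebSecurityConfigurerAdapter {

        private final SecurityGatewayAuthenticationFilter filter;

        public GuiSecurityConfig(SecurityGatewayAuthenticationFilter filter) {
            this.filter = filter;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(new NegatedRequestMatcher(API))
                .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterAfter(filter, OAuth2ClientContextFilter.class)
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
        }
    }
}
```

To check the split, send an unauthenticated request to each side: a request to a path containing /api/ must come back as 401 with no Location header, and a request to any other path must come back as 302 to /login. Note that the API chain above authenticates only through the session that the GUI chain establishes at login; if API clients send bearer tokens instead, the token-validating filter has to be added to that chain. Two caveats worth knowing: Spring Boot registers every Filter bean with the servlet container as well, so a filter exposed with @Bean also runs outside the security chain unless it is disabled there with a FilterRegistrationBean; and if you would rather keep a single adapter, Spring Security 5 (the version Spring Boot 2 uses) lets you attach the 401 entry point to just the API matcher with exceptionHandling().defaultAuthenticationEntryPointFor(entryPoint, matcher) while leaving the login redirect as the default for everything else.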