1

I've seen several posts with this topic but I didn't see any solution. My cas is quite simple as I'm testing Spring Boot 2.1.6.RELEASE with Spring Security 2.1.5.RELEASE (there doesn't seem to be a Spring Security 2.1.6.RELEASE). The only specfific thing is that the app is deployed as a WAR on WebLogic 12.2.1.3. The OAuth2 config is as follows:

@Configuration
@EnableAuthorizationServer
public class RdfAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
{
  @Autowired
  private AuthenticationManager authenticationManager;

  @Autowired
  private UserDetailsService userDetailsService;

  @Override
  public void configure(ClientDetailsServiceConfigurer clients) throws Exception
  {
    clients.inMemory()
      .withClient("rdf")
      .secret("thisissecret")
      .authorizedGrantTypes("refresh_token", "password", "client_credentials")
      .scopes("webclient", "mobileclient");
  }

  @Override
  public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
  {
    endpoints
      .authenticationManager(authenticationManager)
      .userDetailsService(userDetailsService);
  }
}

The security config is as follows:

@Configuration
@EnableWebSecurity
public class RdfWebSecurityConfig extends WebSecurityConfigurerAdapter
{
  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception
  {
    return super.authenticationManagerBean();
  }

  @Override
  @Bean
  public UserDetailsService userDetailsServiceBean() throws Exception
  {
    return super.userDetailsServiceBean();
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception
  {
    auth
      .inMemoryAuthentication()
      .withUser("nicolas").password("password1").roles("USER,ADMIN");
  }

  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception
  {
    httpSecurity.authorizeRequests()
      .antMatchers("/").permitAll()
      .antMatchers("/**/add").access("hasRole('ADMIN')")
      .antMatchers("/**/market/**").access("hasRole('USER')");
    httpSecurity.csrf();
  }
}

With only these elements in place I should be able to POST to oauth/token, but I'm not as I get HTTP 401. Here is my Postman POST:

POST /rdf-security/oauth/token HTTP/1.1
Host: localhost:7001
Authorization: Basic cmRmOnRoaXNpc3NlY3JldA==
cache-control: no-cache
Postman-Token: 5bad77f5-8cf7-4d31-8370-78ca4814573c
Content-Type: multipart/form-data; boundary=----  WebKitFormBoundary7MA4YWxkTrZu0gW

Content-Disposition: form-data; name="grant_type"
password
Content-Disposition: form-data; name="scope"
webclient
Content-Disposition: form-data; name="username"
nicolas
Content-Disposition: form-data; name="password"
password1
Content-Disposition: form-data; name="role"
admin
------WebKitFormBoundary7MA4YWxkTrZu0gW--

And here is the response:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
<HTML>
  <HEAD>
    <TITLE>Error 401--Unauthorized</TITLE>
  </HEAD>
  <BODY bgcolor="white">
    <FONT FACE=Helvetica>
        <BR CLEAR=all>
        <TABLE border=0 cellspacing=5>
            <TR>
                <TD>
                    <BR CLEAR=all>
                    <FONT FACE="Helvetica" COLOR="black" SIZE="3">
                        <H2>Error 401--Unauthorized</H2>
                    </FONT>
                </TD>
            </TR>
        </TABLE>
        <TABLE border=0 width=100% cellpadding=10>
            <TR>
                <TD VALIGN=top WIDTH=100% BGCOLOR=white>
                    <FONT FACE="Courier New">
                        <FONT FACE="Helvetica" SIZE="3">
                            <H3>From RFC 2068 
                                <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:
                            </H3>
                        </FONT>
                        <FONT FACE="Helvetica" SIZE="3">
                            <H4>10.4.2 401 Unauthorized</H4>
                        </FONT>
                        <P>
                            <FONT FACE="Courier New">The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.</FONT>
                        </P>
                    </FONT>
                </TD>
            </TR>
        </TABLE>
    </BODY>
</HTML>

I'm doing the same with curl, with the same result:

nicolas@BEL20:~/rdf/rdf-security$ curl rdf:thisissecret@localhost:7001/rdf-security/oauth/token -d grant_type=password -d client_id=rdf -d client_secret=thisissecret -d username=nicolas   -d password=password1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
<HTML>
  <HEAD>
    <TITLE>Error 401--Unauthorized</TITLE>
  </HEAD>
  ...

I'm using since a while WebLogic to deploy Spring applications without major issues. But this is the first time I'm trying to deploy Spring Security applications on WebLogic. However, I'm not doing yet any specific thing. Does anyone know why I can't get a token by posting to oauth/token ?

Many thanks in advance,

Nicolas

  • Just a short comment to mention that the same WAR deployed on Tomcat (stand-alone not embedded) works as expected. –  Jul 31 '19 at 13:14

1 Answers1

1

I finally found the solution to this issue here: What are the consequences when setting enforce-valid-basic-auth-credentials to false on weblogic server. So I modified my WebLogic server config as follows:

wls:/offline> connect ('user','password','localhost:7001')
...
wls:/base_domain/serverConfig/> edit()
...
wls:/base_domain/edit/ !> startEdit()
...
wls:/base_domain/edit/ !> cd('SecurityConfiguration/<your_domain_name_here>')
...
wls:/base_domain/edit/ !> set('EnforceValidBasicAuthCredentials', 'false')
wls:/base_domain/edit/SecurityConfiguration/base_domain !> save()
...
wls:/base_domain/edit/SecurityConfiguration/base_domain !> activate()

After that I rebooted the WebLogic server and then my test which consists to connect to /oauth/token in order to get a token worked exactly as it was working on Tomcat. Doing this disables the WebLogic basic authentication performed by the container allowing Spring Boot to perform it at the application level.

Probably not a wise thing to use production-ready Java EE relaible platforms to deploy on them SPring Boot application like on Tomcat, by disabling their main features. But hey, this is another topic !