
Agenda: to create an authorization and resource server such that:

  1. Rest clients can authenticate and authorize and use tokens to fetch resources about the user.

    This worked: accessing resources defined at the /rest/user endpoint is working fine.

  2. Web clients can SSO using this authorization server

    I tried using @EnableOAuth2Sso and also using @EnableOAuth2Client. Both didn't work. When using EnableOAuth2Sso redirect to oauth server's login happened but redirection back to the app didn't happen.

  3. Users can directly log into the authorization server and see if they have an account.

    This is working, but it is skipping authentication and authorization and the page is getting displayed immediately.

I have an OAuth server with ResourceConfig and WebSecurityConfig:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
@Order(1)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired private AuthenticationSuccessHandler authenticationSuccessHandler;
    @Autowired private AuthenticationFailureHandler authenticationFailureHandler;

    // UserAccountDetailsService is the project's own UserDetailsService implementation
    @Autowired
    @Qualifier("userAccountDetailsService")
    UserAccountDetailsService userAccountDetailsService;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        // @formatter:off
        httpSecurity
            .csrf().disable()
            .anonymous().disable()

            // This filter chain is consulted only for these two paths; every other
            // request skips it and falls through to the next chain in order.
            .requestMatchers()
                .antMatchers("/login", "/oauth/authorize")
                .and()

            .authorizeRequests()
                // Rules are evaluated in order and the first match wins: "/**" matches
                // every request, so none of the rules listed after it is ever reached.
                .antMatchers("/**", "/css/**", "/js/**", "/images/**").permitAll()
                .antMatchers("/oauth/token").permitAll()
                .antMatchers("/userPage/*").hasAnyRole("USER", "HRADMIN")
                .antMatchers("/adminPage/*").hasRole("HRADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/")
                .loginProcessingUrl("/login")
                .failureHandler(authenticationFailureHandler)
                .successHandler(authenticationSuccessHandler)
                .and()
            .logout()
                .logoutUrl("/logout");
        // @formatter:on
    }

    // Registers the custom UserDetailsService and BCrypt with the global AuthenticationManager
    @Autowired
    protected void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userAccountDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Exposes the AuthenticationManager as a bean so the authorization server can use it
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

// The resource-server filter chain itself is registered by @EnableResourceServer's own
// configuration, which carries its own order; @Order on this configurer bean does not
// reorder that chain.
@Configuration
@EnableResourceServer
@Order(2)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Only /rest/user/** is restricted here; this chain has no catch-all rule,
        // so any other path that reaches it is not protected by it.
        http
            .anonymous().disable()
            .authorizeRequests()
                .antMatchers("/rest/user/**").authenticated()
                .and()
            .exceptionHandling()
                .accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

Isn't it possible to combine and use web resource and oauth resources in the same server?

I'm using Spring Boot: 2.2.0.BUILD-SNAPSHOT and Spring security-oauth2-autoconfigure: 2.1.3.RELEASE

The whole source is available on GitHub:

Authorization and Resource server: https://github.com/john77eipe/SpringSecurityDrills/tree/master/securestore-oauth

Spring Web client using EnableOAuth2Client: https://github.com/john77eipe/SpringSecurityDrills/tree/master/securestore-web-resource-1

Spring Web client using EnableOAuth2Sso: https://github.com/john77eipe/SpringSecurityDrills/tree/master/securestore-web-resource-2

John Eipe

  • You have only restricted `.antMatchers("/rest/user/**").authenticated()`; all other URLs are permitted by default. Add `anyRequest().authenticated()` to your configuration. – dur Aug 07 '19 at 11:12
  • But I do have that specified in the WebSecurityConfiguration right? – John Eipe Aug 07 '19 at 12:53
  • Your `WebSecurityConfiguration` is never called, because `ResourceServerConfig` has a lower order (AFAIK it is 3). – dur Aug 07 '19 at 13:10
  • adding `@Order` on these classes didn't help – John Eipe Aug 07 '19 at 19:41
  • I didn't say that it helps to add `@Order`. I just explained, why your `WebSecurityConfiguration` is behind your `ResourceServerConfig`. Where did you add `@Order`? What number did you set? I already explained that you need to restrict your URL. – dur Aug 07 '19 at 20:53
  • @dur As mentioned by you, I have added it and updated the code above. Still the same issue. Also added the complete source code link. – John Eipe Aug 09 '19 at 13:29
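One way to give each filter chain a disjoint set of paths, so that the resource server ends in a default-deny rule and the browser chain handles /userPage and /oauth/authorize regardless of chain order, as an added example that is not code from the question or the linked repository. The class names, the package line and the use of NegatedRequestMatcher are assumptions; the authorization server's own endpoint security (from @EnableAuthorizationServer, not shown above) is left as it is.

```java
package com.example.securestore; // assumed package name, not the project's own

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;

// Token chain: owns /rest/** only and ends with a default-deny rule, so an
// unlisted REST path is refused instead of being served to an anonymous caller.
@Configuration
@EnableResourceServer
class RestResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/rest/**")
            .and()
            .authorizeRequests()
            .antMatchers("/rest/user/**").authenticated()
            .anyRequest().authenticated();
    }
}

// Browser chain: owns every path that is NOT /rest/**. The scopes are disjoint, so
// neither @Order nor the resource server's default order decides which chain answers
// /userPage or /oauth/authorize. Specific rules come before the catch-all.
@Configuration
@EnableWebSecurity
class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
            .requestMatchers(new NegatedRequestMatcher(new AntPathRequestMatcher("/rest/**")))
            .and()
            .authorizeRequests()
            .antMatchers("/", "/login", "/css/**", "/js/**", "/images/**").permitAll()
            .antMatchers("/userPage/**").hasAnyRole("USER", "HRADMIN")
            .antMatchers("/adminPage/**").hasRole("HRADMIN")
            .anyRequest().authenticated()   // includes /oauth/authorize: user must log in
            .and()
            .formLogin().loginPage("/").loginProcessingUrl("/login")
            .and()
            .logout().logoutUrl("/logout");
    }
}
```

CSRF is left enabled here, so the login form must submit the `_csrf` token; /oauth/token is deliberately not listed, since the authorization-server configuration is the place that secures it with client credentials.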

0 Answers