
I am trying to configure Spring Security for my application that is behind Google OAuth2.

The problem is that I want to whitelist certain API calls coming in from GitHub and Bitbucket via webhooks, for which I have written custom authentication providers. I have added these authentication providers in the Spring Security chain but they don't seem to get invoked for these calls.

Requests for Google OAuth2 are working fine and I am able to log in. However, all requests coming in from GitHub and Bitbucket are resulting in 401 without hitting the authentication providers.

Really need some help here.

Thanks in advance!

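import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// OAuth2UserServiceImpl, GithubIpAuthenticationProvider and
// BitbucketIpAuthenticationProvider are the application's own classes (not shown).
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private OAuth2UserServiceImpl oAuth2UserService;

  @Autowired
  private GithubIpAuthenticationProvider githubIpAuthenticationProvider;

  @Autowired
  private BitbucketIpAuthenticationProvider bitbucketIpAuthenticationProvider;

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            // GitHub webhook endpoint: require authentication, register the custom provider
            .antMatchers("/api/*/applications/*/webhooks/github")
            .authenticated()
            .and()
            .authenticationProvider(githubIpAuthenticationProvider)
            .authorizeRequests()
            // Bitbucket webhook endpoint: require authentication, register the custom provider
            .antMatchers("/api/*/applications/*/webhooks/bitbucket")
            .authenticated()
            .and()
            .authenticationProvider(bitbucketIpAuthenticationProvider)
            .authorizeRequests()
            // Every other API call requires an authenticated user
            .antMatchers("/api/**")
            .authenticated()
            .and()
            // Google OAuth2 login with the custom user service
            .oauth2Login()
            .userInfoEndpoint()
            .userService(oAuth2UserService)
            .and()
            .and()
            .csrf().disable()
            .exceptionHandling()
            // Unauthenticated requests get a plain 401 instead of a login redirect
            .authenticationEntryPoint(
                    (a, b, c) -> { b.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
            )
            .and()
            .cors();
  }
}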

coder006

0 Answers