
I know that there are some similar topics, but they are about implementation difficulties, whereas my question is more architecture-wise. And it is generally not Spring Framework related.

Let's say there is an application that implements both client and resource (in terms of OAuth2) behaviors. It also supports Basic auth for testing purposes (and it has its own set of static/LDAP users). The auth provider is done as a separate application.

This "three-type" auth is achieved by

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Chain 1: only requests carrying an "Authorization: Basic ..." header reach this chain
@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .requestMatcher(request -> {
                    String auth = request.getHeader("Authorization");
                    return (auth != null && auth.startsWith("Basic"));
                })
                .authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()
                .and().csrf().disable()
                .httpBasic()
        ;
    }
    ....
}

then goes

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Chain 2: only requests carrying an "Authorization: Bearer ..." header reach this chain
@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
    private final static Logger logger = LoggerFactory.getLogger(OAuth2ResourceServerConfig.class);

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .requestMatcher(request -> {
                    String auth = request.getHeader("Authorization");
                    return (auth != null && auth.startsWith("Bearer"));
                })
                .authorizeRequests()
                .anyRequest().authenticated();
    }
    ....
}

and then

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Chain 3: every request not taken by the two chains above goes through OAuth2 SSO login
@Configuration
@EnableOAuth2Sso
@Order(4)
public class OAuth2SsoConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()
                .and().csrf().disable()
        ;
    }
    ....
}
All of this is in one package (together with the UI).

That works pretty well. But is it good at all to have it like that? Some systems which this app integrates with already have "client" behavior themselves (like Salesforce), so the UI and the @EnableOAuth2Sso configuration seem to be dead weight.

Am I missing something in terms of security vulnerabilities? I was able to see that once a bearer token is accepted by the app, it creates a session; Postman sends the cookie back to the app on the next request, and the app keeps managing this session even if another bearer token (for another user) has been put in the Authorization header.

Does it make sense to customize this via Maven profiles, or by splitting it into separate apps (pure UI & client, and Resource API)?

Three options as I see it:

[image: diagram of the three options]

Thanks.

Olegdelone
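Added example (not code from the original post): the Basic and Bearer chains from the question, rewritten so that neither chain ever reads or writes an HTTP session. With SessionCreationPolicy.STATELESS, Spring Security swaps the session-backed SecurityContextRepository for a null one on that chain, so a JSESSIONID cookie replayed by Postman cannot supply an identity and the credential in the current request is the only thing that authenticates it. The AuthSchemeMatcher class and both config class names are my own; the matcher is also case-insensitive and requires the separating space, which the startsWith("Basic") / startsWith("Bearer") lambdas in the question are not. It assumes the same Spring Security 4.x + spring-security-oauth2 APIs the question uses, and leaves the @Order(4) SSO chain as in the question.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical helper (not from the original post): routes a request to a filter
 * chain by the auth-scheme in its Authorization header. Scheme names are
 * case-insensitive (RFC 7235), and the trailing space keeps "Basic" from matching
 * a header such as "Basicfoo ...".
 */
final class AuthSchemeMatcher implements RequestMatcher {
    private final String prefix;

    AuthSchemeMatcher(String scheme) {
        this.prefix = scheme.toLowerCase() + " ";
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.toLowerCase().startsWith(prefix);
    }
}

/** Chain 1: Basic-auth test users. Stateless, so every request is re-authenticated. */
@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE)
@EnableWebSecurity
class BasicApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(new AuthSchemeMatcher("Basic"))
            .sessionManagement()
                // never create a session, never load a SecurityContext from one
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()   // no session cookie on this chain, so no CSRF surface to protect
            .authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

/** Chain 2: Bearer tokens. Stateless, so the token in this request is the only source of identity. */
@Configuration
@EnableResourceServer
class BearerResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(new AuthSchemeMatcher("Bearer"))
            .sessionManagement()
                // a replayed JSESSIONID cannot carry over the previous token's principal
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A quick check with Postman: a first request with one bearer token should come back without a Set-Cookie issued by this chain, and a second request that reuses any cookie but carries a different user's token must be authenticated as that second user, not the first.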

0 Answers