Spring Sec 5 /Boot 2 + custom WebSecurityConfigurerAdapter -http.oauth2Login() - not configurable #91
Comments
On inspection of the traffic between Okta and my localhost I see the following, and perhaps significantly the Upgrade-Insecure-Requests: 1 and multiple of the redirects below:

```text
HTTP/1.1 302 GET http://localhost:8082/callback
```
I double checked the pom versions and dependencies and aligned them with my own project. Having done that I no longer have the redirect problem. However I get an NPE from the /callback controller method related to the authentication reference. My last change was to the security config to follow the tutorial, i.e. to make use of OAuth2SsoDefaultConfiguration:

```java
@Configuration
}
```

When I start the service I get the following stacktrace:

```text
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/code/OktaOAuthCodeFlowConfiguration$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
```

The application starts without devtools in the pom, although I still have the redirect issue.
Hey @fcbogle! I'm guessing you have Either way, you don't want to handle the callback directly; you would typically do this with a handler, take a look at the example in: spring-projects/spring-security#4472
Hi @bdemers many thanks for looking at my request!
I'm guessing it is because of your
I'll do that and come back if the handler doesn't resolve the problems. Out of interest, how is the Authentication created behind the scenes? The
It's all handled by Spring Security directly. As far as GrantedAuthorities go, are you trying to add them to the context or use them to protect your methods?
I was planning on differentiating between admin/regular users. Not much more than that. I guess I would add preAuthorization protection on some methods |
Sure, but what is the source of the roles? accessToken claims? oauth scopes? or some external source? I can point you to examples for the first couple, and possibly the right direction for the last |
Hi @bdemers I would probably use access token claims. Regarding an earlier update, in order to make use of:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed; not shown in the original comment

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            //.antMatcher("/**")
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .oauth2Login()
                // SsoAuthenticationSuccessHandler is the author's own AuthenticationSuccessHandler implementation
                .successHandler(new SsoAuthenticationSuccessHandler());
    }
}
```

I had to add:

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
```

to the pom.

```text
org.springframework.security.oauth2.client.resource.UserRedirectRequiredException: A redirect is required to get the users approval
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getRedirectForAuthorization(AuthorizationCodeAccessTokenProvider.java:359) ~[spring-security-oauth2-2.2.0.RELEASE.jar:na]
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:205) ~[spring-security-oauth2-2.2.0.RELEASE.jar:na]
at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221) ~[spring-security-oauth2-2.2.0.RELEASE.jar:na]
at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173) ~[spring-security-oauth2-2.2.0.RELEASE.jar:na]
at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105) ~[spring-security-oauth2-2.2.0.RELEASE.jar:na]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:128) ~[spring-security-oauth2-client-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar:8.5.34]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_144]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_144]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar:8.5.34]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_144]
```

Thank you for spending time looking at this and your advice.
Hi @bdemers I'm going to go back to the tutorial you published here: https://github.com/okta/samples-java-spring/blob/master/okta-hosted-login/src/main/java/com/okta/spring/example/CodeFlowExampleApplication.java
@fcbogle taking one step back for a sec: is there anything specific you want to do in your success handler? (I ask because there might even be an easier way via Spring Security.)
Hi @bdemers nothing fancy, just redirect the user to an appropriate endpoint based on the claims within the access token. I'm trying to get a basic OAuth2 implementation running so I can break up a monolithic code base, thankfully already written in Java, to a more distributed and federated design. I will probably provide an access point to the resource servers via an OAuth2 Client application that can access services across a series of resource servers. Right now I want to identify the correct OAuth2 client design to use based on Okta, which will be responsible for primarily Authentication as well as some Authorisation based on the token claims. I would like to use the token claims as the basis to assigning Granted Authorities in the authentication success handler, much in the same way as the UserDetailsService. |
This actually had me a bit stumped. I think the root of the issue is that Spring Security's oauth properties have changed between 4 and 5. The older properties (which we are using in this project) still work when you have the correct dependencies, but I'd recommend using Spring Security directly, see: https://developer.okta.com/blog/2017/12/18/spring-security-5-oidc After that you can configure the handler as expected, something like:

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(OAuth2LoginSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // all requests require an authenticated user
        http.authorizeRequests().anyRequest().authenticated();
        // the success handler runs after Spring Security has processed the OIDC callback itself
        http.oauth2Login().successHandler((request, response, authentication) -> {
            log.info("Authorities are: {}", authentication.getAuthorities());
            // do something with the authorities
            response.sendRedirect("/");
        });
    }
}
```

I've been pretty excited to update this project to the latest Spring Sec version (but that is still a couple weeks out)
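As an added example, not code from this thread or from the okta-spring-boot project, here is one way of doing what was asked for a few comments up (turn token claims into GrantedAuthorities, then send admins and regular users to different pages) on the Spring Security 5 `oauth2Login()` path recommended above, with the `spring.security.oauth2.client.*` properties from the tutorial. Assumptions not in the thread: the Okta authorization server has been configured to add a `groups` claim to the ID token (the authorities mapper on `oauth2Login()` sees the ID token and userinfo claims, not the access token); the class, package, view and group names are made up. The redirect URI registered in Okta must be the one Spring Security's filter handles, `{baseUrl}/login/oauth2/code/okta` for the `okta` registration, so no controller is written for it; the controller below only reads the already-authenticated principal.

```java
package com.example.sso; // hypothetical package

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
public class ClaimsToRolesSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the Okta authorization server adds a "groups" claim to the ID token.
    private static final String GROUPS_CLAIM = "groups";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN") // URL-level check, on top of method security
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                // The redirect URI /login/oauth2/code/okta is handled by Spring Security's
                // filter; the application does not map a controller to it.
                .userInfoEndpoint()
                    .userAuthoritiesMapper(groupsToRoles())
                    .and()
                .successHandler(redirectByRole());
    }

    /** Adds ROLE_<GROUP> for every value of the groups claim, keeping the default authorities. */
    private GrantedAuthoritiesMapper groupsToRoles() {
        return (Collection<? extends GrantedAuthority> authorities) -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    List<String> groups = ((OidcUserAuthority) authority)
                            .getIdToken().getClaimAsStringList(GROUPS_CLAIM);
                    if (groups != null) {
                        for (String group : groups) {
                            // Okta group "Admin" becomes ROLE_ADMIN, which hasRole("ADMIN") expects
                            mapped.add(new SimpleGrantedAuthority("ROLE_" + group.toUpperCase()));
                        }
                    }
                }
            }
            return mapped;
        };
    }

    /** Runs after login has completed; picks the landing page from the mapped authorities. */
    private AuthenticationSuccessHandler redirectByRole() {
        return (HttpServletRequest request, HttpServletResponse response, Authentication authentication) -> {
            boolean admin = authentication.getAuthorities().stream()
                    .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
            response.sendRedirect(request.getContextPath() + (admin ? "/admin" : "/"));
        };
    }
}

/** Reads the authenticated OIDC user; the view names "home" and "admin" are made up. */
@Controller
class LandingController {

    @GetMapping("/")
    public String home(@AuthenticationPrincipal OidcUser user, Model model) {
        model.addAttribute("user", user.getFullName());
        model.addAttribute("groups", user.getClaims().get("groups"));
        return "home";
    }

    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')") // method-level check, enforced in addition to the antMatcher
    public String admin(@AuthenticationPrincipal OidcUser user, Model model) {
        model.addAttribute("user", user.getFullName());
        return "admin";
    }
}
```

The mapper runs inside `OidcUserService` before the `Authentication` is built, so the success handler, method security and `@AuthenticationPrincipal` all see the mapped roles; if the roles instead come from an access token presented to a resource server, a different component (the resource server's token validation) is the place to map them, which is the separate question raised later in the thread.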
Hi @bdemers once again thanks for your help on this work, greatly appreciated! |
In a recent blog post, I show how to use Spring Security OIDC to protect a Spring Boot API (it redirects when you hit http://localhost:8080) and to set up a resource server (so a client can talk to it by sending an Authorization header).
https://developer.okta.com/blog/2018/09/25/spring-webflux-websockets-react

> On Oct 3, 2018, at 1:40 PM, Frank Bogle wrote:
>
> Hi @bdemers once again thanks for your help on this work, greatly appreciated!
> I have followed the link to the Security 5 OIDC tutorial and it is working really well.
> I notice in the link there is no need to use the @EnableOAuth2Sso annotation and it got me thinking about integrating an OAuth2 client like this with one or more Resource Servers. Can you please advise whether the yml file for a Resource Server needs to change and whether there is any advice about the use of Resource Servers that need to validate access_tokens assigned from an Okta Authorization Server, also local versus remote token validation. I have done this in the past using a public key, but am not sure about how to configure that using Okta.
>
> ```yaml
> spring:
>   thymeleaf:
>     cache: false
>   security:
>     oauth2:
>       client:
>         registration:
>           okta:
>             client-id: {clientId}
>             client-secret: {clientSecret}
>         provider:
>           okta:
>             authorization-uri: https://{yourOktaDomain}/oauth2/default/v1/authorize
>             token-uri: https://{yourOktaDomain}/oauth2/default/v1/token
>             user-info-uri: https://{yourOktaDomain}/oauth2/default/v1/userinfo
>             jwk-set-uri: https://{yourOktaDomain}/oauth2/default/v1/keys
> ```
>
> Regards
As of 1.0+ you should be able to override the defaults. Please leave a comment if run into any trouble! |
Hello,
I am working with Spring Boot 2.0.5 and Okta 0.6.0.
I am following a tutorial https://github.com/okta/samples-java-spring/blob/master/okta-hosted-login/src/main/java/com/okta/spring/example/CodeFlowExampleApplication.java but cannot get beyond an issue related to the redirect URI and too many redirects.
The redirect to Okta works successfully; the problems begin on the redirect back to localhost.
The UI I receive from my application is here:
I have set the redirect URI for my OIDC App to localhost:8082/callback and this is the configuration of my yml file:

```yaml
security:
  oauth2:
    client:
      client-id: XXXX
      client-secret: XXX
      access-token-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/token
      user-authorization-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/authorize
      client-authentication-scheme: form
    sso:
      login-path: /callback
okta:
  oauth2:
    issuer: https://dev-848116.oktapreview.com/oauth2/XXX
```

The Security configuration I am using is here:

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
}
```

I have also tried the security configuration by extending the `OAuth2SsoDefaultConfiguration` class, however I can see this class implements the `WebSecurityConfigurerAdapter` interface so perhaps no surprises it operates the same way. It appears to me the http security is being ignored or bypassed. The controller config is very simple, here is the /callback implementation:

```java
@Controller
public class CallbackController { // class name assumed; only the method was posted

    private static final Logger logger = LoggerFactory.getLogger(CallbackController.class);

    @GetMapping("/callback")
    public String callback(OAuth2Authentication authentication, Model model) {
        logger.info("Returning principal page: " + authentication.getUserAuthentication().getName());
        model.addAttribute("user", authentication.getUserAuthentication().getName());
        return "home";
    }
}
```

Can you please advise what I need to do to resolve this; I'm not sure I need a concrete implementation of the /callback endpoint.