-
Notifications
You must be signed in to change notification settings - Fork 343
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Getting to work with Forms #11
Comments
Thanks for the feedback! I built this because I had run into the same issue. I wanted a basic sample app that integrated all these features. Regarding Spring Forms, that's out of scope for my goals with this app, but @rwinch may be able to provide some guidance. |
@kibbled If you can provide a more concrete example of what you have and what you are looking for I can certainly see if I can help. |
Basically this added to the working sample from this repo: @Configuration
@EnableWebSecurity
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/app/**", "/css/**", "/img/**", "/js/**", "/bower_components/**").permitAll().and()
.formLogin().loginPage("/login").permitAll().and()
.logout().permitAll().and()
.authorizeRequests().anyRequest().fullyAuthenticated();//.and()
http.httpBasic();
http.csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("username").password("mypass").roles("USER", "ADMIN");
}
} |
I'm facing the same problem. Currently working on a website that has a fully working WebSecurityConfig like @kibbled with datasource and what not. I can't find a way to make it work with a ResourceServerConfigurerAdapter because :
This is my OAuth2ServerConfiguration class : @Configuration
public class OAuth2ServerConfiguration {
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "restservice";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
// @formatter:off
resources.resourceId(RESOURCE_ID);
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
// http.authorizeRequests().anyRequest().authenticated();
http.authorizeRequests().antMatchers("/api/**").authenticated();
// @formatter:on
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { /*...*/ } Still trying to find a way to integrate both of them so that a user can login on the website www.example.com/login and still be able to send his token via an Android/iOS mobile app for REST calls to the server at www.example.com/api/getSomething. I'm able to do one or the other but not both in the same project. Do I have to create a seperate project for my RESTful web services? |
I think the issue is if two HttpSecurity configuartions are for the same path , otherwise if they are configured for different endpoints they work fine |
Two working configurations: @Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
// @formatter:off
resources
.resourceId(RESOURCE_ID);
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers()
.antMatchers("/resources/**","/greeting")
.and()
.authorizeRequests()
.antMatchers("/resources").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
.antMatchers("/greeting").access("#oauth2.hasScope('read')");
}
} and @Configuration
@EnableWebSecurity
@EnableWebMvcSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
@Bean
@Qualifier("authenticationManagerBean")
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers( "/user")
.authenticated()
.antMatchers("/**").access("hasRole('ROLE_ADMIN')")
.and()
.csrf().disable().formLogin();
}
} works as desired, I added above to the btw could someone tell me how to color code so it looks nice like yours |
Hi @mariubog, thanks for your reply! I'll give it a try later today. You can add java after the ``` when you wrap your code. ```java // code for coloring ``` ```html // code for coloring ``` ```js // code for coloring ``` ```css // code for coloring ``` // etc. |
I think the problem has to do with the filter chains, when we create above two, web security configuration and oauth configuration we get three filter chains : 1First filter chain it is default filter chain only difference between other two is that it uses 2 Second filter chain is the one that is our concern I guess, the difference from above is that it uses OAuth2AuthenticationProcessingFilter in place of BasicAuthenticationFilter
and the method used for checking against patterns is: @Override
public boolean matches(HttpServletRequest request) {
String requestPath = getRequestPath(request);
for (String path : mapping.getPaths()) {
if (requestPath.startsWith(path)) {
return false;
}
}
return true;
} from 3 this is the third filter chain that is last and has obviously widest range |
Ok so it's working with your solution! I think I understand now... By using the following in the ResourceServerConfiguration extends ResourceServerConfigurerAdapter @Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers().antMatchers("/api/**")
.and()
.authorizeRequests().antMatchers("/api/**").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')");
// @formatter:on
} I'm able to use web security and Oauth security for the path /api/** I'm pretty sure it's because when it calls configure(HttpSecurity http) it gets the same HttpSecurity object (singleton I presume) and continues the configuration... so by adding matchers and giving them an .access("#oauth2.hasScope('read')") it doesn't override the previous web configurations that you did previously... What I was trying before was that I reconfigured the whole think by adding in that method .authorizeRequests().antMatchers("/api/**").authenticated() So with this new .authenticated() it overrided my previous configuration in FormSecurityConfig extends WebSecurityConfigurerAdapter |
I don think you can use both for the same path, it is the matter of the security filterchain selection so if they both use the same path it may be an issue, can you post both of your configurations? |
This is my Web config I also added an @order(Ordered.HIGHEST_PRECEDENCE) to my web configure(HttpSecurity) method to be sure my web config will load first. @Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class FormSecurityConfig extends WebSecurityConfigurerAdapter {
// code here
@Override
@Order(Ordered.HIGHEST_PRECEDENCE)
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests().antMatchers("/paths/**","/for","/everyone","/here").permitAll()
.and()
.authorizeRequests().antMatchers("/paths/**","/for","/admin","/here").hasRole("ADMIN")
.and()
.authorizeRequests().antMatchers("/paths/**","/for","/anonymous","/here").anonymous()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/dologin")
.successHandler(customAuthenticationSuccessHandler())
.failureHandler(customAuthenticationFailureHandler())
.authenticationDetailsSource(customAuthenticationDetailsSource())
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(customLogoutSuccessHandler())
.deleteCookies("JSESSIONID");
// @formatter:on
}
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId("id_here").tokenStore(tokenStore);
}
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers().antMatchers("/path_for_api/**")
.and()
.authorizeRequests().antMatchers("/path_for_api/**").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')");
// @formatter:on
}
}
} |
Yup it works because you have different paths and they do not overlap |
Sorry for being late to the party I have been on Holiday. It looks like you got this figured out though? |
@rwinch yeah I got it working :) thanks! |
@kibbled thanks for the original question! Seems like the issues have been worked through in the discussion. I'm closing this issue, but anyone feel free to submit a PR if you feel there is something useful to add to the app. |
First thanks for this sample it was very helpful and one of the few working samples I could find with Spring Boot and OAuth2. Is there a way to get this to work alongside Spring Form authentication?
.formLogin().loginPage("/login").permitAll().and().logout().permitAll().and()
Getting the following error:
An Authentication object was not found in the SecurityContext
The text was updated successfully, but these errors were encountered: