This repository was archived by the owner on May 31, 2022. It is now read-only.

OAuth2 security filter chain totally ignored #1076

Description

@allfro

Hello all,

I am trying to set up a server that is both an Authorization and Resource server. The following are my configuration classes:

1: OAuth2ServerConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class OAuth2ServerConfig {
    // Nested resource-server configuration: intended to own only the /admin/** paths
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                    // restrict this filter chain to /admin/** so the web chain handles everything else
                    .requestMatchers().antMatchers("/admin/**")
                    .and()
                    .authorizeRequests()
                    // require the "admin" OAuth2 scope on the protected endpoint
                    .antMatchers("/admin/test").access("#oauth2.hasScope('admin')");
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources
                    .resourceId("test")
                    // allow session-based (non-bearer) access as well
                    .stateless(false);
        }
    }
}

2: WebSecurityConfig.java

import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        // static assets and selected OAuth endpoints bypass the security filter chain entirely
        web.ignoring().antMatchers(
                "/access-denied.html",
                "/js/**",
                "/css/**",
                "/img/**",
                "/oauth/uncache_approvals",
                "/oauth/cache_approvals",
                "/oauth/token_key"
        );
    }

    // Note: CsrfAccessDeniedHandler, defaultAccessDeniedHandler() and
    // authenticationFailureHandler() are application classes/beans not shown in this issue.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                .and()
                .anonymous()
                .principal("anonymous")
                .and()
                .authorizeRequests()
                // self-service endpoints are reachable only by unauthenticated users
                .antMatchers(
                        "/user/register",
                        "/password/reset",
                        "/verify/account",
                        "/verify/password/reset"
                ).anonymous()
                .antMatchers("/login.html", "/password/expired", "/policies/**").permitAll()
                // everything else, including /admin/** if this chain handles it, needs ROLE_USER
                .anyRequest().hasRole("USER")
                .and()
                .exceptionHandling()
                .accessDeniedHandler(
                        // route CSRF failures to a dedicated handler, everything else to the default
                        new DelegatingAccessDeniedHandler(
                                new LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler>() {{
                                    put(CsrfException.class, new CsrfAccessDeniedHandler());
                                }},
                                defaultAccessDeniedHandler()
                        )
                )
                .and()
                .logout()
                .logoutUrl("/logout")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
                .logoutSuccessUrl("/login.html")
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .failureHandler(authenticationFailureHandler())
                .loginPage("/login.html");
    }

}

When I try to hit the endpoint /admin/test, I get redirected to the login page, which suggests that the default Spring Security filter chain is being used. Upon debugging the AbstractSecurityInterceptor I can see that indeed the Spring Security filter chain is being used, as the security attributes that are being fetched are hasRole('USER') (specified as one of the rules).

I commented the line .anyRequest().hasRole("USER") out to see if there is any effect but sadly, no. Instead, no Spring Security rules, OAuth2 or otherwise, are being applied. Requests appear to flow through without any access control.

I also tried reordering the configuration classes by using @Order(99) on the ResourceConfiguration class but that also did not work. I am not sure how to solve this issue after looking at many other issues with the same problem and applying the same recommendations. Your thoughts would be greatly appreciated @dsyer.
