resource server security custom request matching ignored

[paskos]

It was hard to summarize this issue with a small amount of words, I'll use code instead.

My ResourceServer and AuthorizationServer are running in the same JVM.
My ResourceServer only protects "/rest/**" based urls, "/api-docs" url is not to be considered a protected resource.
My subclass of ResourceServerConfigurerAdapter defines

 @Override
    public void configure( HttpSecurity http ) throws Exception
    {
        http.requestMatchers().antMatchers("/rest/**" )
      [...]
    }

The problem is that when a request comes in with "/api-docs" path the security filter chain for the resource server is still triggered.
After debugging I found that my http.requestMatchers().antMatchers("/rest/**" )config is ignored because the actual RequestMatcheris a OrRequestMatcher combining NotOAuthRequestMatcher OR http.requestMatchers().antMatchers("/rest/**" ) which returns true in case of "/api-docs" incoming request.

I wonder is there a way or changing the OrRequestMatcher for an AndRequestMatcher using configuration ?

Thanks in advance

[paskos]

I found a quick workaround

@SuppressWarnings( "unchecked" )
protected void hackRequestMatcher( SecurityFilterChain chain )
{
    Optional< DefaultSecurityFilterChain > optSubChain = castIfPossible( chain , DefaultSecurityFilterChain.class );

    DefaultSecurityFilterChain subChain = optSubChain.orElseThrow( illegalState( "chain should be of type '%s'." ,
                                                                                     DefaultSecurityFilterChain.class.getName() ) );

    Optional< OrRequestMatcher > optOrMatcher = castIfPossible( subChain.getRequestMatcher() ,
                                                                    OrRequestMatcher.class );
    if ( !optOrMatcher.isPresent() )
    {
        debug( "RequestMatcher is not '%s', simply ignore." , OrRequestMatcher.class.getSimpleName() );
        return;
    }

    OrRequestMatcher orMatcher = optOrMatcher.get();

     List< RequestMatcher > matchers = getFieldValue( orMatcher , "requestMatchers" , List.class );
     List< AntPathRequestMatcher > restMatchers = matchers.stream()
                                                             .map( ifThen( m -> isInstanceAssignableFromClass( AntPathRequestMatcher.class ,
                                                                                                               m ) ,
                                                                           m -> cast( m , AntPathRequestMatcher.class ) ) )
                                                             .filter( m -> m != null )
                                                             .filter( m -> m.matches( request ) ).collect( toList() );

     if ( isEmpty( restMatchers ) )
     {
        debug( "No '%s' found for '%s' path, simply ignore." , AntPathRequestMatcher.class.getSimpleName() ,
                REST_ANY );
         return;
     }

    AndRequestMatcher andMatcher = new AndRequestMatcher( matchers );

    debug( "Replacing '%s' instance by '%s' instance." , OrRequestMatcher.class.getSimpleName() ,
            AndRequestMatcher.class.getSimpleName() );

    setFieldValue( subChain , "requestMatcher" , andMatcher );
}

[maxiwu]

I think we ran into same issue, I have similar project, which /device/* is oauth resource and /home is not. /home is protected by spring secrity. when I do a GET request to /home, the log shows NotOAuthRequestMatcher give a "Matched" result, which does not make any sense since /home is not even in resource server setting, only /device/* is. looking for a solution to this issue.

[paskos]

@maxiwu : I posted a workaround (java 8) where you can replace the OrRequestMatcherwith an instance of AndRequestMatcher

[dsyer]

Seems like this might be a bug. I'd have to do a bit of digging first to be sure, but I never had any trouble configuring a rest endpoint, so I'm cautious about labelling it right now. Probably the default should be NotOAuthRequestMatcher but that should not be used at all if the user provides their own.

What version of Spring Security are you using (maybe something changed there)?

[paskos]

spring-security-config: 4.0.2.RELEASE
spring-security-core: 4.0.2.RELEASE
spring-security-web: 4.0.2.RELEASE
spring-security-crypto: 4.0.2.RELEASE
spring-security-jwt: 1.0.3.RELEASE
spring-security-oauth2: 2.0.7.RELEASE

[dsyer]

This project depends on Spring Security 3.2 and hasn't really been tested with 4.0. Can you try with 3.2 and see if this is still a problem?

[paskos]

It will be hard for me to test with spring-security 3.2. We have many projects using the same bom which defines spring-security dependencies to 4.0.2.
It works with my workaround I'll wait then. Any ETA for spring-security-oauth2 compatible with spring-sec 4.0.x ?

[Chumper]

Same problem here with Spring Security 4.0.2.
To work around the issue i did:

class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired(required = false)
        private AuthorizationServerEndpointsConfiguration endpoints;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .requestMatcher(
                    new AndRequestMatcher(
                        new AntPathRequestMatcher("/clients/**"),
                        new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping())
                    )
                )
            ...
            // @formatter:on
        }
    }

So just copy the NotOAuthRequestMatcher and add it to the current file.
With this we don't need to hack the matcher but just override them

[kwongpan]

we ran into the same issue with Spring Security 3.2.8 and 3.2.9

[dsyer]

If you had a similar issue with Spring Security 3.2 I believe it was different. Spring Security 4 changed the behaviour of the requestMatchers() method. Should be fixed in 21fce68 (2.0.9).

[miguelfgar]

Hi,

@dsyer, I was running into the same issue with the login endpoint implementing the Authorization Code workflow.
My code with older versions works fine, and when I posted a form to authenticate the user (username, password) to login endpoint (default "/login") the UserNamePasswordAuthenticationFilter was sucessfully applied.
However, exactly the same code, only upgrading the dependencies behaves different and UserNamePasswordAuthenticationFilter is not applied when the username and password are posted to /login.
On the other hand, if I disable the ResourceManager, the login endpoint works fine and I obtain and authorization code that could be changed for an oauth2 token...

Might be the default "/login" endpoint affected by this issue?
I have tried the 2.0.9 SNAPSHOT and this is not working in my project.

Thank you

[dsyer]

Did you build from source? I don't think the snapshots are publishing correctly at the moment.

[miguelfgar]

Hi @dsyer

I compiled the source code and I can confirm the snapshot fixes the issue.
I thought the snapshots you have published would contain your commit with the fix because date is newer.
By the way, the tests didn't pass for me (branch master, last commit) so I had to build the artifact with -DskipTests.

Do you know roughly when will you release 2.0.9?

Thanks Dave for your help