This repository has been archived by the owner on May 31, 2022. It is now read-only.

Resource Server ignore Bearer token when deployed in the same app with Authorization Server #980

Open
endymuhardin opened this issue Feb 16, 2017 · 6 comments

Comments

@endymuhardin

I am creating a Spring Boot app containing both Authorization Server and Resource Server with the following configuration

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Outer web security: form login for every URL (no @Order given).
@EnableWebSecurity(debug = true)
public class KonfigurasiSecurity extends WebSecurityConfigurerAdapter {

    // In-memory users that log in through the form and authorize clients.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("endy").password("123").authorities("ADMIN").and()
                .withUser("anggi").password("123").authorities("CUSTOMER");
    }

    // Exposed as a bean so the authorization server can use it for the password grant.
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/**").authenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
    }

    // Authorization server: one in-memory client bound to resource id "belajarsso".
    @Configuration
    @EnableAuthorizationServer
    protected static class KonfigurasiAuthServer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("hasAuthority('CLIENT')");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                    .inMemory()
                    .withClient("clientapp")
                    .secret("123456")
                    .authorities("CLIENT")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .scopes("read", "write")
                    .autoApprove(true)
                    .resourceIds("belajarsso");
        }
    }

    // Resource server: only /api/** should be protected by the bearer-token filter.
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId("belajarsso");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/api/**")
                    .and().authorizeRequests()
                    .antMatchers("/api/**")
                    .authenticated();
        }

    }
}

I also have a Controller

import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Echoes the current Authentication so the caller can see who the token resolved to.
    @RequestMapping({"/api/user", "/api/me"})
    public Authentication user(Authentication auth) {
        return auth;
    }
}

After the access token is obtained (through the usual login process and exchanging the auth code), the controller can be accessed if the token is supplied as a request parameter, as such:
http://localhost:20000/api/user?access_token=blablabla-yadda-yadda-yadda

However, if the access token is used in the Authorization header, as such:

curl -H 'Authorization: Bearer blablabla-yadda-yadda-yadda' http://localhost:10000/api/user

it returns a 301 redirect to the login page.

My suspicion is that @EnableResourceServer somehow either fails to register or misconfigures OAuth2AuthenticationProcessingFilter so that it conflicts with BasicAuthenticationFilter.

Am I correct? How can I debug the exact sequence of installed filters? The debug log (I suppose) only displays the filters hit by a request, not all installed/active filters.

Pls advise, thx

@forbreak

Could you fix it? I have also encountered the same problem.

@peah90

peah90 commented May 23, 2017

Any updates on this?
I am facing the same problem.

@heyuxian

I am facing the same problem too.
I'm using Spring Boot 1.5.2.RELEASE.

@Jardo-51

Same problem here. Spring Boot 1.5.6.RELEASE.

@jolucama

Same problem here. 1.5.8.RELEASE. Cannot find any way to put them together using JWT and RSA keys. I think one overrides the configuration of the other.

@jolucama

Hi guys,

I found the problem and it is working now for me. I think it is kind of what I said before, so you need to add this annotation on top of your WebSecurityConfigurerAdapter:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    ...

Regards
Jose
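As an added example (not code from the issue or from the project), the reporter's outer WebSecurityConfigurerAdapter rewritten with the @Order Jose suggests, plus a startup runner that answers the filter-order question from the original post by listing every chain in springSecurityFilterChain in the order FilterChainProxy consults them. The reasoning assumed here: in Spring Boot 1.5 the @EnableResourceServer chain defaults to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 (property security.oauth2.resource.filter-order), so an unordered adapter (default order 100) that matches /** is consulted first and sends /api/** to the login page; the class and bean names are assumptions, and the two nested authorization/resource server classes from the issue are left unchanged.

```java
import javax.servlet.Filter;
import java.util.List;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

// Assumed class name. ACCESS_OVERRIDE_ORDER places this form-login chain after the
// @EnableResourceServer chain, so a Bearer token on /api/** reaches
// OAuth2AuthenticationProcessingFilter instead of the redirect-to-login entry point.
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class OrderedWebSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").authenticated()
            .and().formLogin().permitAll()
            .and().logout().permitAll();
    }

    // Startup check (assumed bean name): print each registered chain in evaluation order
    // with its request matcher and filters. The first chain whose matcher accepts /api/user
    // must contain OAuth2AuthenticationProcessingFilter; if the form-login chain is listed
    // before it, the ordering is still wrong.
    @Bean
    public CommandLineRunner dumpFilterChains(
            @Qualifier("springSecurityFilterChain") Filter securityFilter) {
        return args -> {
            List<SecurityFilterChain> chains = ((FilterChainProxy) securityFilter).getFilterChains();
            for (int i = 0; i < chains.size(); i++) {
                SecurityFilterChain chain = chains.get(i);
                String matcher = chain instanceof DefaultSecurityFilterChain
                        ? ((DefaultSecurityFilterChain) chain).getRequestMatcher().toString()
                        : chain.getClass().getSimpleName();
                System.out.println("chain[" + i + "] " + matcher);
                for (Filter f : chain.getFilters()) {
                    System.out.println("    " + f.getClass().getSimpleName());
                }
            }
        };
    }
}
```

Run the app once and compare the printed order with a curl using the Authorization header: the /api/** chain should appear before the /** form-login chain.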
