1

I'm pretty new with Spring, and I'm trying to build an OAuth Server using spring-security-oauth2.

I mainly refered to the sample and a tutorial given by spring.io.

https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2 http://spring.io/guides/tutorials/spring-boot-oauth2/

However, I face some problems about HttpSecurity configuration.

My folder structure is as follow.

├─java │ └─com │ └─example │ Greeting.java │ GreetingController.java │ MvcConfig.java │ OAuth2ServerConfig.java │ SecurityConfig.java │ SocialApplication.java │ └─resources │ application.yml │ └─templates hello.html home.html login.html

I add some HttpSecurity configuration in SecurityConfig.java

@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter{ @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } }

OK, it works fine. However, I want to protect the greeting api (which is a simple rest api I just copied from another demo) in my Resource Server. So I add some HttpSecurity configuration in OAuth2ServerConfig.java

@Configuration @EnableResourceServer protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers().antMatchers("/greeting") .and() .authorizeRequests() .anyRequest().access("#oauth2.hasScope('scope1')"); // @formatter:on } }

It seems that I only protect /greeting. However, when this was done, I can't even access / and /login. It said that Full authentication is required to access this resource.

Did I miss some configuration or do anything wrong?

Improve this question

4 Answers 4

Reset to default
3

Well, I find the solution. The situation is mentioned in this issue. It's a bug in Spring-Security 4.0.3.

The way to solve it is just use requestMatcher() instead of requestMatchers() when config your Resource Server. Here is an example.

@Override public void configure(HttpSecurity http) throws Exception { http .requestMatcher( new OrRequestMatcher( new AntPathRequestMatcher("/greeting"), new AntPathRequestMatcher("/greeting2") ) ) .authorizeRequests() .antMatchers("/greeting").access("#oauth2.hasScope('scope1')") .antMatchers("/greeting2").access("#oauth2.hasScope('scope2')"); }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

I've experienced the same issues before.

To solve it, I replaced requestMatchers().antMatchers(...).and() with antMatcher(...)

Please try the configuration below:

public void configure(HttpSecurity http) throws Exception { // @formatter:off http .antMatcher("/greeting") .authorizeRequests() .anyRequest().access("#oauth2.hasScope('scope1')"); // @formatter:on }
Improve this answer

1 Comment

Oh, it actually works! So if I want to protect a lot of resource, I just need to use .and() between each .antMatcher()?
0

Because of the anyRequest().access("#oauth2.hasScope('scope1')"); In your ResourceServerConfiguration every request needs to be authenticated with an OAuth scope, including / and /login (Because the OAuth security configuration comes after the normal configuration in the Spring Security Chain). If you want to protect /greeting with OAuth you should something like this in your ResourceServerConfiguration:

@Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/greeting").authenticated(); // @formatter:on }
Improve this answer

3 Comments

I change the code as you said. /greeting is protected now, but my configuration in SecurityConfig.java doesn't work. I can access /hello without login.
And you couldn't before you added the OAuth configuration?
I couldn't, when I try to access /hello without login, it should redirect to /login, as I configured in SecurityConfig.java.
0

I experienced this same problem and the accepted answer did solve the issue. However, the current solution should be to use spring-security-oauth2 version 2.0.9.RELEASE. This version includes a fix that should work in both Spring Security 3.2 and 4.0.

Improve this answer

1 Comment

This should have been a comment under the answer, but thanks for letting the community know.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.