I have converted an app to use spring and spring security I am using version 5.2. When I try and login my CustomAuthProvider doesn't get called. It does hit the security endpoint 'login' in the jsp and has an anonymous role. Below are the relevant configs.
#ComponentScan(basePackages = {"com.example"})
#Import({com.example.Configuration.class, WebSecurityConfig.class})
public class AppConfig {
servletContext.addFilter("springSecurityFilterChain", new DelegatingFilterProxy("springSecurityFilterChain"))
.addMappingForUrlPatterns(null, false, "/mvc/*");
Register the DelegatingFilterProxy
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
The WebSecurity class
#Configuration
#EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider)
.userDetailsService(new UserDetails());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and().
authorizeRequests(a ->
a.antMatchers(
"/resources/js/**",
"/resources/scripts/**",
"/login",
"/resources/styles/**",
"/resources/images/**",
"/resources/loginPage.jsp",
"/resources/forgotUserName.jsp",
"/resources/forgotPassword.jsp",
"/mvc/jsonInitialResponse/**")
.permitAll()
.antMatchers(
"/resources/resetPassword.jsp",
"/mvc/jsonResponse/**",
"/mvc/download/**",
"/resources/**"
).authenticated())
.formLogin()
.loginPage("/resources/loginPage.jsp")
.successHandler(new CustomeAuthenticationSuccessHandler())
.failureUrl("/resources/loginPage.jsp?error=true")
.and().anonymous()
.and()
.logout()
.logoutSuccessUrl("/resources/loginPage.jsp")
.permitAll()
.and()
.csrf().disable().cors().disable();
}
}
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
#Override
public Authentication authenticate(final Authentication authentication) {......}
#Override
public boolean supports(Class<?> authentication) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
Any thoughts on what I may be missing? The CustomAuthenticationProvider isn't being called and either is the supports() method.
2020-10-06 12:26:29 DEBUG DefaultSavedRequest:359 - pathInfo: both null (property equals)
2020-10-06 12:26:29 DEBUG DefaultSavedRequest:359 - queryString: both null (property equals)
2020-10-06 12:26:29 DEBUG DefaultSavedRequest:383 - requestURI: arg1=/reinsurance-service-ui-war/resources/login; arg2=/reinsurance-service-ui-war/resources/images/icn-lock.png (property not equals)
2020-10-06 12:26:29 DEBUG HttpSessionRequestCache:95 - saved request doesn't match
2020-10-06 12:26:29 DEBUG FilterChainProxy:328 - /resources/images/icn-lock.png at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-10-06 12:26:29 DEBUG FilterChainProxy:328 - /resources/images/icn-lock.png at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-10-06 12:26:29 DEBUG AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#418e8a7d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 4503EBEA550D56CD4AF5506BC88E7576; Granted Authorities: ROLE_ANONYMOUS'
2020-10-06 12:26:29 DEBUG FilterChainProxy:328 - /resources/images/icn-lock.png at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-10-06 12:26:29 DEBUG FilterChainProxy:328 - /resources/images/icn-lock.png at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-10-06 12:26:29 DEBUG FilterChainProxy:328 - /resources/images/icn-lock.png at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-10-06 12:26:29 DEBUG AntPathRequestMatcher:177 - Checking match of request : '/resources/images/icn-lock.png'; against '/resources/js/**'
2020-10-06 12:26:29 DEBUG AntPathRequestMatcher:177 - Checking match of request : '/resources/images/icn-lock.png'; against '/resources/scripts/**'
2020-10-06 12:26:29 DEBUG AntPathRequestMatcher:177 - Checking match of request : '/resources/images/icn-lock.png'; against '/resources/styles/**'
2020-10-06 12:26:29 DEBUG AntPathRequestMatcher:177 - Checking match of request : '/resources/images/icn-lock.png'; against '/resources/images/**'
2020-10-06 12:26:29 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /resources/images/icn-lock.png; Attributes: [anonymous]
2020-10-06 12:26:29 DEBUG FilterChainProxy:313 - /resources/images/icn-pencil.png reached end of additional filter chain; proceeding with original chain
2020-10-06 12:26:29 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#418e8a7d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 4503EBEA550D56CD4AF5506BC88E7576; Granted Authorities: ROLE_ANONYMOUS
2020-10-06 12:26:29 DEBUG HstsHeaderWriter:169 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51ca55f0
2020-10-06 12:26:29 DEBUG HttpSessionSecurityContextRepository:351 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-10-06 12:26:29 DEBUG ExceptionTranslationFilter:120 - Chain processed normally
2020-10-06 12:26:29 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
2020-10-06 12:26:29 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#3fe8aa9d, returned: 1
2020-10-06 12:26:29 DEBUG FilterSecurityInterceptor:243 - Authorization successful
2020-10-06 12:26:29 DEBUG FilterSecurityInterceptor:256 - RunAsManager did not change Authentication object
2020-10-06 12:26:29 DEBUG FilterChainProxy:313 - /resources/images/icn-lock.png reached end of additional filter chain; proceeding with original chain
2020-10-06 12:26:29 DEBUG HstsHeaderWriter:169 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51ca55f0
2020-10-06 12:26:29 DEBUG HttpSessionSecurityContextRepository:351 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-10-06 12:26:29 DEBUG ExceptionTranslationFilter:120 - Chain processed normally
2020-10-06 12:26:29 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed```
Related
Well, i have a JWT with scope definied in a claim called scp, see the peace of jwt:
"scp": "xpto_role user_impersonation",
So, in my Spring application i have the following Configuration:
#Configuration
#EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
#Override
public void configure(final HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/urlabc/**").hasAuthority("abc")
.antMatchers("/urlabc/**").authenticated();
}
#Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("xpto");
}
}
ANd in my restController:
#RestController
public class TestResourceOne {
#RequestMapping(value = "/endpoint001")
public Double endpoint001(#RequestParam("value") Double value) {
return Math.sqrt(value);
}
}
Look, my scope passed by JWT is "xpto_role" in claim scp. In my SpringApp i want to force a Access Denied so i putted a "abc" role in "hasAuthority" method, but user is allowed to access my endpoint anyway.
The configuration is correct ?
Edit 1:
After remove the "authenticated()" line and putted the correct role i got Access Denied yet, see the error:
2018-07-20 16:57:36.732 DEBUG 6828 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /calcsqrt?value=10.0 at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-07-20 16:57:36.732 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.oauth2.provider.OAuth2Authentication#8f785707: Principal: null; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>; Not granted any authorities'
2018-07-20 16:57:36.732 DEBUG 6828 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /calcsqrt?value=10.0 at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-07-20 16:57:36.732 DEBUG 6828 --- [nio-8080-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#63dfada0
2018-07-20 16:57:36.732 DEBUG 6828 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /calcsqrt?value=10.0 at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-07-20 16:57:36.733 DEBUG 6828 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /calcsqrt?value=10.0 at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-07-20 16:57:36.733 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/calcsqrt'; against '/calcsqrt/**'
2018-07-20 16:57:36.733 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /calcsqrt?value=10.0; Attributes: [#oauth2.throwOnError(hasRole('ROLE_EXEC_CALCSQRT'))]
2018-07-20 16:57:36.733 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication#8f785707: Principal: null; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>; Not granted any authorities
2018-07-20 16:57:36.733 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#7475b738, returned: -1
2018-07-20 16:57:36.734 DEBUG 6828 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.7.RELEASE.jar:4.2.7.RELEASE]
I have a ResourceServer defined which is currently validating an AccessToken using a public key. This is working as expected.
I would like to retain the sensitivity behavior of the Actuator endpoints and use OAuth for the Sensitive endpoints.
The default behavior in Spring boot is using some form of Basic Auth to secure the Actuator endpoints. How can I switch to OAuth for the Sensitive Endpoints?
Things I have tried:
management.security.enabled=false (disables all form of security to all the Actuator endpoints)
security.basic.enabled=false (doesn't seem to do anything at all afaik)
How do I go about achieving the desired behavior?
Edit-1: Adding the configuration of the ResourceServer
#Configuration
#EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
}
# OAuth2 Resource Configuration
security.oauth2.resource.filter-order=3
security.oauth2.resource.jwt.key-value=-----BEGIN PUBLIC KEY----- \
ABCD|\
-----END PUBLIC KEY-----
Edit-2: Logs with management.security.enabled=false
2018-04-04 09:38:52,428 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
2018-04-04 09:38:52,428 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$LazyEndpointPathRequestMatcher#cba0b40, []
2018-04-04 09:38:52,517 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher#1
2018-04-04 09:38:52,527 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,528 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,537 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: Ant [pattern='/h2-console/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#2f0907e7, org.springframework.security.web.context.SecurityContextPersistenceFilter#7d0c8fcd, org.springframework.security.web.header.HeaderWriterFilter#1deb6ece, org.springframework.security.web.authentication.logout.LogoutFilter#54ae565a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#101e66ff, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#48870c1e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#2c3aa8cc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#43db62cc, org.springframework.security.web.session.SessionManagementFilter#1c417a06, org.springframework.security.web.access.ExceptionTranslationFilter#6af61e6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor#e2595cc]
2018-04-04 09:38:52,559 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher#1
2018-04-04 09:38:52,560 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,560 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,561 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher#1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#71c85f60, org.springframework.security.web.context.SecurityContextPersistenceFilter#3867025d, org.springframework.security.web.header.HeaderWriterFilter#1fe578f, org.springframework.security.web.authentication.logout.LogoutFilter#6bcc7bbf, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter#52f4e578, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#2a57cae0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#5966b20a, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#10e17172, org.springframework.security.web.session.SessionManagementFilter#440ed2d3, org.springframework.security.web.access.ExceptionTranslationFilter#76cc8ddc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor#72a6a42e]
2018-04-04 09:38:52,565 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher#1
2018-04-04 09:38:52,566 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,566 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,567 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter#3b9584b5, org.springframework.security.web.context.SecurityContextPersistenceFilter#2181d916, org.springframework.security.web.header.HeaderWriterFilter#5ed5886a, org.springframework.security.web.authentication.logout.LogoutFilter#74909e09, org.springframework.security.web.authentication.www.BasicAuthenticationFilter#5b76b0e4, org.springframework.security.web.savedrequest.RequestCacheAwareFilter#7c129fed, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#ef6dedd, org.springframework.security.web.authentication.AnonymousAuthenticationFilter#6c8179fb, org.springframework.security.web.session.SessionManagementFilter#4d36e557, org.springframework.security.web.access.ExceptionTranslationFilter#1868a4d7, org.springframework.security.web.access.intercept.FilterSecurityInterceptor#15c448ac]
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.OrRequestMatcher.matches(ln:65) - Trying to match using Ant [pattern='/metrics']
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches(ln:157) - Checking match of request : '/metrics'; against '/metrics'
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.OrRequestMatcher.matches(ln:68) - matched
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal(ln:201) - /metrics has an empty filter list
2018-04-04 09:41:57,195 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:54) - Token not found in headers. Trying request parameters.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:57) - Token not found in request parameters. Not an OAuth2 request.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter.doFilter(ln:141) - No token in request, will continue chain.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter.doFilter(ln:100) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.s.SessionManagementFilter.doFilter(ln:124) - Requested session ID A2BB697A35FC287599CE86AA715115CA is invalid.
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation(ln:219) - Secure object: FilterInvocation: URL: /customers; Attributes: [#oauth2.throwOnError(authenticated)]
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired(ln:348) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-04-04 09:41:57,205 [nio-8080-exec-5] DEBUG o.s.s.a.v.AffirmativeBased.decide(ln:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#794e8437, returned: -1
2018-04-04 09:41:57,207 [nio-8080-exec-5] DEBUG o.s.s.w.a.ExceptionTranslationFilter.handleSpringSecurityException(ln:173) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
The brute force way is to just explicitly secure your actuator endpoints in your WebSecurityConfigurerAdapter. Something like this should do it:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.and()
.httpBasic().disable()
.anonymous().disable()
.authorizeRequests().anyRequest().authenticated();
}
Have a look at this tutorial. Following on from that, you should be able to secure any endpoint with an appropriate matcher in the configuration.
I am using oauth2 with springboot 1.5.6.RELEASE and I am using jdbc authentication with oauth2.
I added the property: security.oauth2.resource.filter-order = 3
1- AuthorizationServerConfigurerAdapter:
#Configuration
#EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
#Autowired
#Qualifier("authenticationManagerBean")
#Lazy
private AuthenticationManager authenticationManager;
#Autowired
private Environment env;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
endpoints.authenticationManager(authenticationManager);
}
#Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource());
}
#Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource());
}
#Bean
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(env.getProperty("spring.datasource.driver-class-name"));
dataSource.setUrl(env.getProperty("spring.datasource.url"));
dataSource.setUsername(env.getProperty("spring.datasource.username"));
dataSource.setPassword(env.getProperty("spring.datasource.password"));
return dataSource;
}
}
2- ResourceServerConfigurerAdapter
#EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/ws/**").authorizeRequests().anyRequest().authenticated();
}
}
3- SecurityConfig
#Configuration
#EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private CustomAuthenticationSuccessHandler successHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/", "/registerCompany", "/registerEmployee", "/jobs", "/returnPassword", "/resetPassword",
"/faces/public/**", "/resources/**", "/template/**", "/faces/fonts/*",
"/faces/javax.faces.resource/**", "/ws/**", "/login", "/oauth/**", "/error")
.permitAll().antMatchers("/admin/**", "/faces/admin/**").hasAuthority("ROLE_ADMIN")
.antMatchers("/employeeProfile", "/employeeMainPage", "/employeeAskJob").hasAuthority("ROLE_EMPLOYEE")
.antMatchers("/companyProfile", "/companyMainPage", "/companyPostJob", "/companySearch",
"/branchProfile")
.hasAnyAuthority("ROLE_COMPANY,ROLE_BRANCH,ROLE_ADMIN").anyRequest().fullyAuthenticated().and()
.formLogin().loginPage("/login").permitAll().successHandler(successHandler).failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password").and().logout().deleteCookies("JSESSIONID")
.logoutUrl("/logout").deleteCookies("remember-me").logoutSuccessUrl("/").permitAll().and().rememberMe();
// http.sessionManagement().invalidSessionUrl("/login?invalidSession");
// cache resources
http.headers().addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
new AntPathRequestMatcher("/javax.faces.resource/**"), new HeaderWriter() {
#Override
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
response.addHeader("Cache-Control", "private, max-age=86400");
}
})).defaultsDisabled();
}
#Override
#Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(11);
}
}
I am trying to generate a token using postman with a post request to url http://localhost:8082/dawam2/oauth/token?grant_type=password
and I use basic authentication and set the username=myclient_id and password=myclient_secret. So the header (Authorization : Basic Basic bXljbGllbnRfaWQ6bXljbGllbnRfc2VjcmV0) was generated
and I set the header Content-Type: application/x-www-form-urlencoded; charset=utf-8.
The response I am getting instead of a generated token :
!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Not Found</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.0.M18</h3></body></html>
Here are the debugging info:
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - matched
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#1d47c7a
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/logout'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'POST /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'PUT /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'DELETE /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,834 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'myclient_id'
2017-09-26 15:32:16,834 DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-09-26 15:32:16,849 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#15d6aaa
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/token?grant_type=password; Attributes: [fullyAuthenticated]
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,851 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cb584, returned: 1
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2017-09-26 15:32:16,851 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,853 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,853 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token_key'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/check_token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/logout'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'PUT /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'DELETE /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /login
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-09-26 15:32:16,856 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
How can I fix this issue?
The issue was related to Jersey configuration, it was stealing requests from oauth2, i had to reconfigure it with #ApplicationPath("/ws")
so the configuration now looks like :
#Configuration
#ApplicationPath("/ws")
public class JerseyConfig extends ResourceConfig {
public JerseyConfig() {
register(DawamService.class);
}
}
and my webservice implementation class like :
#Component
#Path("/dawam")
public class DawamService extends DawamServiceBase {
#GET
#Produces({ MediaType.TEXT_HTML })
#Path("/test")
public String getHTML() {
System.out.println("##### Welcome to test webservice #########");
return "Welcome to test webservice";
}
}
I have the same problem and I can fixed it.
In my case the reason was in the following:
My servlet-mapping for dispather servlet in web.xml
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
It means the all http requests for access to your resources should be started with '/api' (ex. /api/user/2 or /api/login) even if #RequestMapping points as '/user/{id}' or /login. When you request a token by oauth2/token URL, spring or other filters handle it, but dispatcherServlet could not find any controller corresponding to your request and we have 404 error.
To resolve this, I just added the one method to endpoints in AuthorizationServerConfiguration class.
#Configuration
#EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
...
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.prefix("/api") //<---- PREFIX WAS ADDED
.userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager);
}
...
}
I think the
.pathMapping("/oauth/token", "/api/oauth/token")
code instead of .prefix("/api") also can resolve the problem.
It changes request for getting the tokens.
After made change I get the tokens by URL
/api/oauth/token
Of course I can mistake but it works for me. Thanks.
I am using spring security 4.1.1 and spring boot for authentication its working totally good. Now I started to implement remember me below is my configuration code
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
CustomAuthenticationProvider customAuthenticationProvider;
// UserDetailsService userDetailsService;
#Autowired
UserDetailsService userDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/", "/login", "/signup","/logout", "/loginProcess","/public/**","/forgotpassword","/forgot-password*","/isUserExists","/emailForgot","/verify-user*").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.rememberMe().key("tokenkey").rememberMeParameter("_spring_security_remember_me").rememberMeCookieName("myremembermecookie").tokenValiditySeconds(1209600).alwaysRemember(true).userDetailsService(userDetailsService)
.and()
.formLogin().loginPage("/login").loginProcessingUrl("/loginProcess").defaultSuccessUrl("/home")
.failureUrl("/login?error").usernameParameter("userName").passwordParameter("userPassword").permitAll()
.and().logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
.invalidateHttpSession(true).permitAll().and().headers().defaultsDisabled().cacheControl();
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
auth.userDetailsService(userDetailsService);
}
}
This is my custom authentication provider code
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider{
public static final Logger logger = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
#Autowired
WyzbeeGatewayService sdkService;
#Autowired
UserData userData;
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
logger.info("###############################################################################################");
logger.info(authentication.getName()+" "+authentication.getCredentials());
logger.info("###############################################################################################");
try {
final String userToken = sdkService.login(authentication.getName(), authentication.getCredentials().toString());
final LoginResponse responseValidate = sdkService.validateUser(authentication.getName(), authentication.getCredentials().toString());
userData.setUserTenantList(responseValidate.getUserTenantList());
List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
userData.setUserName(authentication.getName());
userData.setPasswrod(authentication.getCredentials().toString());
userData.setGrantedAuths(grantedAuths);
userData.setUserToken(userToken);
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(authentication.getName(), authentication.getCredentials().toString(), grantedAuths);
logger.info("checking for authentication "+usernamePasswordAuthenticationToken.isAuthenticated());
//UserDetails user = new User(authentication.getName(), authentication.getCredentials().toString(), true, true, true, true, grantedAuths);
//SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken("tokenkey", authentication.getName(), grantedAuths));
/* UserService userService = new UserService();
userService.setUserDetails(user);*/
return usernamePasswordAuthenticationToken;
} catch (final WyzbeeException e) {
throw new UsernameNotFoundException("Username " + authentication.getName() + " not found");
}
}
#Override
public boolean supports(Class<?> arg0) {
return true;
}
As I don't have direct access to the database we have a rest call for login and logout so I was not able to use directly UserDetailsServiceI used AuthenticationProvider to check the credentials but, spring document says if you want to use in-built remember me mechanisms we should have UserDetailsService so I implemented in this way
#Service
public class UserService implements UserDetailsService {
UserDetails user= null;
public static final Logger logger = LoggerFactory.getLogger(UserService.class);
#Autowired
WyzbeeGatewayService sdkService;
#Autowired
UserData userData;
#Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
/*logger.info("###############################################################################################");
logger.info("User Service "+userData.getUserName());
logger.info("###############################################################################################");*/
return new User(userData.getUserName(), userData.getPasswrod(), true, true, true, true, userData.getGrantedAuths());
}
public void setUserDetails(UserDetails user){
this.user = user;
}
}
The problem is the cookie is generating and storing in browser when I login for first time after login I am closing the browser without logout when I again access my URL it is again moving to login page. I dent mention anything in index.jsp just maintained to redirect to login page.
Debugged content
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/login'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/signup'
2016-09-27 11:51:24 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/logout'
2016-09-27 11:51:24 DEBUG DispatcherServlet:1000 - Successfully completed request
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/loginProcess'
2016-09-27 11:51:24 DEBUG ExceptionTranslationFilter:117 - Chain processed normally
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/style.css'; against '/public/**'
2016-09-27 11:51:24 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /public/css/style.css; Attributes: [permitAll]
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:104 - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#4954e173
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities
2016-09-27 11:51:24 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5de2ed51, returned: 1
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:243 - Authorization successful
2016-09-27 11:51:24 DEBUG FilterSecurityInterceptor:256 - RunAsManager did not change Authentication object
2016-09-27 11:51:24 DEBUG FilterChainProxy:310 - /public/css/style.css reached end of additional filter chain; proceeding with original chain
2016-09-27 11:51:24 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/virtual/public/css/style.css]
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:190 - Matching patterns for request [/public/css/style.css] are [/public/**, /**]
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:219 - URI Template variables for request [/public/css/style.css] are {}
2016-09-27 11:51:24 DEBUG SimpleUrlHandlerMapping:140 - Mapping [/public/css/style.css] to HandlerExecutionChain with handler [ResourceHttpRequestHandler [locations=[class path resource [static/public/]], resolvers=[org.springframework.web.servlet.resource.PathResourceResolver#1c026d4e]]] and 1 interceptor
2016-09-27 11:51:24 DEBUG DispatcherServlet:951 - Last-Modified value for [/virtual/public/css/style.css] is: -1
2016-09-27 11:51:24 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-09-27 11:51:24 DEBUG DispatcherServlet:1000 - Successfully completed request
2016-09-27 11:51:24 DEBUG ExceptionTranslationFilter:117 - Chain processed normally
2016-09-27 11:51:24 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:104 - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#634ebe6
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:114 - Bound request context to thread: org.apache.catalina.connector.RequestFacade#634ebe6
2016-09-27 11:51:24 DEBUG OrderedRequestContextFilter:114 - Bound request context to thread: org.apache.catalina.connector.RequestFacade#4954e173
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-27 11:51:24 DEBUG HttpSessionSecurityContextRepository:207 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#7a88a3ec: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG HttpSessionSecurityContextRepository:207 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#7a88a3ec: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/fonts/eau_sans_bold-webfont.woff'; against '/logout'
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'POST /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'PUT /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'DELETE /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:72 - No matches found
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/public/css/fonts/eau_sans_book-webfont.woff'; against '/logout'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_bold-webfont.woff' doesn't match 'POST /loginProcess
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'POST /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'PUT /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'DELETE /logout
2016-09-27 11:51:24 DEBUG OrRequestMatcher:72 - No matches found
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AntPathRequestMatcher:137 - Request 'GET /public/css/fonts/eau_sans_book-webfont.woff' doesn't match 'POST /loginProcess
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2016-09-27 11:51:24 DEBUG RememberMeAuthenticationFilter:154 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG RememberMeAuthenticationFilter:154 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_book-webfont.woff at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-27 11:51:24 DEBUG FilterChainProxy:325 - /public/css/fonts/eau_sans_bold-webfont.woff at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-27 11:51:24 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#7a88a3ec: Principal: swapnil1472; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3B315D5D7EF75385D93713710B62079C; Not granted any authorities'
How can I set up a custom login form to protect my /oauth/authorize endpoint in an Spring Boot Application that is both a Authorization and Resource Server? I want to achieve that a user has to log in to make requests to /oauth/authorize. All resources, that are not /login and /oauth/** should be handled as secured resources protected by OAuth (requiring a valid access token)
So when a user calls localhost:1234/oauth/authorize?client_id=client&response_type=token&redirect_uri=http://localhost:5678 he is first redirected to the login form and after successfully loggin in redirect to the /oauth/authorize endpoint where the implicit OAuth flow proceeds.
When I try the following it works, using the standard basic authentication popup window
#Configuration
#EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
#Override
public void configure(final ClientDetailsServiceConfigurer clients)
throws Exception {
clients.inMemory()
.withClient("client")
.authorizedGrantTypes("implicit", "refresh_token")
.scopes("read");
}
}
The Resource config
#Configuration
#EnableResourceServer
public class ResourceConfiguration
extends ResourceServerConfigurerAdapter
{
#Override
public void configure(final HttpSecurity http) throws Exception {
// #formatter:off
http.authorizeRequests().antMatchers("/login").permitAll().and()
.authorizeRequests().anyRequest().authenticated();
// #formatter:on
}
}
The Web Security config
#Configuration
public class WebSecurityConfiguration
extends WebSecurityConfigurerAdapter
{
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/oauth/authorize").authenticated().and()
.authorizeRequests().anyRequest().permitAll().and().httpBasic();
}
}
but as soon as I replace httpBasic() with the following it fails:
#Configuration
public class WebSecurityConfiguration
extends WebSecurityConfigurerAdapter
{
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/oauth/authorize").authenticated().and()
.authorizeRequests().anyRequest().permitAll().and().formLogin().loginPage("/login").and().csrf()
.disable();
}
}
and my POST from the login Page is not redirected, it always just returns to /login
The output from the console is as following
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/css/**'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/js/**'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/images/**'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/**/favicon.ico'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/error'
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth/token'
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token_key']
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth/token_key'
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/check_token']
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth/check_token'
o.s.s.web.util.matcher.OrRequestMatcher : No matches found
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher#5fe3eb5f
o.s.s.web.util.matcher.OrRequestMatcher : matched
o.s.security.web.FilterChainProxy : /login at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
o.s.security.web.FilterChainProxy : /login at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51c78264
o.s.security.web.FilterChainProxy : /login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
o.s.security.web.FilterChainProxy : /login at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
o.s.security.web.FilterChainProxy : /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.security.web.FilterChainProxy : /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.security.web.FilterChainProxy : /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BDCE2D7EA7252AEA2506633726B8BA19; Granted Authorities: ROLE_ANONYMOUS'
o.s.security.web.FilterChainProxy : /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
o.s.security.web.FilterChainProxy : /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.security.web.FilterChainProxy : /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /login; Attributes: [#oauth2.throwOnError(permitAll)]
o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BDCE2D7EA7252AEA2506633726B8BA19; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#bba9bfc, returned: 1
o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
o.s.security.web.FilterChainProxy : /login reached end of additional filter chain; proceeding with original chain
o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
Adding an #Order(-10) to the WebSecurityConfig resolves the issue. I think this annoation ensures that the WebSecurityConfig is used before the ResourceConfig. My final configuration looks like this:
#Configuration
#Order(-10)
public class WebSecurityConfig
extends WebSecurityConfigurerAdapter
{
#Autowired
private AuthenticationManager authenticationManager;
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
http.authorizeRequests().antMatchers("/oauth/authorize").authenticated()
.and()
.authorizeRequests().anyRequest().permitAll()
.and()
.formLogin().loginPage("/login").permitAll()
.and()
.csrf().disable();
// #formatter:on
}
}