Develop Reference

isAuthenticated annotation does not prevent access

I have a following controller:
#RestController
#RequestMapping("/payments")
public class PaymentController {
#Autowired
PaymentService paymentService;
#Autowired
private Environment env;
#PostMapping("/create")
#PreAuthorize("isAuthenticated()")
public ResponseEntity<String> create(#Valid #RequestBody DownPayment downpayment) {
Customer customer;
Charge charge;
User user = new User();
............
}
}
WebSecurity config:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
I want to use preAuthorize annotation (method level) instead of http security. The payments/create endpoint is publicly accessible which works without throwing any unauthorised error.

Set a breakpoint and check what is contained in the SecurityContextHolder, e.g. like that: SecurityContextHolder.getContext().getAuthentication(). I suggest you add what is contained in the SecurityContextHolder to your question so that people can help you better.
My assumption is that you have anonymous access enabled, which means that an anonymous authentication object is placed in the SecurityContextHolder if no other authentication was set (e.g. by a AuthenticationTokenFilter). Spring detects this as an authentication, so that the access to your API is not prevented by the #PreAuthorize("isAuthenticated()") annotation. Generally you should consider if it might not be better to use role-based access rules, as these are more fine-granular.
You can disable anonymous access as follows:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
.csrf().disable();
}

Spring Boot Security - How to disable security for Swagger UI

I have an application with only REST endpoints. I have enabled oauth2 token security via:
#Configuration
#EnableAuthorizationServer
public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("xxx").secret("xxx").accessTokenValiditySeconds(3600)
.authorizedGrantTypes("client_credentials")
.scopes("xxx", "xxx")
.and()
.withClient("xxx").secret("xxx").accessTokenValiditySeconds(3600)
.authorizedGrantTypes("password", "refresh_token")
.scopes("xxx", "xxx");
}
}
Now if I try to access any of my endpoints I get 401 Unauthorized, and I first have to get the access_token via the /oauth/token?grant_type=client_credentials or /oauth/token?grant_type=password calls. The REST endpoints work as expected if I add the proper Authorization header with the token returned in previous call.
However, I am unable to access the swagger-ui page. I have enabled swagger via:
#Configuration
#EnableSwagger2
public class SwaggerConfig {
#Bean
public Docket productApi() {
return new Docket(DocumentationType.SWAGGER_2)
.select().apis(RequestHandlerSelectors.basePackage("com.xxx"))
.paths(PathSelectors.regex("/xxx/.*"))
.build();
}
}
If I go to localhost:8080/swagger-ui.html I get:
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
So I added the following to be able to access Swagger:
#Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/swagger-ui.html")
.antMatchers("/webjars/springfox-swagger-ui/**")
.antMatchers("/swagger-resources/**")
.antMatchers("/v2/api-docs");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
And in #EnableWebMvc class I added:
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui.html")
.addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
Now I can access the Swagger UI page, but my security for the REST endpoints is messed up. By that I mean, the client_credentials endpoints no longer require a token, and the password endpoints give a 403 Forbidden no matter what I do.
I think my approach is wrong but I don't know what. Basically I want:
Oauth token security on all my REST endpoints (beginning with /api/* for example)
Swagger UI page should be accessible
The endpoints on the swagger page should have a way to specify the access_token
How do I achieve this?

This is how I fixed it. I removed the class that extends WebSecurityConfigurerAdapter (see above) and replaced with this:
#Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/xxx/**").authenticated();
http.authorizeRequests().anyRequest().permitAll();
http.csrf().disable();
}
}
To enable token authentication on the swagger page I followed this tutorial: http://www.baeldung.com/swagger-2-documentation-for-spring-rest-api

How to disable csrf in spring security for only localhost?

I have working spring boot application in which csrf is enabled but now I want to disable it only for localhost. any request from other domain must underpass csrf security but for localhost, I want to disable it. how can I achieve that?
I know how to disable it by changing
#Configuration
#EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf.disable();
}
}
the above code disabled csrf but I want to disable csrf for the only localhost.
Can you please help me?
EDIT: I know how to do it by two profile. Thanks #daren for your detailed answer.

You could use Spring Profiles to achieve what you are looking to do.
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-profiles.html
At it's simplest you could have two configurations
#Configuration
#EnableWebMvcSecurity
#Profile("!deployed") //Not(!) deployed profile
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf.disable();
}
}
And in deployed regions active the deployed profile.
#Configuration
#EnableWebMvcSecurity
#Profile("deployed")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf.enable();
}
}
Depending on what security configuration you are doing you could do the inverse of this and active a local profile by default which would do the disabling.

You can use the CsrfConfigurer#requireCsrfProtectionMatcher method and use a RequestMatcher which checks the request local vs remote address e.g.
private RequestMatcher csrfProtectionMatcher() {
final Set<String> allowedMethods = ImmutableSet.of("GET", "HEAD", "TRACE", "OPTIONS");
return request -> !allowedMethods.contains(request.getMethod()) && !(request.getLocalAddr().equals(request.getRemoteAddr()));
}

Spring ResourceServer using RemoteTokenServices with uri to check access_token

I have a configuration that enables web security and resource server as below
#EnableWebSecurity
#EnableResourceServer
public class SpringSecurityConfiguration extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
}
}
I also added the following properties
security.oauth2.resource.user-info-uri: http://localhost:9090/oauth2/tokeninfo
security.oauth2.resource.token-info-uri: http://localhost:9090/oauth2/tokeninfo
But somehow the authentication manager in the created OAuth2AuthenticationProcessingFilter uses the DefaultTokenServices to loadAuthentication. How can I let it use the RemoteTokenServices by calling the uri I provided in the configuration to check the access_token sent by the client.

Add OAuth2 to existing Spring Security App

I have a web application which runs with following configuration.
public class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**")
.authorizeRequests()
.antMatchers("/api/open/**").permitAll()
.antMatchers("/api/data/**").authenticated()
.antMatchers("/api/user/**").hasRole("USER")
.antMatchers("/api/mgr/**").hasRole("MGR")
.antMatchers("/api/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and() .exceptionHandling().accessDeniedHandler(customBasicAuthenticationAccessDeniedHandler())
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable() //TODO
.httpBasic().authenticationEntryPoint(customBasicAuthenticationEntryPoint());
}
...
}
I then added,
#Configuration
#EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
...
}
and
#Configuration
#EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
//Same as WebSecurityConfigurerAdapter configure()
...
}
Because of ResourceServerConfig class now everything has crewed up. Tried various ways to configure this. But it seems ResourceServerConfigurerAdapter behave completely different than WebSecurityConfigurerAdapter, but I don't have a single clue to get this to work.
Do I need to remove WebSecurityConfigurerAdapter and keep only ResourceServerConfigurerAdapter? Did that, but configure(HttpSecurity) behave differently than I thought.
Also some stackoverflow answers recommended to change the #Order of the WebSecurityConfigurerAdapter. But nothing works.
I need to know actually what is wrong and what is correct first, than writing a code.
Appreciate very very much if someone point me a right direction.
Thanks!

By sharing this, I am only intending to be helpful, not answer your query. I know documentation is not that good. Just sharing my 2 cents.
This is what worked for me. Using Spring-security-Oauth2 version 2.0.7
#EnableWebSecurity
public class SampleMultiHttpSecurityConfig {
#Configuration
#Order(1)
public static class ComplexOauth2SpringSecurityConfiguration extends
WebSecurityConfigurerAdapter {
#Autowired
private OAuth2AuthenticationProcessingFilter oAuth2AuthenticationProcessingFilter;
#Autowired
private OAuth2AuthenticationManager oAuth2AuthenticationManager;
#Override
protected void configure(HttpSecurity http) throws Exception {
...
}
}
#Configuration
public static class ComplexOauth2SpringSecurityConfiguration2 extends
WebSecurityConfigurerAdapter {
#Autowired
private OAuth2AuthenticationProcessingFilter oAuth2AuthenticationProcessingFilter;
#Autowired
private OAuth2AuthenticationManager oAuth2AuthenticationManager;
#Override
protected void configure(HttpSecurity http) throws Exception {
...
}
}
Thereafter, I simply added a component:scan on the package which is having this class.
This is primarily on the server side.
Also, note the injection of OAuth2AuthenticationProcessingFilter. This is based on RemoteTokenServices whose one of many jobs is to perform Token Validation with Authorization server.
<bean id="remoteTokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
init-method="init" destroy-method="shutdown">
<property name="checkTokenEndpointUrl" value"..."/>
</bean>
I do agree that I did not implement resource server and Authorization server. They were already built for us. However, while testing we simply created couple of REST POST services to simulate the Token generation and Validation.