具有自定义身份验证提供程序的 OAUTH2 用户服务

Question

. Answers to this question are eligible for a +100 reputation bounty. Joy is looking for an .

I am new to Spring Security and Oauth2. In my spring boot application, I have implemented authentication with Oauth2 with following set of changes:

Custom Ouath2 User service is as follows:

  @Component
  public class CustomOAuth2UserService extends DefaultOAuth2UserService {

     private UserRepository userRepository;

     @Autowired
     public void setUserRepository(UserRepository userRepository) {
        this.userRepository = userRepository;
     }

    public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
        ...
    }
 }

Security Configuration is as follows:

@EnableWebSecurity
@Import(SecurityProblemSupport.class)
@ConditionalOnProperty(
        value = "myapp.authentication.type",
        havingValue = "oauth",
        matchIfMissing = true
)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  private final CustomOAuth2UserService customOAuth2UserService;
    
  public SecurityConfiguration(CustomOAuth2UserService customOAuth2UserService) {
    this.customOAuth2UserService = customOAuth2UserService;
  }

  @Override
  public void configure(WebSecurity web) {
    web.ignoring()
        .antMatchers(HttpMethod.OPTIONS, "/**")
        .antMatchers("/app/**/*.{js,html}")
        .antMatchers("/bundle.js")
        .antMatchers("/slds-icons/**")
        .antMatchers("/assets/**")
        .antMatchers("/i18n/**")
        .antMatchers("/content/**")
        .antMatchers("/swagger-ui/**")
        .antMatchers("/swagger-resources")
        .antMatchers("/v2/api-docs")
        .antMatchers("/api/redirectToHome")
        .antMatchers("/test/**");
  }

  public void configure(HttpSecurity http) throws Exception {
    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
      private RegexRequestMatcher requestMatcher =
          new RegexRequestMatcher("/api/", null);

      @Override
      public boolean matches(HttpServletRequest request) {
        return requestMatcher.matches(request);
      }
    };

    http.csrf()
        .requireCsrfProtectionMatcher(csrfRequestMatcher)
        .and()
        .authorizeRequests()
        .antMatchers("/login**").permitAll()
        .antMatchers("/manage/**").permitAll()
        .antMatchers("/api/auth-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/info").permitAll()
        .antMatchers("/management/prometheus").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .anyRequest().authenticated()//.and().oauth2ResourceServer().jwt()
        .and()
        .oauth2Login()
        .redirectionEndpoint()
        .baseUri("/oauth2**")
        .and()
        .failureUrl("/api/redirectToHome")
        .userInfoEndpoint().userService(oauth2UserService())
    ;
    http.cors().disable();
  }


  private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
    return customOAuth2UserService;
  }
}

Content of application.properties is as follows:

spring.security.oauth2.client.registration.keycloak.client-id=abcd
spring.security.oauth2.client.registration.keycloak.client-name=Auth Server
spring.security.oauth2.client.registration.keycloak.scope=api
spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.client-authentication-method=basic
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
myapp.oauth2.path=https://internal.authprovider.com/oauth2/
spring.security.oauth2.client.provider.keycloak.token-uri=${myapp.oauth2.path}token
spring.security.oauth2.client.provider.keycloak.authorization-uri=${myapp.oauth2.path}authorize
spring.security.oauth2.client.provider.keycloak.user-info-uri=${myapp.oauth2.path}userinfo
spring.security.oauth2.client.provider.keycloak.user-name-attribute=name
myapp.authentication.type=oauth

Now, with the existing authentication mechanism, I would like to add support for multiple authentication providers: LDAP, Form-Login, etc.

In this regard, I have gone through a few articles:

1. https://www.baeldung.com/spring-security-multiple-auth-providers
2. Custom Authentication provider with Spring Security and Java Config

But, I am not getting any concrete idea regarding what changes should I do in the existing code base in order to achieve this.

Could anyone please help here? Thanks.

Answer 1

I've created a simplified setup starting from your code with support for both OAuth2 and Basic Auth.

/basic/** will start a basic authentication. /** (everything else) triggers an OAuth2 Authorization Code authentication.

The key to achieve this is to have one @Configuration class per authentication type.

Let's start with the controllers:

BasicHomeController

@Controller
public class BasicHomeController {

    @GetMapping("/basic/home")
    public @ResponseBody String home() {
        return "basichome";
    }

}

RestHomeController

@RestController
public class RestHomeController {

    @GetMapping("/api/home")
    public String home() {
        return "home";
    }

}

Now, the configuration classes:

OAuth2SecurityConfiguration

@Configuration
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/login**").permitAll()
                .antMatchers("/manage/**").permitAll()
                .antMatchers("/api/auth-info").permitAll()
                .antMatchers("/api/**").authenticated()
                .antMatchers("/management/health").permitAll()
                .antMatchers("/management/info").permitAll()
                .antMatchers("/management/prometheus").permitAll()
                .antMatchers("/management/**").hasAuthority("ADMIN")
                .antMatchers("/api/**").authenticated()
                .and()
                .oauth2Login()
                .and()
                .cors()
                .disable();
    }
}

BasicSecurityConfiguration (Notice the @Order(90) , that's important

@Order(90)
@Configuration
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(new AntPathRequestMatcher("/basic/**"))
                .csrf()
                .disable()
                .authorizeRequests()
                .antMatchers("/basic/**").hasAuthority("BASIC_USER")
                .and()
                .httpBasic();
        http.cors().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user")
                .password("{noop}password")
                .roles("BASIC_USER");
    }
}

Finally the configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: myclient
            client-secret: c6dce03e-ea13-4b76-8aab-c876f5c2c1d9
        provider:
          keycloak:
            issuer-uri: http://localhost:8180/auth/realms/myrealm

With this in place, if we hit http://localhost:8080/basic/home , will be prompted with the basic auth popup:

Trying with http://localhost:8080/api/home sends you to Keycloak's login form: