
Spring Boot 1.3 OAuth2 SSO: return 401 instead of redirect to authorization server

With Spring Boot 1.3 there is an autoconfiguration for OAuth2 in Spring Boot.

There is a Spring guide which provides a few nice examples, but I want to achieve a different solution. My problem is based on the provided click example. I want to be redirected to the authorization server after visiting the "/login" endpoint. If I request a protected resource without authentication I want to get a 401 (Unauthorized) instead of an instant redirect (302) to the authorization URI.

This is the Java code of the click example:

import java.security.Principal;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableOAuth2Sso
@RestController
public class SocialApplication extends WebSecurityConfigurerAdapter {

  // Returns the authenticated user; unauthenticated callers never reach this method.
  @RequestMapping("/user")
  public Principal user(Principal principal) {
    return principal;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**")
        .authorizeRequests()
        // Landing page, the login entry point and static webjars stay public.
        .antMatchers("/", "/login**", "/webjars/**")
        .permitAll()
        // Everything else requires an authenticated session.
        .anyRequest()
        .authenticated();
  }

  public static void main(String[] args) {
    SpringApplication.run(SocialApplication.class, args);
  }

}

I tried adding a custom AuthenticationEntryPoint but it seems that this is just ignored :(

What I tried:

  // Replaces the configure(...) override in the SocialApplication class above.
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**")
        .authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        // Intended to answer unauthenticated requests with 401 instead of a redirect.
        .authenticationEntryPoint(new Http401AuthenticationEntryPoint("Session realm=\"JSESSIONID\""));
  }

The full source code of the click example can be found on GitHub.

Is it possible to achieve a 401 instead of the redirect?

Until spring-boot 1.3.0 it was impossible to do so due to an issue in the order of applying custom configurers when using this combination (see #4629 for further resolution).

Starting with spring-boot 1.3.1 the request header X-Requested-With: XMLHttpRequest signals that the caller prefers a 401 Unauthorized over a 302 Found.
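The following is an added example, not code from the question, the answer or the Spring guide. It spells out the header-based decision the answer describes as an explicit configuration, so the two code paths are visible: a caller sending X-Requested-With: XMLHttpRequest receives a 401 with a WWW-Authenticate header, every other caller is sent to /login, where @EnableOAuth2Sso starts the redirect to the authorization server. It assumes spring-boot 1.3.1 or later (where, per the answer, the custom entry point is no longer ignored) and the Spring Boot 1.3.x / Spring Security 4.0.x package names shown in the imports; the class name AjaxAwareSsoApplication is invented for the example.

```java
import java.util.LinkedHashMap;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (hypothetical class name): makes the XHR-vs-browser decision explicit.
@SpringBootApplication
@EnableOAuth2Sso
public class AjaxAwareSsoApplication extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**")
        .authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        // Decide per request how an unauthenticated access is answered.
        .authenticationEntryPoint(ajaxAwareEntryPoint());
  }

  private AuthenticationEntryPoint ajaxAwareEntryPoint() {
    LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
    // XHR/API callers cannot meaningfully follow a redirect to the authorization
    // server, so they get 401 plus a WWW-Authenticate header and can react themselves.
    entryPoints.put(new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"),
        new Http401AuthenticationEntryPoint("Session realm=\"JSESSIONID\""));
    DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
    // Browsers are sent to /login; the SSO filter bound there issues the 302 to the
    // authorization server, so the redirect still only happens on an explicit login.
    delegating.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
    return delegating;
  }

  public static void main(String[] args) {
    SpringApplication.run(AjaxAwareSsoApplication.class, args);
  }
}
```

Two things worth checking in a real deployment: the matcher compares the header value exactly, so a JavaScript client has to send XMLHttpRequest with that spelling, and because the choice is driven by a request header rather than the session, a protected resource fetched directly in the address bar will still redirect, which is the browser behaviour the answer describes.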
