Spring Boot - OAuth2 - All requests are being forbidden

Question

I have a spring boot application which enables REST with OAuth (both Application & Resource server).

MyApplication.java

@SpringBootApplication
@EnableResourceServer
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

OAuthConfig.java

@Configuration
@EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    private TokenStore tokenStore = new InMemoryTokenStore();
    @Autowired
    private AuthenticationManager authenticationManager;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
        configurer.tokenStore(tokenStore);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
        .inMemory()
        .withClient("app")
        .secret("secret")
        .accessTokenValiditySeconds(120)
        .refreshTokenValiditySeconds(600)
        .scopes("read", "write")
        .authorizedGrantTypes("password", "refresh_token")
        .resourceIds("resources");
    }
}

SimpleCorsFilter.java

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
        .ignoring()
        .antMatchers("/signup");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}

TestController.java

@RestController
public class TestController {
    @Autowired
    private PanelService testService;

    @PostMapping("/test")
    public Panel getTest() throws Exception {
        return testService.get();
    }
}

I am successfully able to generate the token and also able to get a new token by calling the refresh_token using the above setup. The problem is that, my rest calls are also returning data irrespective of ouath token being passed or not. /test always returns data with or without the token.

I also tried different options in HTTP security. The below one always throws Forbidden even though I use a valid token.

http.csrf().disable();
.authorizeRequests()
.antMatchers("/signup").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.httpBasic();

What am I doing wrong?

Answer 1

I am answering my own question to help all those who are facing a similar problem.

Set the following property in application.properties file

security.oauth2.resource.filter-order=3

• SpringBoot 1.5.x + Security + OAuth2

• Setting Spring boot actuator with oAuth2 in the Authorisation server

• Authentication is not working in spring boot 1.5.2 and Oauth2

Also in WebSecurityConfigurerAdapter add the following lines in configuring HttpSecurity (I am not sure how this piece of code made it work - I am still investigating)

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    ...
}

The above code is referenced in the below two examples (refer the GitHub code)

https://medium.com/@nydiarra/secure-a-spring-boot-rest-api-with-json-web-token-reference-to-angular-integration-e57a25806c50

http://www.svlada.com/jwt-token-authentication-with-spring-boot/