I have a spring boot application which enables REST with OAuth (both Application & Resource server).
MyApplication.java
@SpringBootApplication
@EnableResourceServer
public class MyApplication {
public static void main(String[] args) {
SpringApplication.run(MyApplication.class, args);
}
}
OAuthConfig.java
@Configuration
@EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
private TokenStore tokenStore = new InMemoryTokenStore();
@Autowired
private AuthenticationManager authenticationManager;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
configurer.authenticationManager(authenticationManager);
configurer.userDetailsService(userDetailsService);
configurer.tokenStore(tokenStore);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("app")
.secret("secret")
.accessTokenValiditySeconds(120)
.refreshTokenValiditySeconds(600)
.scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token")
.resourceIds("resources");
}
}
SimpleCorsFilter.java
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
public SimpleCorsFilter() {
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
WebSecurityConfig.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/signup");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
TestController.java
@RestController
public class TestController {
@Autowired
private PanelService testService;
@PostMapping("/test")
public Panel getTest() throws Exception {
return testService.get();
}
}
I am successfully able to generate the token and also able to get a new token by calling the refresh_token using the above setup. The problem is that, my rest calls are also returning data irrespective of ouath token being passed or not. /test
always returns data with or without the token.
I also tried different options in HTTP security. The below one always throws Forbidden even though I use a valid token.
http.csrf().disable();
.authorizeRequests()
.antMatchers("/signup").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.httpBasic();
What am I doing wrong?
I am answering my own question to help all those who are facing a similar problem.
Set the following property in application.properties file
security.oauth2.resource.filter-order=3
Setting Spring boot actuator with oAuth2 in the Authorisation server
Authentication is not working in spring boot 1.5.2 and Oauth2
Also in WebSecurityConfigurerAdapter add the following lines in configuring HttpSecurity (I am not sure how this piece of code made it work - I am still investigating)
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
...
}
The above code is referenced in the below two examples (refer the GitHub code)
http://www.svlada.com/jwt-token-authentication-with-spring-boot/
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.