
Spring Boot Security with Basic Auth and OAuth Order Issue

I'm trying to implement a simple Spring Boot project. I have several REST endpoints which I have to secure differently. One has to be secured by Basic Auth, another one with OAuth, and one with a custom security implementation.

REST-Endpoints:

  • /basic/auth
  • /application/secure (oauth)
  • /application/secure2 (own implementation)

From tutorials, I know I have to set the order of the security adapters. My first intention was to set the order in steps of ten (e.g. @Order(10), @Order(20)) in case I need to add other security filters in between. By doing so I observed the following behavior:

  • If I add the basic auth filter with @Order(10) and an OAuth filter with @Order(20), only the OAuth filter works.
  • If I add the basic auth filter with @Order(1) or @Order(2) and an OAuth filter with @Order(4), both filters work.
  • If I add a filter with @Order(3), I receive an error which says that order 3 is already in use and cannot be configured twice.

So there is a default Spring Security adapter (or whatever) which has the default order 3. I thought I had disabled every default Spring Security behavior by adding @EnableWebSecurity. Since I could not find an answer on Google, my questions are:

  • Am I doing the right things?
  • What is this security adapter with order 3 by spring?
  • Does the default security adapter block my basic auth implementation?

WebSecurityConfig:

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig {

        // Nested @Configuration classes must be static; Spring cannot instantiate
        // a non-static inner configuration class.
        @Order(10)
        @Configuration
        public static class BasicAuthConfig extends WebSecurityConfigurerAdapter {
            @Value("${security.user.password}")
            private String password;
            @Value("${security.user.name}")
            private String username;

            private static final String ROLE_ADMIN = "ADMIN";

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                // Spring Boot 1.x style; Spring Security 5 would require a
                // PasswordEncoder or a "{noop}" prefix on the password.
                auth.inMemoryAuthentication().withUser(username).password(password).roles(ROLE_ADMIN);
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.csrf().disable();
                // requestMatchers() scopes this whole filter chain to /basic/** and /
                http.requestMatchers().antMatchers("/basic/**", "/") //
                        .and().authorizeRequests().anyRequest().authenticated() //
                        .and().httpBasic();
            }
        }

        // Note: this @Order applies to the configurer bean, not to the filter
        // chain; the chain registered by @EnableResourceServer keeps the order
        // set by ResourceServerConfiguration.
        @Order(20)
        @Configuration
        @EnableResourceServer
        @EnableGlobalMethodSecurity(prePostEnabled = true)
        protected static class Oauth2ServerConfig extends ResourceServerConfigurerAdapter {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                System.out.println("Filter called");
                // @formatter:off
                http.csrf().disable();
                http.authorizeRequests().antMatchers("/application/**").authenticated()
                        // .antMatchers(GET, "/application/secure").authenticated()
                        .anyRequest().authenticated();
                // @formatter:on
            }

            // offline token validator
        }
    }

This is an old question, but if anyone is still wondering what the issue is, here are my observations:

  • @EnableResourceServer imports ResourceServerConfiguration , which has an order of 3.
  • There are ways that may allow you to add more than 2 filters before the order 3 resource server configurer, for instance
    • by giving some of them negative order values (although I don't suppose negative values are special in any way, one would need to take into account other implicit web security configurers -- for instance the one with order 0 -- that are enabled by default. This, however, means there is a possibility of collision between filters across framework versions as new features are introduced);
    • by adding them as resource configurers (the ResourceServerConfiguration class does not add any request matchers, but enforces a fallback to anyRequest().authenticated() if the user has not configured anything).
  • For a better understanding of how paths are matched in the configured request matchers, you can take a quick glance at Ant path patterns.
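One way to lay out the chains so that the order and scope of each are explicit, as an added example rather than code from the question or the answer above. It assumes Spring Boot 1.x with spring-security-oauth2 (the setup the question's adapters imply); the class names, the placeholder user and the resource id "application" are made up. The point it illustrates follows from the answer: FilterChainProxy hands each request to the first SecurityFilterChain whose request matcher matches, and since the order-3 resource server chain has no request matcher of its own, a chain placed at order 10 or 20 sits behind a catch-all and never sees a request. Two changes address that: the basic auth chain moves to order 1 and restricts itself to /basic/** with requestMatchers(), and the resource server chain restricts itself to /application/** so it stops swallowing everything else. Order 2 is left free for the custom scheme.

```java
package example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Added example, not the poster's code. Two explicitly scoped filter chains:
 * order 1 for HTTP Basic on /basic/**, order 3 (fixed by
 * ResourceServerConfiguration) for OAuth on /application/**.
 */
@Configuration
@EnableWebSecurity
public class OrderedSecurityConfig {

    /** Order 1: evaluated before the order-3 resource server chain. */
    @Order(1)
    @Configuration
    public static class BasicAuthChain extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Placeholder credentials (assumption); read them from configuration
            // in practice. Spring Security 5 would need a PasswordEncoder or a
            // "{noop}" prefix here.
            auth.inMemoryAuthentication()
                .withUser("admin").password("change-me").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // requestMatchers() scopes the whole chain: a request that does not
            // start with /basic/ skips this chain instead of being answered
            // with a 401 by httpBasic(). Order 2 stays free for the custom
            // scheme, scoped the same way to /application/secure2.
            http.requestMatchers().antMatchers("/basic/**")
                .and().authorizeRequests().anyRequest().hasRole("ADMIN")
                .and().httpBasic()
                .and().csrf().disable();
        }
    }

    /**
     * Order 3, fixed by ResourceServerConfiguration: an @Order on this class
     * would not move the chain. Scoping it to /application/** removes the
     * anyRequest() catch-all behaviour the answer describes, so chains placed
     * after order 3 can still be reached.
     */
    @Configuration
    @EnableResourceServer
    public static class OAuthChain extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId("application"); // assumed resource id
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // ResourceServerConfiguration already disables CSRF and makes the
            // session stateless; only the scope and the rule are added here.
            http.requestMatchers().antMatchers("/application/**")
                .and().authorizeRequests().anyRequest().authenticated();
        }
    }
}
```

To confirm the layout at runtime, set `logging.level.org.springframework.security=DEBUG`: FilterChainProxy then logs, per request, the filters it fires, so a GET /basic/auth should show BasicAuthenticationFilter and a GET /application/secure should show OAuth2AuthenticationProcessingFilter. If a request reaches the wrong chain, the fix is almost always a missing or too-broad requestMatchers() on an earlier chain, not a different @Order value.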
