martin samm

Reputation: 137

Spring OAuth Filter Chain & Java Config

I'm trying to add in spring-security-oauth to an existing app with spring-security. I'm using Java config.

I have an existing amended filter chain in place (with some custom filters added in) but requests to '/oauth/token' aren't using it, but are using the 'default' filter chain. How can I get access to the filter chain that's securing the oauth endpoints so that I can use the custom filters there also, or can I wire in the OAuth endpoint(s) into the existing setup?

Upvotes: 6

Views: 4014

Answers (2)

Fencer

Reputation: 1078

There is indeed a slightly smoother way using the interface AuthorizationServerConfigurer. You can stick to the annotation @EnableAuthorizationServer and implement the above interface in your configuration file. This will enable you to alter the oauth2 filter chain by doing something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableWebSecurity
@EnableAuthorizationServer
public class SecurityConfig extends WebSecurityConfigurerAdapter
        implements AuthorizationServerConfigurer {
    // some configuration ...

    // hook into the filter chain that @EnableAuthorizationServer builds for the OAuth endpoints
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthSecurity) throws Exception {
        oauthSecurity.addTokenEndpointAuthenticationFilter(new YourFilter());
    }

    // more configuration ... (the interface's other two configure(...) methods go here)
}

In contrast to the addFilterXYZ methods of HttpSecurity you have no fine-grained influence here on where the filter will be positioned in the filter chain. Any filter added by addTokenEndpointAuthenticationFilter will be inserted before the BasicAuthenticationFilter.

If you need to control the position of your filter in a more detailed way you could create a bean extending AuthorizationServerConfigurerAdapter instead of using the annotation @EnableAuthorizationServer. I did not try that but I guess you could then extend AuthorizationServerSecurityConfiguration like systemfreund suggested without having to specify @Order(-1) because only your custom configuration gets imported. Probably you would also have to @Import AuthorizationServerEndpointsConfiguration like it is done in the convenience annotation @EnableAuthorizationServer.

Upvotes: 5
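To make the answer above concrete, here is a complete Java config that does what the question asks for: one custom filter registered on the application's own chain with addFilterBefore and on the OAuth chain with addTokenEndpointAuthenticationFilter. This is an added example, not code from the question or either answer; the class names OAuthSecurityConfig and TokenEndpointAuditFilter, the in-memory user and client, and the logger wiring are assumptions, while the Spring Security / spring-security-oauth2 2.x APIs are the ones the answer names. It assumes Spring Security 4 password handling (Spring Security 5 needs a "{noop}" prefix or a PasswordEncoder for the plain-text secrets).

```java
// Added example (not the question's or the answers' code). Assumptions: class names,
// the demo user/client, java.util.logging, Spring Security 4 + spring-security-oauth2 2.x.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical audit filter: records who asked for what and which grant, never the credentials. */
class TokenEndpointAuditFilter extends OncePerRequestFilter {
    private static final Logger LOG = Logger.getLogger(TokenEndpointAuditFilter.class.getName());

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // grant_type and client_id are safe to log; client_secret, password and code are not.
        LOG.info(String.format("request from %s to %s grant_type=%s client_id=%s",
                request.getRemoteAddr(), request.getRequestURI(),
                request.getParameter("grant_type"), request.getParameter("client_id")));
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
@EnableAuthorizationServer
public class OAuthSecurityConfig extends WebSecurityConfigurerAdapter
        implements AuthorizationServerConfigurer {

    // One filter instance, registered on both filter chains below.
    private final TokenEndpointAuditFilter auditFilter = new TokenEndpointAuditFilter();

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // lets the token endpoint run the password grant
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo user; a real app wires its UserDetailsService here.
        auth.inMemoryAuthentication().withUser("alice").password("alice-pw").roles("USER");
    }

    // Application chain (default order): every URL except the OAuth endpoints.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and().addFilterBefore(auditFilter, BasicAuthenticationFilter.class);
    }

    // Chain built by @EnableAuthorizationServer for /oauth/token, /oauth/token_key, /oauth/check_token.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.sslOnly(); // token requests carry client credentials, so refuse plain HTTP
        security.addTokenEndpointAuthenticationFilter(auditFilter); // inserted before BasicAuthenticationFilter
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("demo-client").secret("demo-secret") // constructed demo client
            .authorizedGrantTypes("password", "client_credentials")
            .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManagerBean());
    }
}
```

To check the wiring, start the app and POST to /oauth/token with the demo client's HTTP Basic credentials and grant_type=client_credentials, then GET any other URL as alice: both requests produce an audit line, the first through the OAuth chain and the second through the application chain. The two chains are separate objects, which is why the filter has to be registered on each; the logged fields are deliberately limited to grant_type and client_id because the token endpoint also receives secrets in the same request body.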

systemfreund

Reputation: 551

It's probably not the best way to do it, but I did not manage to find a better approach. The idea is to provide a custom AuthorizationServerSecurityConfiguration instance and override the default instance which is @Imported via @EnableAuthorizationServer. We just need to make sure to add an @Order annotation with higher precedence than the default configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@EnableAuthorizationServer
@Import(CustomSecurityConfig.class)
public class Application {
}

@Configuration
@Order(-1) // wins over the default AuthorizationServerSecurityConfiguration imported by @EnableAuthorizationServer
public class CustomSecurityConfig extends AuthorizationServerSecurityConfiguration {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // do the default configuration first

        http
            .addFilterBefore(new MyFilter(), ...); // ... = the existing filter class to insert MyFilter before
    }

}

Upvotes: 2
