Reputation: 121
Basically I cannot get spring-boot oauth2 integration to work with spring-session.
I created an issue in spring-boot's issue tracker: https://github.com/spring-projects/spring-boot/issues/4360
I made a repo to demonstrate this problem
https://github.com/sloppycoder/spring-session-oauth-problem
there're 2 modules:
mvn
the server will be at http://localhost:19999/uaa
mvn
will start the app on http://localhost:8080

My sso logout logic works like this:
However, after I bring in spring-session, step #5 is not happening: the browser goes directly to web-app /dashboard.
Make sure you start your local redis daemon before running the sos-spring-session branch.
I created 2 branches to show the different behavior:
github compare shows the difference.
I'd appreciate any advice and suggestions on how to solve this.
Upvotes: 1
Views: 1118
Reputation: 1263
I had a similar problem on spring-boot 1.3.0.RC1 with spring-session and redis.
It may work if you change the filter order to
`'requestContextFilter' < 'OAuth2ClientContextFilter' < 'springSessionRepositoryFilter'`
```java
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.embedded.FilterRegistrationBean; // Spring Boot 1.3 package
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.SessionRepositoryFilter;
import org.springframework.web.filter.RequestContextFilter;

@Configuration
public class FilterOrderConfig { // class name is arbitrary

    @Bean
    @ConditionalOnMissingBean(RequestContextFilter.class)
    public RequestContextFilter requestContextFilter() {
        return new RequestContextFilter();
    }

    @Bean
    public FilterRegistrationBean requestContextFilterChainRegistration(
            @Qualifier("requestContextFilter") Filter securityFilter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
        registration.setName("requestContextFilter");
        // note: must run before OAuth2ClientContextFilter
        registration.setOrder(SessionRepositoryFilter.DEFAULT_ORDER + 1);
        return registration;
    }

    @Bean
    public FilterRegistrationBean sessionRepositoryFilterRegistration(
            SessionRepositoryFilter sessionRepositoryFilter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(sessionRepositoryFilter);
        registration.setName("springSessionRepositoryFilter");
        // note: must run after OAuth2ClientContextFilter
        registration.setOrder(Integer.MAX_VALUE - 1);
        return registration;
    }
}
```
Also, you may need to remove the dependency org.springframework.boot:spring-boot-devtools,
related to https://github.com/spring-projects/spring-boot/issues/3805
Postscript: for spring-boot 1.3.3.RELEASE,
spring-session, redis and spring-security-oauth2 work with the filter order below.
```
# logs on bootRun task
Mapping filter: 'characterEncodingFilter' to: [/*]
Mapping filter: 'springSessionRepositoryFilter' to: [/*]
Mapping filter: 'requestContextFilter' to: [/*]
Mapping filter: 'OAuth2ClientContextFilter' to: [/*]
Mapping filter: 'springSecurityFilterChain' to: [/*]
Mapping servlet: 'dispatcherServlet' to [/]
```
The currently required setting is below.
```java
// same imports as above (Filter, Qualifier, ConditionalOnMissingBean,
// FilterRegistrationBean, Bean, SessionRepositoryFilter, RequestContextFilter)
@Bean
@ConditionalOnMissingBean(RequestContextFilter.class)
public RequestContextFilter requestContextFilter() {
    return new RequestContextFilter();
}

@Bean
public FilterRegistrationBean requestContextFilterChainRegistration(
        @Qualifier("requestContextFilter") Filter securityFilter) {
    FilterRegistrationBean registration =
            new FilterRegistrationBean(securityFilter);
    registration.setName("requestContextFilter");
    // note: must run after springSessionRepositoryFilter
    registration.setOrder(SessionRepositoryFilter.DEFAULT_ORDER + 1);
    return registration;
}
```
Upvotes: 1
Reputation: 58124
There are quite a few issues with that code, but the one that stops it working with Spring Session is that the two apps are sharing a cookie. The context-path is "/" for the "main" webapp, so the auth server tries to use the same cookie when it is running on the same host. It doesn't matter when you use a local session, but when you use a distributed session you mess up the state when the 2 apps try to share the same session. You can fix it by using a `server.context-path` in the webapp (e.g. `/app`) and making corresponding changes to your HTML etc. to make sure that the browser follows paths back to there.
Upvotes: 1
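To see the shared-cookie collision described in the answer above without running either app, here is an added example (not code from the question's repo or from the answerer) that replays the two apps' `Set-Cookie` responses into a browser-style cookie jar and shows which `SESSION` cookies the browser would send to the auth server. It assumes the URLs from the question (web app on port 8080, auth server at `/uaa` on port 19999), that `SESSION` is the cookie name (Spring Session's default) and that the cookie path equals each app's context-path; the cookie values are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Constructed stand-in for an HTTP response: CookieJar only needs
    .info() to return a headers object exposing get_all("Set-Cookie")."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookies_sent_to(url, responses):
    """Replay (origin_url, Set-Cookie) pairs into a fresh jar, then return
    the Cookie header the jar attaches to a request for `url`."""
    jar = http.cookiejar.CookieJar()
    for origin_url, set_cookie in responses:
        jar.extract_cookies(FakeResponse(set_cookie),
                            urllib.request.Request(origin_url))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # matches on host + path only; port is ignored
    return request.get_header("Cookie")


# Auth server runs under /uaa, so its session cookie is scoped to Path=/uaa.
AUTH_SERVER = ("http://localhost:19999/uaa/login",
               "SESSION=uaa-1111; Path=/uaa; HttpOnly")  # constructed value


def webapp_cookie(context_path):
    """Web app cookie, scoped to the app's context-path ("/" or "/app")."""
    return ("http://localhost:8080" + context_path,
            "SESSION=web-2222; Path=%s; HttpOnly" % context_path)  # constructed


def shared_cookie_demo(context_path):
    """Cookie header reaching the auth server when the web app uses
    `context_path`; with "/" both SESSION cookies arrive and collide."""
    return cookies_sent_to("http://localhost:19999/uaa/oauth/authorize",
                           [AUTH_SERVER, webapp_cookie(context_path)])


if __name__ == "__main__":
    print("context-path=/    ->", shared_cookie_demo("/"))
    print("context-path=/app ->", shared_cookie_demo("/app"))
```

With the web app at `/`, the auth server receives `SESSION=uaa-1111; SESSION=web-2222` and a shared Redis store lets one app pick up the other's session; with `server.context-path=/app` it receives only its own cookie.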