Reputation: 319
WebSecurityConfigurerAdapter overrides EnableResourceServer?
I have perfectly working spring boot app which use spring oAuth2. when i use @EnableResourceServer on main class it worked well. but to enable CORS for services I have implemented below class
@Configuration
public class CorsConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
After I add that class it seems request does not validate with oAuth token. any request even without oAuth token can access service.
What I did wrong? Cant I use both? is there any special thing to do both to work? is there any better way to enable CORS that this. (I tried @CrossOrigin annotation it didn't worked)
Upvotes: 0
Views: 918
Answers (1)
Reputation: 377
I am not sure why you wanted to use WebSecurityConfigurerAdapter
I think your problem is you are not forwarding your calls to oAuth for authorize. try this it worked for me
@Configuration
public class CorsConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated();
}
@Bean
public CorsFilter corsFilter() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("resource");
}
}
here this resources.resourceId("resource"); should be resource you have used in your oAuth server
similar method like this
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("clinet").secret("secret").accessTokenValiditySeconds(3600).scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
}
Upvotes: 6
Related Questions
- Replace WebSecurityConfigurerAdapter in Spring boot for ResourceServerConfigurerAdapter
- java Spring @EnableResourceServer and @EnableWebSecurity
- Spring disable @EnableResourceServer
- Relation between WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter
- EnableResourceServer breaks oAuth2 authorization server
- Using WebSecurityConfigurerAdapter with Spring OAuth2 and user-info-uri
- Spring security Resource server configuration
- Spring oauth2 / HttpSecurity http / ResourceServerConfigurer and WebSecurityConfigurerAdapter
- Enabling Spring OAuth2 ResourceServer disables UsernamePasswordAuthenticationFilter
- Spring OAuth @EnableResourceServer preventing login page from OAuth server