Ariel

Reputation: 26783

Controlling authentication redirects with JHipster, Spring Security, and oauth2

I want to be able to control the automatic redirect to an oauth2 authorization server when the user is not logged in.

I generated a JHipster Gateway project, and the code below is simply a copy of that, with the addition of the oAuth2ClientContextFilter variable, which is autowired; I then use it to call setRedirectStrategy.

However, the variable is NULL when it comes time to use it. What am I doing wrong?

@EnableOAuth2Sso
@Configuration
public class OAuth2SsoConfiguration extends WebSecurityConfigurerAdapter {

    private final RequestMatcher authorizationHeaderRequestMatcher;

    private final CorsFilter corsFilter;

    @Autowired
    private OAuth2ClientContextFilter oAuth2ClientContextFilter;

    private final Logger log = LoggerFactory.getLogger(OAuth2SsoConfiguration.class);

    public OAuth2SsoConfiguration(@Qualifier("authorizationHeaderRequestMatcher")
                                  RequestMatcher authorizationHeaderRequestMatcher, CorsFilter corsFilter) {
        this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
        this.corsFilter = corsFilter;
        oAuth2ClientContextFilter.setRedirectStrategy(new RedirectStrategy() {

            @Override
            public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
                // My Code Here
            }

        });

    }

    @Bean
    public AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler() {
        return new AjaxLogoutSuccessHandler();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .addFilterBefore(corsFilter, CsrfFilter.class)
            .headers()
            .frameOptions()
            .disable()
        .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler())
        .and()
            .requestMatcher(new NegatedRequestMatcher(authorizationHeaderRequestMatcher))
            .authorizeRequests()
            .antMatchers("/api/profile-info").permitAll()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .anyRequest().permitAll();
    }
}

Upvotes: 1

Views: 533

Answers (1)

Nikolai Shevchenko

Reputation: 7521

It's not good to mix autowiring strategies (field autowiring and constructor autowiring), because construction occurs prior to @Autowired. So either inject the filter into the constructor:

private OAuth2ClientContextFilter oAuth2ClientContextFilter;

public OAuth2SsoConfiguration(
    @Qualifier("authorizationHeaderRequestMatcher") RequestMatcher authorizationHeaderRequestMatcher,
    CorsFilter corsFilter,
    OAuth2ClientContextFilter oAuth2ClientContextFilter
) {
    this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
    this.corsFilter = corsFilter;
    this.oAuth2ClientContextFilter = oAuth2ClientContextFilter;
    .....
}

or move RequestMatcher & CorsFilter out of the constructor arguments and mark them @Autowired.

Upvotes: 2
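A complete constructor-injected version of the approach above, as an added example (not the question's code or JHipster's generated code). It assumes the Spring Boot OAuth2 autoconfiguration exposes an OAuth2ClientContextFilter bean; the ApiAwareRedirectStrategy class and the X-Login-Redirect header name are hypothetical, and the unchanged configure(HttpSecurity) from the question is omitted.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

// Added example (not the question's or JHipster's code). Assumes the Boot
// OAuth2 autoconfiguration exposes an OAuth2ClientContextFilter bean.
@EnableOAuth2Sso
@Configuration
public class OAuth2SsoConfiguration extends WebSecurityConfigurerAdapter {

    private final OAuth2ClientContextFilter oAuth2ClientContextFilter;

    // Constructor injection: the filter is non-null here, unlike an
    // @Autowired field, which Spring populates only after construction.
    public OAuth2SsoConfiguration(OAuth2ClientContextFilter oAuth2ClientContextFilter) {
        this.oAuth2ClientContextFilter = oAuth2ClientContextFilter;
        this.oAuth2ClientContextFilter.setRedirectStrategy(new ApiAwareRedirectStrategy());
    }

    // Browser navigations keep the normal 302 to the authorization server;
    // XHR/JSON calls get a 401 with the login URL in a header, so the
    // single-page client starts the login flow itself instead of following it.
    static final class ApiAwareRedirectStrategy implements RedirectStrategy {
        private final RedirectStrategy browserRedirect = new DefaultRedirectStrategy();

        @Override
        public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
                                 String url) throws IOException {
            if (isApiCall(request)) {
                response.setHeader("X-Login-Redirect", url); // hypothetical header name
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
                return;
            }
            browserRedirect.sendRedirect(request, response, url);
        }

        private static boolean isApiCall(HttpServletRequest request) {
            String accept = request.getHeader("Accept");
            return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json"));
        }
    }
}
```

Delegating to DefaultRedirectStrategy for the browser case keeps Spring Security's own handling of the redirect URL rather than re-implementing it with response.sendRedirect.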
