Reputation: 7995
We are migrating our Spring Boot 1.5.7 application to Spring Boot 2 and I noticed that `SecurityProperties.ACCESS_OVERRIDE_ORDER` is not available anymore.
We were using `@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` to force a certain order of security config filters and it is not working without this annotation anymore (getting different statuses since the security filters are in a wrong order). Is there some replacement or configuration change to make it work in the old way?
We have basic auth + OAuth2 in place.
This is the OAuth2 dependency we use:
```groovy
compile group: 'org.springframework.security.oauth', name: 'spring-security-oauth2', version: '2.1.0.RELEASE'
```
EDIT: this is my WebSecurity properties:
```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
// ACCESS_OVERRIDE_ORDER exists in Boot 1.5 but was removed in Boot 2, so this line no longer compiles there
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String LOGIN = "/login";
    private static final String LOGOUT_SUCCESS = "/login?logout";
    // PROFILE was referenced but not defined in the posted snippet; value assumed here
    private static final String PROFILE = "/profile";

    private final UserDetailsService userDetailsService;
    private final AuthenticationManager authenticationManager;

    public WebSecurityConfig(UserDetailsService userDetailsService, @Lazy AuthenticationManager authenticationManager) {
        this.userDetailsService = userDetailsService;
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            // enable cors
            .cors().and()
            // this chain only handles /oauth/** and single-segment paths such as /user
            .requestMatchers().antMatchers("/oauth/**", "/*").and()
            // these from the above are secured in the following way
            .authorizeRequests().antMatchers("/").permitAll()
            // the rest of the matched paths require authentication
            .anyRequest().authenticated().and()
            // set login page
            .formLogin().loginPage(LOGIN).permitAll().defaultSuccessUrl(PROFILE)
            // set logout handling
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS);
        // @formatter:on
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // CORS preflight requests bypass the security filter chain entirely
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
        auth.userDetailsService(userDetailsService);
    }
}
```
When accessing `/user` via REST, I expect to get `401 - Unauthorized` without a valid token. Instead, I get `302 - Redirect to /login`, meaning that basic auth has higher priority. I am not sure how to fix this since any order I try to use does not work.
Upvotes: 9
Views: 6683
Reputation: 7995
So, it turns out that the problem was not in my WebSecurity config but it was a bit more complex. Spring Security 5 requires clientSecret to be encrypted with BCrypt by default, which I was missing. Also, adding an `AuthenticationManager` bean fixed the issue.
```java
// goes inside the WebSecurityConfigurerAdapter subclass (WebSecurityConfig above)
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}
```
I have an example project with this functionality on github but I am going to improve it a bit to fix some additional issues.
Upvotes: 2
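The two fixes named in this answer, an exposed `AuthenticationManager` bean and a client secret stored through Spring Security 5's delegating password encoder, fit together in the authorization server configuration as shown below. This is an added example, not code from the asker's project or from either answer; the client id, secret and scope are constructed placeholders, and it assumes the `authenticationManagerBean()` from the answer is present on the `WebSecurityConfigurerAdapter`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Added example for Spring Boot 2 / Spring Security 5 with spring-security-oauth2 2.x.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Injected from the authenticationManagerBean() shown in the answer; without that
    // bean Spring Security 5 does not expose an AuthenticationManager for injection.
    private final AuthenticationManager authenticationManager;

    // DelegatingPasswordEncoder: encoded values carry an {id} prefix and default to bcrypt,
    // which is what "clientSecret must be BCrypt" amounts to in practice.
    private final PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    public AuthorizationServerConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Client credentials presented on /oauth/token are checked with the same encoder,
        // so the stored {bcrypt}... value matches the secret the client sends in clear.
        security.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("example-client")                       // constructed placeholder
            .secret(passwordEncoder.encode("example-secret"))   // stored as {bcrypt}$2a$10$...
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The password grant delegates user authentication to the exposed manager
        endpoints.authenticationManager(authenticationManager);
    }
}
```

Storing a plain `"example-secret"` with this encoder in place fails at token time because the delegating encoder cannot find an `{id}` prefix on the stored value; encoding it up front, or prefixing it explicitly, is what makes the client authentication on `/oauth/token` succeed.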
Reputation: 3196
Have the same issue. Just for monkey patching (will investigate the real meaning of the `@Order` annotation later), I found what value had been assigned to `ACCESS_OVERRIDE_ORDER` in the 1.5.* version from here https://docs.spring.io/spring-boot/docs/1.5.10.RELEASE/api/ , which appears to be `@Order(2147483640)`
...
Upvotes: 2
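The number in this answer is `Ordered.LOWEST_PRECEDENCE - 7`, so on Spring Boot 2 the removed constant can be declared locally instead of hard-coding `2147483640`. The example below, added here and not taken from the question or either answer, does that and also gives each filter chain its own path prefix so that the order only breaks ties rather than deciding which chain swallows a request both of them match (the question's `"/*"` matcher, for instance, also matches `/user`). The `/api/**` and `/profile` paths and the resource id are constructed for the example; it assumes `spring-security-oauth2` 2.x, whose `ResourceServerConfiguration` runs at order 3 unless overridden.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Added example: Boot 2 replacement for @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER).
@Configuration
public class SecurityOrderConfig {

    /** The value SecurityProperties.ACCESS_OVERRIDE_ORDER had in Boot 1.5 (2147483640). */
    public static final int ACCESS_OVERRIDE_ORDER = Ordered.LOWEST_PRECEDENCE - 7;

    // Token-protected chain. It is registered at order 3 by the OAuth2 resource server
    // support, so it is consulted before the browser chain below. It claims only /api/**
    // and its default entry point answers a missing or invalid token with 401, not a redirect.
    @Configuration
    @EnableResourceServer
    public static class ApiSecurityConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId("api-resource"); // constructed placeholder
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/api/**").and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    // Browser chain with the precedence the old constant gave it. Because the API chain
    // owns /api/**, this chain never sees an API call and cannot answer it with a 302.
    @Configuration
    @Order(ACCESS_OVERRIDE_ORDER)
    public static class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .cors().and()
                .authorizeRequests()
                    .antMatchers("/", "/login").permitAll()
                    .anyRequest().authenticated().and()
                .formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/profile").and()
                .logout().logoutSuccessUrl("/login?logout");
        }
    }
}
```

A quick check that the chains are wired as intended: an unauthenticated `GET /api/anything` should return `401` with a `WWW-Authenticate: Bearer` header, while an unauthenticated `GET /profile` should return `302` to `/login`; if the API call redirects, the request was picked up by the browser chain, which points at either overlapping matchers or an order lower than 3 on the browser configuration.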