Correctly configure spring security oauth2

Question

I'm trying to configure an authorization server with spring-security-oauth2 and jwt.

My main :

@SpringBootApplication
@EnableResourceServer
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

My Security config :

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    @Bean
    public AuthenticationManager    authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("john").password("123").roles("USER").authorities("FOO_READ");
    }
}

My auth server config :

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("gateway")
                .secret("secret")
                .authorizedGrantTypes("refresh_token", "password")
                .scopes("GATEWAY")
                .autoApprove(true) ;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenEnhancer(jwtTokenEnhancer()).authenticationManager(authenticationManager);
    }

}

And a webservice to access the current user :

@RestController
public class UserController {

    @GetMapping("/users/me")
    public Principal user(Principal principal) {
        return principal;
    }
}

Now, if I do a post request like this :

gateway:secret@localhost:10101/oauth/token
grant_type : password
username : john
password : 123

I have a response like :

{
    "access_token": "...access token...",
    "token_type": "bearer",
    "refresh_token": "...refresh token...",
    "expires_in": 43199,
    "scope": "GATEWAY",
    "jti": "...jti..."
}

If I use the access token to call my user WS :

GET localhost:10101/users/me
Authorization : Bearer ...access token...

I obtain a null response.

But if I had this lines to my Security config :

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/wtf");
    }

I then obtain the appropriate response.

Can someone explain me how this is working ? Why my user is not recognized without this additional line ?

Thank you.

Oreste Viron · Accepted Answer

Actually it's a problem with spring security. The solution is in this thread :

https://github.com/spring-projects/spring-security-oauth/issues/980

This annotation should be added for the Adapter to be correctly called :

@Configuration 
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { 
    // ...
}

Another solution is to implement ResourceServerConfigurerAdapter instead of WebSecurityConfigurerAdapter.

Correctly configure spring security oauth2

Answers (1)

Related Questions