Spring OAuth2 Authorization Server with Actuator endpoints secured with basic auth

Question

I have Spring Spring OAuth2 Authorization Server. It is one of my microservices (called user-management). It holds users and passwords in database but also some other "security related" entities. It means I have custom implementation of UserDetailsService that wraps loading of users for Spring Security operations. This microservice is authorization server but it is also resource server since there is some persistence and domain logic related to Users, Organizations, OrganizationMemberships, etc... Most of my REST endpoints are accessed with OAuth2 token in header and everything works fine.

But I am also using Spring Actuator that is accessed usually by Spring Boot Admin server. For these endpoints I am using Http basic auth so I have some custom WebSecurityConfigurerAdapter for /actuator/** endpoints. In all microservices I have the user for these actuator endpoints access defined in application.yaml configuration and it works fine. But... In case of this user-management with custom UserDetailsService implementation it does not work.

The issue is that when performing basic auth for actuator endpoint calls then DaoAuthenticationProvider has reference on my custom UserDetailsService that is trying to find the user in my database and it is not there. When this happens in all other microservices then there is InMemoryUserDetailsManager implementation of UserDetailsService (used by DaoAuthenticationProvider) that contains the user from application.yaml.

Any idea how to solve or approach the problem?

• Create the user for actuator endpoints access to the database? I don't like it because it differs from my other microservices
• Create a delegating UserDetailsService that would check both user storages? I am not sure how to configure it since InMemoryUserDetailsManager doesn't look like managed bean so there is some manual programing.
• Or is there any different correct approach? How to configure it?

Many thanks, Lukas

Answer 1

After some investigations I found solution that looks quite ok. I have created dedicated configuration for actuator endpoints where I was able to set dedicated implementation of UserDetailsService. I have chosen InMemoryUserDetailsManager that is used as a default when you dont use custom implementation.

This means the other instances of WebSecurityConfigurerAdapter and implementation of AuthorizationServerConfigurerAdapter does not interfere with security of these actuator endpoints

@Configuration
@Order(1)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private InMemoryUserDetailsManager inMemoryUserDetailsManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.userDetailsService(inMemoryUserDetailsManager)
                .antMatcher("/actuator/**").httpBasic().and()
                .csrf().disable()
                .headers().disable();
    }
}

I had to create instance of InMemoryUserDetailsManager manually and inject values from configuration.

    @Value("${spring.security.user.name}")
    private String systemUserName;

    @Value("${spring.security.user.password}")
    private String systemUserPassword;

    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager()
    {
        List<UserDetails> userDetailsList = new ArrayList<>();
        userDetailsList.add(User.withUsername(systemUserName).password(systemUserPassword).authorities("USER").build());

        return new InMemoryUserDetailsManager(userDetailsList);
    }