Jordi

Reputation: 23277

spring boot: security autoconfiguration not applied (opaquetoken)

I'm trying to configure OAuth2 opaque token authorization using Spring.

According to the official Spring documentation:

If the application doesn’t expose a SecurityFilterChain bean, then Spring Boot will expose the above default one.

When I'm trying to reach my endpoint without any authorization token, I'm able to reach it.

I need to add a SecurityFilterChain manually:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
        return http.build();
    }

On the other hand, the documentation says:

If the application doesn’t expose an OpaqueTokenIntrospector bean, then Spring Boot will expose the above default one.

Nevertheless, when I start the service I get:

    ***************************
    APPLICATION FAILED TO START
    ***************************

    Description:

    Method filterChain in slab.tsystems.multipart.commonsupload.config.SecurityConfiguration required a bean of type 'org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector' that could not be found.

    Action:

    Consider defining a bean of type 'org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector' in your configuration.

My related dependencies:

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-resource-server</artifactId>
    </dependency>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>10.7.2</version>
      <scope>runtime</scope>
    </dependency>

Why is the default behaviour not applied?

Upvotes: 0

Views: 738

Answers (1)

hugoalexandremf

Reputation: 326

As explained in the Spring OAuth2 Resource Server documentation, you should declare a Bean returning the introspector or create a CustomOpaqueTokenIntrospector.

Declare a Bean that returns the needed OpaqueTokenIntrospector:

    @Bean
    public OpaqueTokenIntrospector introspector() {
        return new NimbusOpaqueTokenIntrospector("http://localhost:8080/oauth2/introspect", "clientid", "clientsecret");
    }

Or, if you want to customize the token introspection endpoint response, you can create a CustomOpaqueTokenIntrospector that implements the OpaqueTokenIntrospector interface. Then pass it to the configuration like this:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer((oAuth2ResourceServerConfigurer -> {
                    oAuth2ResourceServerConfigurer
                            .opaqueToken((opaqueTokenConfigurer -> {
                                // customOpaqueTokenIntrospector: an instance of your OpaqueTokenIntrospector implementation
                                opaqueTokenConfigurer.introspector(customOpaqueTokenIntrospector);
                            }));
                }));
        return http.build();
    }

Upvotes: 0
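
One way to write the CustomOpaqueTokenIntrospector mentioned in the answer, as an added example that is not code from the answer or from Spring: it wraps another introspector (such as the NimbusOpaqueTokenIntrospector bean above), rejects tokens whose `aud` claim lacks the expected audience, and maps scopes to authorities. The constructor parameters, the `expectedAudience` value and the `values` helper are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Added example: decorates an existing introspector with an audience check and scope mapping.
public class CustomOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
    private final OpaqueTokenIntrospector delegate;
    private final String expectedAudience; // assumption: this API's identifier at the authorization server

    public CustomOpaqueTokenIntrospector(OpaqueTokenIntrospector delegate, String expectedAudience) {
        this.delegate = delegate;
        this.expectedAudience = expectedAudience;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // The delegate performs the call to the introspection endpoint.
        OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
        // An active token may have been issued for a different API; reject it here.
        if (!values(principal.getAttribute("aud")).contains(expectedAudience)) {
            throw new BadOpaqueTokenException("Token audience does not include this resource server");
        }
        // Expose each granted scope as a SCOPE_-prefixed authority.
        Collection<GrantedAuthority> authorities = values(principal.getAttribute("scope")).stream()
                .map(scope -> new SimpleGrantedAuthority("SCOPE_" + scope))
                .collect(Collectors.toList());
        return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(), authorities);
    }

    // A claim may arrive as a collection or as a single space-delimited string.
    private static List<String> values(Object claim) {
        if (claim == null) {
            return Collections.emptyList();
        }
        if (claim instanceof Collection<?>) {
            return ((Collection<?>) claim).stream().map(String::valueOf).collect(Collectors.toList());
        }
        return Arrays.asList(claim.toString().trim().split("\\s+"));
    }
}
```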
