Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
do it for one path, then do it for the other
on the way...
when i provide a second AuthorizationServerConfig, i get:
The bean 'authenticationManagerBean', defined in class path resource [.../security2/SecurityConfig2.class], could not be registered. A bean with that name has already been defined in class path resource [.../security/SecurityConfig.class] and overriding is disabled.
Action:
Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true
this happens in line 47 here:
https://github.com/daveyx/spring-oauth/blob/master/backend-spring/src/main/java/com/example/oauthdemo/security/SecurityConfig.java
when providing a AuthenticationManager
i've provided now a second config for
SecurityConfig extends WebSecurityConfigurerAdapter
AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
ResourceServerConfig extends ResourceServerConfigurerAdapter
if i comment out the second config, i get a token with the config 1
if i activate the second config, something seems to be messed up with the httpbasic-auth:
try config 1 with
curl -X POST http://localhost:8080/oauth1/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkOlhZN2ttem9OemwxMDA' --data "username=user&password=password&grant_type=password"
results in "Forbidden","path":"/oauth1/token"
try config 2 with
curl -X POST http://localhost:8080/oauth2/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkMjpYWTdrbXpvTnpsMTAwMg==' --data "username=user2&password=password2&grant_type=password"
results in "error":"invalid_grant","error_description":"Bad credentials"
i didnt get it working with two WebSecurityConfigurerAdapter, so i started with only one WebSecurityConfigurerAdapter and only one AuthorizationServerConfigurerAdapter, but two UserDetailsServices
i can get a token with both client ids
the downside is that i have only one authentication endpoint, but this is not a big problem
i've provided two AuthenticationProviders, each connected to a different UserDetailsService
The behaviour is now that both UserDetailsServices are tested if they can find the user, i see it as a downside too
what i want to have is:
case a) user with clientid X triggers only UserDetailsService1
case b) user with clientid Y triggers only UserDetailsService2
in case a) user has only access to resources of /api1
in case b) user has only access to resources of /api2
how can i achieve that?
Set-Cookie
header with the JSESSIONID triggers a firewall rule. Does anyone know whether any update in Spring Security or Spring Boot might be the reason that this header is set now? Other services that use the same setup don't have this header set in their responses. Unfortunately tracking down why this header is set now is difficult, because the service that shows this behaviour is the result of two services being merged, so there was quite some change going on. The underlying setup as such however didn't change, it's based on Spring Boot 2.1.6 (and we're using a custom, but shared Resource Server Setup in all our services)
Hi @rolaca11, thank you for wanting to contribute. The best thing you can do to explain your use case is start with a test that shows how a request fails in one commit. Then add a second commit that makes the test pass.
This will give whoever reviews your PR a great deal of information on what you are trying to accomplish, and that it actually works in the code.
Commit 1 - a test case that fails, but you believe it should pass
Commit 2 - fixes the code, causes the test in Commit 1 to pass
Hello, I just bumped Spring Boot version from 2.2.0.M4 -> 2.2.0.M6. As a result Spring Security version went from 5.2.0.M3 -> 5.2.0.RC1. With this change my previous OAuth2 resource server security configuration fails at startup with an exception java.lang.IllegalArgumentException: An AuthenticationManager is required
. In version 5.2.0.M3 a default manager with JwtAuthenticationProvider would be created. It appears this issue only occurs when I disable anonymous and have an authorizeRequests section in my HttpSecurity configuration as in the example below.
protected void configure(HttpSecurity http) throws Exception {
http.anonymous()
.disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
}
Do I need to provide an authentication manager rather than relying on the default in this case?
WebSecurityConfigurationAdapter
. In my setup I have a different WebSecurityConfigurationAdapter
for my Actuator endpoints and different profiles. Right now I provide those via bean and profile annotations. If I override the one of those adapters authenticationManagerBean() method it doesn't take effect. I guess I could declare them as components rather than just creating beans so the bean gets picked up... My question is it expected that disabling anonymous access cause no default AuthenticationManager
for oauth2resourceserver?
@AutoConfigureWebTestClient
which expects a working security configuration in order to start the context at all? Maybe we can solve it with your suggestions …
Hi
Could someone help me please? I'm getting empty username
parameter in findByUsername(String username)
in ReactiveUserDetailsService
In my security config I defined this:
.formLogin()
.loginPage("/login")
.authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))
where authService
is Autowired ReactiveUserDetailsService
I'm sending POST request to /login
with parameters:
{
"username": "<some_username>",
"password": "<some_password>"
}
There is not controller implementing /login
Spring security somehow itslef managing it, so I'm getting hit straight into ReactiveUserDetailsService
but obviously request params were not properly mapped, I'm definitely missing something
username
only from Authentication
object,.authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))
ReactiveAuthenticationManager
with implementation of authenticate(Authentication authentication)
authentication
parameter is also empty, and I'm not sure where do I get request body content to return proper Authentication
object with username and password
/login/oauth2/code
endpoint which 302s to https://accounts.google.com/o/oauth2/v2/auth
which seems correct. Domain and SSL cert are matching/correct.
hasAnyIpAddress(String[] ipAddresses)
expression to be an extension to current hasIpAddress(String ipAddress)
. Context: I had to to allow some endpoints to be used only by specified machines that could not be described as normal ip range expression (eg. "192.168.1.1/24"). To accomplish that I had to use some weird string based expression ("hasIpAddress('...') or hasIpAddress('...')"
) which was dynamically generated. What do you think about that?