Spring oauth2 security disconnect jsessionid session

I don't have the reputation to comment, but this post describes exactly the same problem.

I successfully implemented Spring Security OAuth2 2.0.5 in a Spring 4 application. Everything works fine: I can generate tokens, and API requests are authenticated correctly. But the problem is that once the API has been authenticated with an access token inside the browser-based application, subsequent calls do not need an access token, because:

- Spring Security seems to rely on the session ID instead to identify and authenticate the user.
- Calls seem to still be validated even after the access token expires.

So it looks like Spring uses the access token only for the first call, and then relies on the cookie / JSESSIONID. I tried disabling this behavior as follows (learning from sparklr2):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // oAuth2AccessDeniedHandler, oAuth2AuthenticationEntryPoint() and
    // clientCredentialsTokenEndpointFilter() are defined elsewhere in this class
    // (omitted from the post).

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable();
        // oauth2 recommends that the oauth token url should only be available to authorized clients
        http.requestMatchers().antMatchers("/oauth/token").and().authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic().authenticationEntryPoint(oAuth2AuthenticationEntryPoint()).and()
                .addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class)
                // no session for this chain: note that this chain only matches /oauth/token
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler);
    }
}
```

but it doesn't help. In the logs I see:

```
Ant [pattern='/oauth/token'] request: '/v1.0/printconfig/'; '/oauth/token'
Ant [pattern='/oauth/token_key'] : '/v1.0/printconfig/'; '/oauth/token_key'
Ant [pattern='/oauth/check_token'] : '/v1.0/printconfig/'; '/oauth/check_token'
Ant [pattern='/v1.0/'] request: '/v1.0/printconfig/'; '/v1.0/'
/v1.0/printconfig/ 1 10 ; firing Filter: 'WebAsyncManagerIntegrationFilter'
/v1.0/printconfig/ 2 10 ; : 'SecurityContextPersistenceFilter'
  SecurityContext SPRING_SECURITY_CONTEXT: "org.springframework.security.core.context.SecurityContextImpl@bd392350: : org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: : m; ]; Enabled: true; AccountNonExpired: ; credentialsNonExpired: true; AccountNonLocked: true; : ROLE_USER; : []; Authenticated: true; : remoteAddress = 0:0:0:0:0:0:0:1, tokenValue = ; : ROLE_USER"
/v1.0/printconfig/ 3 10 ; firing Filter: 'HeaderWriterFilter'
  Not HSTS, requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6044b89b
/v1.0/printconfig/ 4 10 ; firing Filter: 'LogoutFilter' : '/v1.0/printconfig/'; '/logout'
/v1.0/printconfig/ 5 10 ; : 'OAuth2AuthenticationProcessingFilter' . . . OAuth2 . . .
/v1.0/printconfig/ 6 10 ; firing Filter: 'RequestCacheAwareFilter'
/v1.0/printconfig/ at 7 10 ; : 'SecurityContextHolderAwareRequestFilter'
/v1.0/printconfig/ at 8 10 ; : 'SessionManagementFilter'
/v1.0/printconfig/ 9 10 ; firing Filter: 'ExceptionTranslationFilter'
/v1.0/printconfig/ 10 10 ; firing Filter: 'FilterSecurityInterceptor' : '/v1.0/printconfig/'; '/v1.0/**'
  : FilterInvocation: URL:/v1.0/printconfig/; : [#oauth2.throwOnError(hasRole('ROLE_USER'))]
  : org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: : m; ]; Enabled: true; AccountNonExpired: ; credentialsNonExpired: true; AccountNonLocked: true; : ROLE_USER; : []; Authenticated: true; : remoteAddress = 0:0:0:0:0:0:0:1, tokenValue = ; : ROLE_USER
  : org.springframework.security.web.access.expression.WebExpressionVoter@5f574bdc, return: 1
  . RunAsManager /v1.0/printconfig/ ; , SecurityContextHolder ,
```

oauth, . sessionId, spring . , .

+4
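The log above shows the `/v1.0/**` request being handled by a chain whose `SecurityContextPersistenceFilter` still loads an `OAuth2Authentication` from the `SPRING_SECURITY_CONTEXT` session attribute, while the `STATELESS` policy in the posted `SecurityConfiguration` only applies to the chain that matches `/oauth/token`. As an added example (not code from the question or from sparklr2), the following resource-server configuration applies the stateless policy to the API chain itself, so no `JSESSIONID` is created or read for `/v1.0/**` and every call has to present its own bearer token. The class name, the resource id `printconfig-api` and the `/v1.0/**` pattern are assumptions taken from the paths visible in the log.

```java
// Added example, not part of the original question. Assumes spring-security-oauth2
// 2.0.x annotation configuration; "printconfig-api" is an assumed resource id.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            // assumed value; must match the resource id granted to the client
            .resourceId("printconfig-api")
            // stateless(true): when a request carries no token, the
            // OAuth2AuthenticationProcessingFilter clears any authentication it
            // finds in the SecurityContext, so a session-backed login cannot
            // stand in for a bearer token on this chain
            .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // this chain handles only the API; /oauth/token keeps its own chain
            .requestMatchers().antMatchers("/v1.0/**")
            .and()
            // never create an HTTP session for the API and never read one
            // (SecurityContextPersistenceFilter gets a null repository, so the
            // SPRING_SECURITY_CONTEXT attribute seen in the log is not consulted)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // same rule the log shows wrapped as #oauth2.throwOnError(hasRole('ROLE_USER'))
                .antMatchers("/v1.0/**").access("hasRole('ROLE_USER')");
    }
}
```

The resource-server chain registered by `@EnableResourceServer` is ordered ahead of a default-ordered `WebSecurityConfigurerAdapter`, so it is the one that answers for `/v1.0/**`. Two quick checks after applying it: a response from `/v1.0/printconfig/` should carry no `Set-Cookie: JSESSIONID` header, and a call made with an expired or missing token should be answered with `401` and an `invalid_token` / `unauthorized` error body by the resource server's `OAuth2AuthenticationEntryPoint` instead of succeeding on the strength of an earlier call.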
