Spring boot oauth2 httpbasic authentication management

I have a spring boot application that uses oauth2 for authentication. The oauth2 mechanism works, and clients can authenticate and receive their access tokens.

I want to protect the actuator endpoints using HTTP Basic authentication, that is, not requiring the user to authenticate with OAuth2 first in order to access the actuator endpoints. What I have done so far is to set the following in the properties file:

management.context-path=/admin/actuators
management.security.enabled=true
management.security.role=ADMIN

security.user.name=admin
security.user.password=password

I tried various ways of configuring using ResourceServerConfigurerAdapter and WebSecurityConfigurerAdapter.

None of my attempts work, and it keeps telling me

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

OAUTH2 ?

+4
4

, , java.

/admin/ / , /admin/ /* .

// imports needed by the enclosing configuration file
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Ordered ahead of the OAuth2 resource server chain so that it handles /admin/actuators/** first
@Configuration
@Order(1)
protected static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // scope this whole filter chain to the management context path
            .antMatcher("/admin/actuators/**")
            .authorizeRequests()
                // health stays open; everything else needs ROLE_ADMIN via HTTP Basic
                .antMatchers(HttpMethod.GET, "/admin/actuators/health").permitAll()
                .anyRequest().hasRole("ADMIN")
            .and()
                .httpBasic();
    }
}
-1

, @EnableResourceServer ResourceServerConfiguration, 3, ManagementServerProperties.ACCESS_OVERRIDE_ORDER.
. Spring : http://docs.spring.io/spring-boot/docs/1.4.3.RELEASE/reference/htmlsingle/#boot-features-security-actuator

, /health , management.port management.contextPath, URL- , .

, :

EDIT: a) ResourceServerConfiguration BeanPostProcessor

@dsyer github:

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.stereotype.Component;

@Component
@Slf4j  // Lombok generates a logger field named "log"
public class ResourceServerConfigurationPostProcessor implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        // Push the OAuth2 resource server filter chain behind the management security chain
        if (bean instanceof ResourceServerConfiguration) {
            log.debug("Lowering order of ResourceServerConfiguration bean : {}", beanName);
            ResourceServerConfiguration config = (ResourceServerConfiguration) bean;
            config.setOrder(SecurityProperties.ACCESS_OVERRIDE_ORDER);
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

}

, .


: b) ResourceServerConfiguration

- -, @EnableResourceServer , :

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;

/**
 * Extend the default resource server config class, and downgrade its order
 */
public class ResourceServerLowPrecedenceConfiguration extends ResourceServerConfiguration {

    /**
     * This is enough to override Spring Boot default resource security,
     * but it does not take over the management security.
     */
    @Override
    public int getOrder() {
        return SecurityProperties.ACCESS_OVERRIDE_ORDER;
    }
}

:

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/** @EnableResourceServer is replaced by @Import using the low precedence config */
@Configuration
@Import(ResourceServerLowPrecedenceConfiguration.class)
public class YourOwnOAuth2Config extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // Secure your resources using OAuth 2.0 here
    }
}

EDIT: @EnableResourceServer, @Import:

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.context.annotation.Import;

// Drop-in replacement for the framework's @EnableResourceServer that imports the low-precedence config
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import(ResourceServerLowPrecedenceConfiguration.class)
public @interface EnableResourceServer {
}

IMHO , spring-security-oauth .
. GitHub: https://github.com/spring-projects/spring-boot/issues/5072

+3

security.oauth2.resource.filter-order = 3 application.yml

0
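Putting the first answer's separate HTTP Basic chain together with the third answer's filter-order property, here is an added example (not code from any of the answers) of the two filter chains side by side for a Spring Boot 1.4.x application; the class names, package and the ROLE_ADMIN user are assumptions:

```java
// Assumed application.properties for this example (constructed, not from the question):
//   management.context-path=/admin/actuators
//   security.user.name=admin
//   security.user.password=password
//   security.user.role=ADMIN                  # hasRole("ADMIN") below needs ROLE_ADMIN
//   security.oauth2.resource.filter-order=3   # OAuth2 chain ordered after the chain below
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Chain 1 (order 1): only requests under the management context path reach it.
 * It must come before the OAuth2 resource server chain, otherwise the token
 * filter answers first with "Full authentication is required".
 */
@Configuration
@Order(1)
public class ActuatorBasicAuthConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/admin/actuators/**")   // scope before any authorizeRequests()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/admin/actuators/health").permitAll()
                .anyRequest().hasRole("ADMIN")   // every other actuator needs ROLE_ADMIN
            .and()
                .httpBasic();                    // Basic only; no bearer token involved
    }
}

/** Chain 2 (order from security.oauth2.resource.filter-order): everything else is an OAuth2 resource. */
@Configuration
@EnableResourceServer
class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```

A quick check after wiring this up: an unauthenticated GET on /admin/actuators/health should return 200, any other actuator endpoint 401 with a `WWW-Authenticate: Basic` header rather than the OAuth2 error body shown in the question.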

Spring Security Multiple HttpSecurity.

<!-- Chain 1: actuator endpoints, HTTP Basic with its own authentication manager -->
<http pattern="/actuators/**/*" request-matcher="ant" authentication-manager-ref="basicAuthManager">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic />
</http>
<!-- Chain 2: everything else, secured by OAuth2 -->
<http use-expressions="false">
   ... your oauth config
</http>

<authentication-manager id="basicAuthManager">
    <authentication-provider>
        <user-service>
            <user name="user1" password="user1Pass" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

... your oauth config stuff

( xml, java- )

@See http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-http

( , Spring Boot.)

-1
