Geek Answers Handbook

Spring OAuth @EnableResourceServer prevents access to the login page from the OAuth server

Browser response for localhost: 9999 / uaa / oauth / authorize? response_type = code & client_id = acme & redirect_uri = http://example.com - 302 Found, but the answer for localhost: 9999 / uaa / login - 401 Unauthorized.

I can get the login token before adding @EnableResourceServer. I am using Spring loading and the WebSecurityConfigurerAdapter extension to use the identity manager with the data source. When I tried to add a ResourceServerConfigurerAdapter, it will not be built. What is the easiest way to allow a login page?

@SpringBootApplication @RestController @EnableResourceServer public class OAuthSvcApplication extends WebMvcConfigurerAdapter { private static final Logger log = LoggerFactory.getLogger(OAuthSvcApplication.class); @RequestMapping("/user") public Principal user(Principal user) { return user; } public static void main(String[] args) { SpringApplication.run(OAuthSvcApplication.class, args); } } @Configuration @EnableGlobalMethodSecurity(securedEnabled = true) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired public void configureAuth(AuthenticationManagerBuilder auth,DataSource dataSource, Environment env) throws Exception { auth.jdbcAuthentication().dataSource(dataSource); } @Configuration @EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Autowired private DataSource dataSource; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security.checkTokenAccess("hasAuthority('USER')"); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("acme") .secret("acmesecret") .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid"); } } }
+7
spring spring-security oauth
source share
1 answer

SpringSecurityFilterChain should always be ordered before other filters. If you want to add your own authentication for all or some endpoints, it is best to add your own lower-order WebSecurityConfigurerAdapter. Changing the WebSecurityConfigurerAdapter subclass as shown below allows the ResourceServer to work with the jdbc authentication protocol:

 @Configuration @Order(-10) protected static class LoginConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Autowired private DataSource dataSource; @Override protected void configure(HttpSecurity http) throws Exception { http .formLogin().loginPage("/login").permitAll() .and() .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access") .and() .authorizeRequests().anyRequest().authenticated(); } @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.parentAuthenticationManager(authenticationManager).jdbcAuthentication().dataSource(dataSource); } }
+4
source share

More articles:


All Articles