Spring Boot Security OAuth2 with form registration

I am following Part V of Getting Started with Spring Boot Security to protect my RESTful microservices.

The simple flow that I intend to implement is:

  • If not authenticated, the user is redirected to the login page, say at /login.

  • The user provides their credentials.

  • Upon successful authentication, the user is redirected to the main page ('/home'). I must have access to my REST endpoint (behind the Zuul proxy server) after providing the access token in the request.

In the Getting Started guide at the link above, Basic Auth is used with a dummy user configured in a .properties or .yml file.

Here is what I tried with my configuration:

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory().withClient("acme").secret("acmesecret")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .scopes("openid")
                    .accessTokenValiditySeconds(3600);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("isAnonymous()").checkTokenAccess("isAnonymous()")
                    .allowFormAuthenticationForClients();
        }
    }

    @Configuration
    @Import({ OptoSoftSecurityServiceConfig.class })
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService; // backed by MongoDB

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Basic Auth disabled; the default Spring Security form login is used instead.
            http.httpBasic().disable().formLogin();
        }
    }

Clicking the authorization endpoint redirects me to 'http://localhost:9999/uaa/login' with an error message like:

    <oauth>
      <error_description>Full authentication is required to access this resource</error_description>
      <error>unauthorized</error>
    </oauth>

PROBLEM

  • How do I configure the authorization server to use a UserDetailsService instead of a static user, and form login instead of Basic Auth?

  • How do I configure auto-approval when using 'authorization_code' as the grant type?

  • Is it mandatory for the /oauth/authorize endpoint to be protected by Basic Auth? Why is full authentication required to access the /oauth/authorize endpoint? I believe that we do not know who the user is up to this endpoint. A user can only be identified after he is authenticated using the valid credentials entered in the login form.

+7
spring-boot spring-security spring-security-oauth2
1 answer

Finally, it worked. This is already configured in the git repository of the blog mentioned above. It turns out it was pretty straightforward.

This is what worked for me (I also set autoApprove to true):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

    /**
     * @author kumar
     */
    @SpringBootApplication
    public class AuthenticationServerApplication {

        /**
         * @param args
         */
        public static void main(String[] args) {
            SpringApplication.run(AuthenticationServerApplication.class, args);
        }

        @Configuration
        protected static class LoginConfig extends WebSecurityConfigurerAdapter {

            @Autowired
            private AuthenticationManager authenticationManager;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // The login form is public; everything else (including /oauth/authorize) requires a logged-in user.
                http.formLogin().permitAll().and().authorizeRequests().anyRequest().authenticated();
                // .and().userDetailsService(yourCustomerUserDetailsService);
            }

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.parentAuthenticationManager(authenticationManager);
            }
        }

        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

            @Autowired
            private AuthenticationManager authenticationManager;

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.authenticationManager(authenticationManager);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.inMemory().withClient("acme").secret("acmesecret")
                        .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                        .scopes("openid")
                        .autoApprove(true); // skip the consent page for this client
            }

            @Override
            public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
                oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
            }
        }
    }

application.yml:

    security:
      user:
        password: password
    server:
      port: 9999
      context-path: /uaa
+4
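The answer above leaves the custom user store as a commented-out line and keeps the client secret in plain text. The following is an added example, not code from the question or the answer, showing the pieces wired together: a form login backed by a UserDetailsService (a constructed in-memory map stands in for the MongoDB-backed one from the question), bcrypt for both user passwords and the client secret, a registered redirect URI for the "acme" client, and /oauth/check_token limited to authenticated clients. It assumes Spring Boot 1.5.x with spring-security-oauth2 2.x; the package name, user "alice" and the redirect URI http://localhost:8080/login are placeholders.

```java
// Added example, not code from the question or answer above. Assumes Spring Boot 1.5.x with
// spring-security-oauth2 2.x; the package, user "alice", redirect URI and in-memory user map are placeholders.
package com.example.uaa;

import java.util.Collections;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@SpringBootApplication
public class UaaApplication {
    public static void main(String[] args) {
        SpringApplication.run(UaaApplication.class, args);
    }

    // One bcrypt encoder for user passwords and client secrets; nothing is stored in plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Stand-in for the MongoDB-backed UserDetailsService: a constructed map of username -> bcrypt hash.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        final Map<String, String> users = Collections.singletonMap("alice", encoder.encode("alice-password"));
        return username -> {
            String hash = users.get(username);
            if (hash == null) throw new UsernameNotFoundException("unknown user: " + username);
            return new User(username, hash, AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }

    @Configuration
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {
        @Autowired private UserDetailsService userDetailsService;
        @Autowired private PasswordEncoder passwordEncoder;

        // Users come from the UserDetailsService, not from security.user.* properties.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }

        // Published as a bean so the OAuth2 endpoints share this user store; Boot's default manager backs off.
        @Bean @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        // /login is public; /oauth/authorize and everything else need a logged-in user, so an
        // unauthenticated browser is redirected to the form instead of getting a Basic challenge.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin().permitAll().and().authorizeRequests().anyRequest().authenticated();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
        @Autowired private AuthenticationManager authenticationManager;
        @Autowired private PasswordEncoder passwordEncoder;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        // Hashed client secret, a registered redirect URI so a mismatched redirect_uri is rejected,
        // and auto-approval only because "acme" is a first-party client.
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory().withClient("acme").secret(passwordEncoder.encode("acmesecret"))
                    .authorizedGrantTypes("authorization_code", "refresh_token").scopes("openid")
                    .redirectUris("http://localhost:8080/login").autoApprove(true)
                    .accessTokenValiditySeconds(3600);
        }

        // /oauth/check_token only for authenticated clients; isAnonymous() would admit only unauthenticated callers.
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.passwordEncoder(passwordEncoder).tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }
    }
}
```

With this in place the browser flow is: GET /uaa/oauth/authorize?response_type=code&client_id=acme&redirect_uri=http://localhost:8080/login redirects to /uaa/login, the form POST authenticates against the UserDetailsService, the request returns to /oauth/authorize, auto-approval skips the consent page, and the client receives the code at the registered redirect URI. The client then exchanges it at /uaa/oauth/token using HTTP Basic with acme:acmesecret, which is matched against the bcrypt hash. The password grant from the original configuration is left out so user credentials are only ever entered on the authorization server's own login form.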
