Geek Answers Handbook

Spring OAuth2 Security - @ EnableOauth2Sso, but also accept tokens as authentication

I have an application that has @EnableOAuth2Sso on WebSecurityConfigurerAdapter

After adding @EnableOAuth2Sso application redirects me to the authorization server and allows access after logging into this authorization server. I also want to offer an API, so I want applications to be able to access my resources by passing accesstoken through Authorization-Header

 Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

I debugged through the authentication filter that is used with @EnableOAuth2Sso noticed that the value of the "Authorization-Header" parameter was not verified.

After that I tried to create a custom filter and added this filter to the security configuration

 @Override public void configure(HttpSecurity http) throws Exception { http.addFilter(myCustomFilter) ...; }

But now I get the following exception:

 Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189) at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588) ... 26 more Caused by: org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:44) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:105) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea.CGLIB$springSecurityFilterChain$5(<generated>) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea$$FastClassBySpringCGLIB$$7e95689d.invoke(<generated>) at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:318) at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea.springSecurityFilterChain(<generated>) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)

At first it seemed to me that I did something wrong inside the filter, but I got a simple filter class that does nothing but continue the filter and still with the same error.

I have two questions:

  • Why am I getting this exception?
  • Is there a way to enable token authentication for endpoints in an application that uses @EnableOAuth2Sso ?
+6
source share
2 answers

The reason for the exception was the streamlining of filters such as @jah .

What I did to ensure authentication of requests containing an access token in the authorization header is to create an ApiTokenAccessFilter class that extends OAuth2AuthenticationProcessingFilter . This filter takes a ResourceServerTokenServices constructor parameter and sets the status flag to false.

 public class ApiTokenAccessFilter extends OAuth2AuthenticationProcessingFilter { public ApiTokenAccessFilter(ResourceServerTokenServices resourceServerTokenServices) { super(); setStateless(false); setAuthenticationManager(oauthAuthenticationManager(resourceServerTokenServices)); } private AuthenticationManager oauthAuthenticationManager(ResourceServerTokenServices tokenServices) { OAuth2AuthenticationManager oauthAuthenticationManager = new OAuth2AuthenticationManager(); oauthAuthenticationManager.setResourceId("oauth2-resource"); oauthAuthenticationManager.setTokenServices(tokenServices); oauthAuthenticationManager.setClientDetailsService(null); return oauthAuthenticationManager; } }

In my security configuration, I used this filter as follows:

 @Configuration @EnableOAuth2Sso public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private ResourceServerTokenServices tokenServices; @Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest() .authenticated() .and() .addFilterBefore(new ApiTokenAccessFilter(tokenServices), AbstractPreAuthenticatedProcessingFilter.class); } }

I think this might be easier, so I opened the problem on the spring -security-oauth Github repo . I am not sure if this solution is suitable, but I have not found another alternative.

+7
source

This is the answer to your first question. You get this exception because you are trying to add a filter to the filter chain without specifying an order. A filter chain consists of several filters in a fixed order . An exception is selected to check for the addition of a filter. org.springframework.security.config.annotation.AlreadyBuiltException in AbstractSecurityBuilder when an exception occurs in it. Thus, the wide range of exceptions that occur inside AbstractSecurityBuilder raises this unrelated exception.

A possible way to add a filter would be to use the addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter) or addFilterAfter(Filter filter, Class<? extends Filter> afterFilter) HttpSecurity methods.

As for your second question, you should provide more information.

+2
source

More articles:


All Articles