
I have an app that can log in with a form or with OAuth2 as well. But I ran into some trouble.

What I met:

  • When I visit http://127.0.0.1/, it redirects to the /login page, which is right.
  • When I visit http://127.0.0.1/api/hellos, it also redirects to the /login page, which is exactly wrong. What I want is to be able to access /api/hellos by using OAuth2.

Here is my Security Configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Project-specific classes whose packages are not shown in the question:
// SpringDataMyBatisUserDetailsService, SpringDataMyBatisClientDetailsService,
// Manager (holds PASSWORD_ENCODER), CorsFilter, CustomTokenEnhancer, RestAuthenticationEntryPoint.

/**
 * Outer adapter: wires the user store into the AuthenticationManager and registers
 * a CORS filter. It has no request matcher and no explicit @Order, so it contributes
 * its own filter chain at the default order (100) for every request.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private SpringDataMyBatisUserDetailsService userDetailsService;

    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(this.userDetailsService)
            .passwordEncoder(Manager.PASSWORD_ENCODER);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
    }

    /** OAuth2 authorization server: issues tokens and exposes /oauth/token, /oauth/check_token, /oauth/token_key. */
    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        private final AuthenticationManager authenticationManager;
        @Autowired
        private TokenStore tokenStore;
        @Autowired
        private SpringDataMyBatisClientDetailsService clientDetailsService;

        @Autowired
        public AuthorizationServerConfig(AuthenticationManager authenticationManager) {
            this.authenticationManager = authenticationManager;
        }

        /**
         * Defines the security constraints on the token endpoints /oauth/token_key and /oauth/check_token.
         * Client credentials are required to access the endpoints.
         *
         * @param oauthServer
         * @throws Exception
         */
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
        }

        /**
         * Defines the authorization and token endpoints and the token services.
         *
         * @param endpoints
         * @throws Exception
         */
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                .authenticationManager(this.authenticationManager)
                .tokenEnhancer(tokenEnhancer())
                .tokenStore(tokenStore);
        }

        /** Registered OAuth2 clients are loaded from the database via the MyBatis client details service. */
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                .withClientDetails(clientDetailsService);
        }

        @Bean
        public TokenEnhancer tokenEnhancer() {
            return new CustomTokenEnhancer();
        }

    }

    /**
     * Form-login chain, ordered first. It declares no antMatcher()/requestMatchers(),
     * so this chain is a candidate for every incoming URL, including /api/**.
     */
    @Order(1)
    @Configuration
    public class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/index.html", "/index.css", "/common.js", "/index.js", "/api/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                .logout()
                    .logoutSuccessUrl("/")
                .and()
                .exceptionHandling()
                    .accessDeniedPage("/error/403");
        }

    }

    /**
     * OAuth2 resource server chain, ordered second: stateless, bearer-token protected /api/**.
     */
    @Configuration
    @EnableResourceServer
    @Order(2)
    public class AuthorizationResourceConfig extends ResourceServerConfigurerAdapter {

        @Autowired
        private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
        @Autowired
        private AuthenticationSuccessHandler successHandler;
        @Autowired
        private AuthenticationFailureHandler failureHandler;
        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources
                .stateless(true)
                .tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .and()
                .anonymous().disable()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .httpBasic()
                .and()
                .exceptionHandling()
                    .accessDeniedHandler(new OAuth2AccessDeniedHandler())
                    .authenticationEntryPoint(restAuthenticationEntryPoint)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/**").fullyAuthenticated();
        }
    }

}

I have tried several approaches I found through Google, but none of them helped. So I really hope someone can help me; I would be grateful.

In addition, the most helpful information I have found is this.

Asked by WhatAKitty

1 Answer


You use ".antMatchers("/api/**").fullyAuthenticated();". In this case it will require a "LOG IN" for all actions under /api/.... If you don't want the "log in" form for "127.0.0.1/api/hellos", you must use only /api/ without the stars.

Answered by kuciB

Comments:
  • I'm not using RESOURCE_PATH_MATCH. I have removed it. – WhatAKitty Aug 26 '16 at 15:29
  • You use ".antMatchers("/api/**").fullyAuthenticated();". In this case it will require a "LOG IN" for all actions under /api/.... If you don't want the "log in" form for "http://127.0.0.1/api/hellos", you must use only /api/ without the stars. – kuciB Aug 26 '16 at 15:39
  • You may have misunderstood. My project exposes two different parts, a JSF admin panel and a RESTful service. I am trying to set up Spring Security to use different authentication methods depending on the URL the user navigates to. – WhatAKitty Aug 26 '16 at 15:58
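The question's configuration and the comment thread both turn on how Spring Security picks a filter chain when several WebSecurityConfigurerAdapters exist: the chains are sorted by @Order and each request is handed to the first chain whose request matcher accepts it; a chain that never calls antMatcher() or requestMatchers() accepts every request, so any chain ordered after it is never consulted. Two further facts matter for the "without stars" suggestion in the answer: antMatchers("/api/") matches only that literal path (no wildcard, no sub-paths), and permitAll() on "/api/**" in a chain that wins for every URL leaves the API reachable without any token check at all. The example below is added here and is not the asker's code or the answer's code. It uses the same legacy spring-security-oauth2 stack as the question, assumes a TokenStore bean is provided elsewhere (as in the question's authorization server config), and the class names SplitChainSecurityConfig, ApiResourceServerConfig and FormLoginConfig are hypothetical. It scopes the bearer-token chain to /api/** so that form login never sees API requests, and keeps CSRF protection on for the session-based chain.

```java
package example.security; // hypothetical package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

/**
 * Two filter chains, each scoped by a request matcher. Spring Security walks the
 * chains in @Order and hands a request to the FIRST chain whose matcher accepts it.
 * A chain with no matcher accepts every request, so anything ordered after it is
 * never consulted; scoping the API chain to /api/** and ordering it first is what
 * keeps bearer-token authentication and form login separate.
 */
@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    /**
     * Chain 1: bearer-token resource server for /api/** only.
     * @EnableResourceServer registers this chain at order 3 by default, ahead of the
     * form chain below (a plain WebSecurityConfigurerAdapter defaults to order 100).
     */
    @Configuration
    @EnableResourceServer
    public static class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore; // assumed: provided by the authorization server config

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.stateless(true).tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // Scope this whole chain to the API: URLs outside /api/** are declined here
                // and fall through to the next chain instead of being handled by it.
                .requestMatchers().antMatchers("/api/**")
                .and()
                // No HTTP session for the API. A missing or invalid token is answered by the
                // resource server's own entry point with 401 + WWW-Authenticate: Bearer,
                // never with a redirect to /login.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // Bearer tokens are sent in a header, not a cookie, so CSRF does not apply here.
                .csrf().disable()
                .authorizeRequests()
                    // Every API call needs a valid token; nothing under /api/** is permitAll.
                    .antMatchers("/api/**").authenticated();
        }
    }

    /**
     * Chain 2: session-based form login for the browser-facing pages.
     * No requestMatchers() call, so this chain catches everything the API chain declined.
     * CSRF protection stays enabled because this chain relies on a session cookie.
     */
    @Configuration
    public static class FormLoginConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/index.html", "/index.css", "/common.js", "/index.js").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .exceptionHandling().accessDeniedPage("/error/403");
        }
    }
}
```

With these two chains, an unauthenticated GET /api/hellos gets a 401 with a Bearer challenge (the token check ran and failed), while an unauthenticated GET / is redirected to /login as before. A quick way to verify the split on a running application is to request /api/hellos without any Authorization header and confirm the response is 401 rather than a 302 to /login; a 302 means the form chain is still winning for that URL.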