Spring OAuth @EnableResourceServer preventing login page from OAuth server

Question

Browser Response for localhost:9999/uaa/oauth/authorize?response_type=code&client_id=acme&redirect_uri=http://example.com is 302 Found,
but response for localhost:9999/uaa/login is 401 Unauthorized.

I could get the login token prior to adding the @EnableResourceServer. I am using Spring boot and extending WebSecurityConfigurerAdapter to use authentication Manager with data source. When I tried to add a ResourceServerConfigurerAdapter it wouldn't build. What is the easiest way to allow the login page?

@SpringBootApplication
@RestController
@EnableResourceServer
public class OAuthSvcApplication extends WebMvcConfigurerAdapter {

private static final Logger log = LoggerFactory.getLogger(OAuthSvcApplication.class);

   @RequestMapping("/user")
   public Principal user(Principal user) {
    return user;
   }
   public static void main(String[] args) {
      SpringApplication.run(OAuthSvcApplication.class, args);
   }

}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {


@Autowired
public void configureAuth(AuthenticationManagerBuilder auth,DataSource dataSource, Environment env)
        throws Exception {

    auth.jdbcAuthentication().dataSource(dataSource);
}


@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }


    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
            security.checkTokenAccess("hasAuthority('USER')");
        }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code",
                        "refresh_token", "password").scopes("openid");
        }

    }
}

Answer 1

SpringSecurityFilterChain should always be ordered before other filters. If you want to add your own authentication for all or some endpoints the best thing to do is add your own WebSecurityConfigurerAdapter with lower order. Modifying the WebSecurityConfigurerAdapter subclass as follows allows the ResourceServer to work with a jdbc authentication mgr:

@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;


    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager).jdbcAuthentication().dataSource(dataSource);

    }

}