Spring OAuth Filter Chain & Java Config

I'm trying to add in spring-security-oauth to an existing app with spring-security. I'm using Java config.

I have an existing amended filter chain in place (with some custom filters added in), but requests to '/oauth/token' aren't using it; they are using the 'default' filter chain. How can I get access to the filter chain that's securing the OAuth endpoints so that I can use the custom filters there also, or can I wire the OAuth endpoint(s) into the existing setup?

martin samm asked Aug 11 '15 18:08



2 Answers

There is indeed a slightly smoother way using the interface AuthorizationServerConfigurer. You can stick to the annotation @EnableAuthorizationServer and implement the above interface in your configuration file. This will enable you to alter the oauth2 filter chain by doing something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableWebSecurity
@EnableAuthorizationServer
public class SecurityConfig extends WebSecurityConfigurerAdapter
        implements AuthorizationServerConfigurer {
    // some configuration ...
    // (AuthorizationServerConfigurer also declares configure(ClientDetailsServiceConfigurer)
    // and configure(AuthorizationServerEndpointsConfigurer); both must be implemented as well)

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthSecurity) throws Exception {
        // the filter is placed in the OAuth2 endpoint chain, before BasicAuthenticationFilter
        oauthSecurity.addTokenEndpointAuthenticationFilter(new YourFilter());
    }

    // more configuration ...
}

In contrast to the addFilterXYZ methods of HttpSecurity, you have no fine-grained influence here on where the filter will be positioned in the filter chain. Any filter added by addTokenEndpointAuthenticationFilter will be inserted before the BasicAuthenticationFilter.

If you need to control the position of your filter in a more detailed way, you could create a bean extending AuthorizationServerConfigurerAdapter instead of using the annotation @EnableAuthorizationServer. I did not try that, but I guess you could then extend AuthorizationServerSecurityConfiguration like systemfreund suggested without having to specify @Order(-1), because only your custom configuration gets imported. Probably you would also have to @Import AuthorizationServerEndpointsConfiguration like it is done in the convenience annotation @EnableAuthorizationServer.

Fencer answered Oct 09 '22 04:10


It's probably not the best way to do it, but I did not manage to find a better approach. The idea is to provide a custom AuthorizationServerSecurityConfiguration instance and override the default instance which is @Imported via @EnableAuthorizationServer. We just need to make sure to add an @Order annotation with higher precedence than the default configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@EnableAuthorizationServer
@Import(CustomSecurityConfig.class)
public class Application {
}

@Configuration
@Order(-1) // higher precedence than the default AuthorizationServerSecurityConfiguration
public class CustomSecurityConfig extends AuthorizationServerSecurityConfiguration {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // do the default configuration first

        http
            // second argument: the class of the existing filter that MyFilter should run before
            .addFilterBefore(new MyFilter(), ...);
    }

}
systemfreund answered Oct 09 '22 05:10
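Both answers above leave the custom filter and the rest of the authorization-server configuration as placeholders. The following is an added example, written for this page and not taken from the question or either answer, that fills them in for both wiring styles: a hypothetical TokenEndpointAuditFilter that writes one audit line per token request (useful for spotting failed or unusual client activity without ever logging a secret), the first answer's combined WebSecurityConfigurerAdapter/AuthorizationServerConfigurer class with all three configure methods, and the second answer's @Order(-1) subclass of AuthorizationServerSecurityConfiguration that places the same filter precisely before BasicAuthenticationFilter. It assumes Spring Security OAuth 2.x on the javax.servlet API and SLF4J for logging; the class names, the in-memory client "example-client"/"example-secret" and the access expressions are constructed for the example.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical custom filter: one audit line per token request (client id, grant type, caller
// address, whether TLS was used). It never reads client_secret or a password-grant password.
class TokenEndpointAuditFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(TokenEndpointAuditFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // client_id is only a form parameter for form-based client auth; null under HTTP Basic
        log.info("token request: client_id={} grant_type={} remote={} secure={}",
                request.getParameter("client_id"), request.getParameter("grant_type"),
                request.getRemoteAddr(), request.isSecure());
        chain.doFilter(request, response);
    }
}

// Wiring from the first answer: the web-security adapter also implements AuthorizationServerConfigurer,
// and the filter is handed to the OAuth2 chain through addTokenEndpointAuthenticationFilter.
@Configuration
@EnableWebSecurity
@EnableAuthorizationServer
public class OAuthFilterChainExample extends WebSecurityConfigurerAdapter
        implements AuthorizationServerConfigurer {

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthSecurity) throws Exception {
        oauthSecurity
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            // inserted before BasicAuthenticationFilter; this API offers no finer placement
            .addTokenEndpointAuthenticationFilter(new TokenEndpointAuditFilter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // constructed sample client; a real deployment keeps clients outside the code with hashed secrets
        clients.inMemory()
            .withClient("example-client")
            .secret("example-secret")   // Spring Security 5 expects a PasswordEncoder-prefixed value here
            .authorizedGrantTypes("client_credentials")
            .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManagerBean());
    }
}

// Wiring from the second answer, for exact placement: replace the imported
// AuthorizationServerSecurityConfiguration and position the filter with addFilterBefore.
// Use either this class or OAuthFilterChainExample in one application, not both.
@Configuration
@Order(-1)
class PositionedOAuthSecurityConfig extends AuthorizationServerSecurityConfiguration {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // default protection of /oauth/token, /oauth/token_key, /oauth/check_token
        http.addFilterBefore(new TokenEndpointAuditFilter(), BasicAuthenticationFilter.class);
    }
}
```

The audit filter deliberately sits in the OAuth2 chain rather than the application's main chain, which is exactly the question's problem: filters registered on the main HttpSecurity never see /oauth/token, because @EnableAuthorizationServer builds a separate, higher-ordered chain for the OAuth endpoints. The first style is enough when "somewhere before client authentication" is acceptable; the second is the one to use when the filter has to run at a specific point relative to other filters in that chain.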