I am really new to OAuth2 and trying to build one server in roles auth.server for authorizing users and one keeping a protected resource...
I've got issues to secure with the ResourceServerConfigurerAdapter. It seems like he is ignoring all it's roles fetching form userInfoUrl...
so here the code:
AuthServer
@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {
@RequestMapping("/user")
public Principal user(Principal user) {
return user;
}
public static void main(String[] args) {
SpringApplication.run(Oa2AuthServerApplication.class, args);
}
}
__
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password("admin")
.roles("ADMIN", "USER")
.and()
.withUser("user")
.password("user")
.roles("USER");
}
}
__
@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("default")
.secret("kx")
.scopes("AUTH", "TRUST")
.autoApprove(true)
.authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
.authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
}
}
ResourceServer
@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {
@RequestMapping("/")
public String greet() {
return UUID.randomUUID().toString() + "\r\n";
}
@RequestMapping("/forAdmin")
public String admin() {
return "hi admin!";
}
public static void main(String[] args) {
SpringApplication.run(Oa2ResourceServerApplication.class, args);
}
}
So getting token from authserver + calling "localhost:9091/" and "/forAdmin" works with this token.
But when I do this:
public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/forAdmin").hasRole("USER");
}
I get access denied....
to be sure, the roles are reaching the resource server, i have changed the geet() from above to
@RequestMapping("/")
public String greet(Principal user) {
if (user instanceof OAuth2Authentication) {
log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
}
return UUID.randomUUID().toString() + "\r\n";
}
and the console shows
d.k.auth.Oa2ResourceServerApplication : having roles: [{authority=ROLE_USER}]
So when "Principal" is the currently authenticated user, I assume there is a bug with the resourceserverer configurer....or I am doing something fatally wrong...
or both....I don't know
does anybody can help me in this problem?
So JWT is necessary, without it does not work.
I solved it with the combination:
@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")
You can find a sample of a protected Resource here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With