I'm trying to secure a REST API with the authorization code flow, and I don't understand why I'm getting this message:

User must be authenticated with Spring Security before authorization can be completed.

I have a web part of the application with user and admin access, and a REST API part with 2 different grants: authorization code on /api/** and client_credentials on /oauth2/**.

The client_credentials flow works, the authorization code flow does not...

So, the authorization server configuration:
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        // The AuthenticationManager exposed as a bean by SecurityConfiguration below
        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authManager;

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // Clients are read from the oauth_client_details table
            clients.jdbc(dataSource);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore()).authenticationManager(authManager);
        }

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }
    }
This is the resource server configuration:
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

    @Configuration
    @EnableResourceServer
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // This filter chain only applies to /api/** and /oauth2/**;
            // everything else falls through to SecurityConfiguration
            http
                .requestMatchers()
                    .antMatchers("/api/**")
                    .antMatchers("/oauth2/**")
                .and().authorizeRequests()
                    .antMatchers("/api/**").access("hasRole('USER')")
                    .antMatchers("/oauth2/**").authenticated()
                .and().httpBasic();
        }

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore());
        }
    }
And finally, the general security:
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
    import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    // CustomSuccessHandler, CustomAuthenticationFailureHandler and the
    // "customUserDetailsService" bean are the application's own classes (same package).
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        @Qualifier("customUserDetailsService")
        UserDetailsService userDetailsService;

        @Autowired
        CustomSuccessHandler customSuccessHandler;

        @Autowired
        CustomAuthenticationFailureHandler customAuthenticationFailureHandler;

        @Autowired
        DataSource dataSource;

        @Autowired
        public void configureGlobalService(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/", "/registration", "/registrationConfirm", "/resendRegistrationToken")
                    .permitAll()
                .antMatchers("/edit/**", "/payment/**", "/plate/**", "/book/**", "/home", "/stop/**",
                             "/notification/**", "/include/**")
                    .access("hasRole('USER') or hasRole('ADMIN') or hasRole('PARK')")
                .antMatchers("/admin/**")
                    .access("hasRole('ADMIN') or hasRole('PARK')")
                .antMatchers("/updatePassword")
                    .hasAuthority("CHANGE_PASSWORD_PRIVILEGE")
                .and().formLogin().loginPage("/")
                    .successHandler(customSuccessHandler).failureHandler(customAuthenticationFailureHandler)
                    .usernameParameter("email").passwordParameter("password")
                .and().rememberMe()
                    .rememberMeParameter("remember-me").tokenRepository(persistentTokenRepository())
                    .tokenValiditySeconds(86400)
                .and().exceptionHandling().accessDeniedPage("/access_denied")
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/?logout=true").invalidateHttpSession(false).deleteCookies("JSESSIONID");
            http.csrf().disable();
        }

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        public PersistentTokenRepository persistentTokenRepository() {
            JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
            db.setDataSource(dataSource);
            return db;
        }
    }
The user in the oauth_client_details table has the ROLE_USER authority, with client_id and client_secret test/test.

This is how I'm requesting the token in Postman:

But I'm getting this exception:

    ERROR i.b.e.e.RestResponseEntityExceptionHandler[66] - 500 Status Code org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.

EDIT: this is what I see when I push the Request Token button.

EDIT: inspecting the logs, I found that in the security filter chain there is no sign of an OAuth2 filter... when making the request for the authorization code I see:
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[325] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback&response_type=code at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2017-04-07 22:50:34 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy[310] - /oauth/authorize?client_id=test&scope=&state=7220832&redirect_uri=https%3A%2F%2Fwww.getpostman
The problem is this code part inside SecurityConfiguration:

    .and().formLogin().loginPage("/")

Spring is not detecting the login page, and so it cannot redirect to authenticate the user.

The solution is to change it to:

    .and().formLogin()

You will use Spring's default login page, and the authorization code flow should work. After it works, you need to debug why the login page at '/' is not being detected.

EDIT:

The real problem is the RestResponseEntityExceptionHandler.class, a @ControllerAdvice annotated class that is messing with the redirection issued in ExceptionTranslationFilter, because it is catching the exception and throwing it to the front-end without allowing ExceptionTranslationFilter to issue the redirection to the login page. Removing the use of RestResponseEntityExceptionHandler.class solves the issue, and the auth code flow works correctly.
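A way to keep a REST error handler without it swallowing Spring Security's redirect, as an added example (this is not the question's or answer's code): a @RestControllerAdvice that is scoped to the application's own API controllers, so it never applies to the /oauth/authorize framework endpoint, and that re-throws AuthenticationException and AccessDeniedException so ExceptionTranslationFilter still receives them. The package com.example.api and the ApiError payload are assumptions.

```java
package com.example.api;   // assumption: the package holding the REST controllers

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Added example, not the question's original RestResponseEntityExceptionHandler.
// Two changes relative to a catch-all @ControllerAdvice:
//  1. basePackages limits the advice to the application's REST controllers, so it
//     does not apply to the AuthorizationEndpoint behind /oauth/authorize.
//  2. Spring Security's exceptions are re-thrown instead of being turned into a 500.
//     An @ExceptionHandler that throws the same exception leaves it unresolved, so
//     DispatcherServlet propagates it to ExceptionTranslationFilter, which redirects a
//     browser to the login page (or answers 401/403 for an API entry point).
@RestControllerAdvice(basePackages = "com.example.api")
public class RestResponseEntityExceptionHandler {

    // InsufficientAuthenticationException is an AuthenticationException, so the
    // "User must be authenticated" case from the question goes through here.
    @ExceptionHandler({AuthenticationException.class, AccessDeniedException.class})
    public void passSecurityExceptionsToFilterChain(RuntimeException ex) {
        throw ex;
    }

    // Everything else becomes a generic JSON error for API clients.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<ApiError> handleUnexpected(Exception ex) {
        // Do not echo the exception message or stack trace to the client.
        ApiError body = new ApiError(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Unexpected error");
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(body);
    }

    // Minimal error payload; its shape is an assumption for this example.
    public static class ApiError {
        private final int status;
        private final String message;

        public ApiError(int status, String message) {
            this.status = status;
            this.message = message;
        }

        public int getStatus() { return status; }
        public String getMessage() { return message; }
    }
}
```

Spring MVC picks the most specific @ExceptionHandler by exception type, so the security exceptions never reach the Exception.class handler. With the advice scoped by basePackages the first handler is only exercised for /api/** controllers, where a failed @PreAuthorize check still needs to reach the filter chain to produce a 403 instead of a 500.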