36

I'm trying to integrate Spring OAuth2 into Spring MVC REST. In most of the Spring OAuth2 examples, there is only ResourceServerConfigurerAdapter, and some of them have WebSecurityConfigurerAdapter as well. I'm not going to integrate OAuth with Google, Facebook, etc. I'm trying to provide token-based authentication for Spring MVC REST, which is currently based on Basic Authentication. Can someone explain to me what is required and what is not, or point me to a good resource to understand the Spring MVC REST + OAuth integration in a single server?

Currently my POC works without WebSecurityConfigurerAdapter, but with ResourceServerConfigurerAdapter along with AuthorizationServerConfigurerAdapter. It looks like ResourceServerConfigurerAdapter is enough. Now I'm not sure what I should do with my existing WebSecurityConfigurerAdapter, which is working perfectly in my Spring MVC REST application.

sura2k

1 Answer

21

Here is a good answer: https://stackoverflow.com/a/28604260. It looks like WebSecurityConfigurerAdapter is an order inferior to the ResourceServerConfigurerAdapter.

I have a WebSecurityConfigurerAdapter and a ResourceServerConfigurerAdapter, but the endpoint security configuration is in the ResourceServerConfigurerAdapter under:

```java
public void configure(HttpSecurity http) throws Exception {
```

I also have the following configuration:

```yaml
security:
    oauth2:
        resource:
            filter-order: 3
```

Otherwise the endpoint security configuration is ignored (I don't know why).

james.garriss
Florian Courtial
  • 1
    this worked for me too. with this, I don't need a `WebSecurityConfigurerAdapter` at all -- `ResourceServerConfigurerAdapter` does everything. I observed the filter chain with `logging.level.org.springframework.security: DEBUG`, across 3 tests. 1. "Resource* only" 2. "Resource* and Web*" 3. "Resource* and Web* and `filter-order`". In cases 1 and 3: the filter chain was 12-long, and included a `OAuth2AuthenticationProcessingFilter`, which conferred bearer auth (as desired). but in case 2: the filter chain was 14-long, excluded `OAuth*Filter`, and instead filters such as `User*Password*Filter`. – Birchlabs Sep 27 '17 at 17:40
  • If you found any solution for this, please let me know, I am having the same issue. Here is my question: https://stackoverflow.com/questions/47627226/basic-auth-oauth-implementation-in-spring-boot – Dev Sabby Dec 04 '17 at 14:07
  • I think it is a good answer; however, being a newbie in OAuth, I came to this answer and I took _'... it looks like WebSecurityConfigurerAdapter is an order inferior to the ResourceServerConfigurerAdapter'_ as if ResourceServerConfigurerAdapter could be processed before WebSecurityConfigurerAdapter. Just to clarify, WebSecurityConfigurerAdapter seems to have a **higher precedence** over ResourceServerConfigurerAdapter – kavrosis Mar 06 '18 at 00:30
  • As you can define the order using @Order, using the order keyword was on purpose. Still your comment makes sense. – Florian Courtial Mar 06 '18 at 11:10
  • For the last two days I have been trying to find an issue with CORS. Then I figured out that implementing both allows cross-origin requests. I think it is related to @nuvio's answer: https://stackoverflow.com/questions/45980267/resourceserverconfigureradapter-vs-websecurityconfigureradapter – Ravi Parekh May 31 '20 at 21:02
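
The two adapters from the answer above, side by side, as an added example (not code from the question, the answer or its comments). It assumes the legacy Spring Security OAuth2 module with the `filter-order: 3` setting from the answer in place; the class names, the `/api/**` path prefix and the `read` scope are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

public class SecurityConfig {

    // Bearer-token chain. A lower order value is consulted first, so with
    // filter-order 3 this chain is checked before a WebSecurityConfigurerAdapter
    // left at its default @Order(100).
    @Configuration
    @EnableResourceServer
    public static class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // Assumed prefix: claim only the REST API, so requests outside
                // it fall through to the next filter chain.
                .antMatcher("/api/**")
                .authorizeRequests()
                    // Assumed scope name; the #oauth2 expressions are available
                    // inside a resource server configuration.
                    .antMatchers("/api/**").access("#oauth2.hasScope('read')")
                    .anyRequest().authenticated();
        }
    }

    // Existing Basic Authentication chain. It matches any request, but it is
    // consulted only for requests the resource server chain did not claim.
    @Configuration
    @EnableWebSecurity
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }
}
```

Setting `logging.level.org.springframework.security: DEBUG`, as in the first comment, shows which chain handled a given request and whether `OAuth2AuthenticationProcessingFilter` is in it.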