I am building rest web services with Spring Boot. Authentication is implemented using Spring Security and OAuth2. Users are authenticated against LDAP server. Here is my websecurityconfig
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(
SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/ristore/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(new SimpleUrlAuthenticationFailureHandler());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public RestAuthenticationSuccessHandler mySuccessHandler(){
return new RestAuthenticationSuccessHandler();
}
@Bean
public SimpleUrlAuthenticationFailureHandler myFailureHandler(){
return new SimpleUrlAuthenticationFailureHandler();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource contextSource = getSource();
auth
.ldapAuthentication()
.userDnPatterns("cn={0},ou=institution,ou=people")
.groupSearchBase("ou=groups")
.contextSource(contextSource);
}
}
Additional config is done in authserverconfig including clientdetailservice.
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new InMemoryTokenStore())
.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("ristoreclient")
.scopes("read")
.authorizedGrantTypes("password", "refresh_token", "client_credentials")
.secret("ristoresecret")
.accessTokenValiditySeconds(60);
}
}
It works for initial login. However when I try to get a new access token with refresh token when the old expires, I got the error "UserDetailsService is required". After searching for answers online, I found this post with similar problem: spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration. Basically the solution there was to create a custom LdapUserDetailsService. Thing is it was set up in xml config instead of java. Besides, it is not clear how and where this class is injected. In this other case, userdetailservice instance is added in auth server endpoint config instead. This article does not provide the implementation of this class.
The idea of having a userdetailservice, in my opinion, is to look up and see if this user is still active before issuing a new access token. What is contradictory is that the request of getting a refresh_token for oauth2 only consists of the following information which does not include username/password.
client_id=clientid
client_secret=clientsecret
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
OAuth2 for a Spring REST uses Zuul proxy as a middle layer between front end and web api to handle refresh token which makes the configuration more complex. How should I implement a userdetailsservice for oauth2 in Spring Boot and where should I inject it?
