2

Using Spring Boot 1.5.2.RELEASE and Java 8

I'm trying to understand what goes in the public void configure(HttpSecurity http) method of WebSecurityConfigurerAdapter and of ResourceServerConfigurerAdapter.

With the following code, the configure(HttpSecurity http) method of ResourceServerConfigurerAdapter is taking precedence over WebSecurityConfigurerAdapter. All the changes I'm making in ResourceServerConfiguration are taking effect; it appears that WebSecurityConfigurerAdapter is ignored completely.

When do we use these methods (use case)? And is an override of the WebSecurityConfigurerAdapter.configure(..) method even required for grant type password?

Using security.oauth2.resource.filter-order = 3. Without this property I keep getting 403 Access Denied.

The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1

WebSecurityConfiguration

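import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Authorization rules for the WebSecurityConfigurerAdapter filter chain.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/unsecured").permitAll()
                .antMatchers("/users").hasRole("USER")
                .antMatchers("/api/secured").hasRole("ADMIN")
                .antMatchers("/api/admin").authenticated()
                .antMatchers("/greeting").authenticated();
    }
}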

Resource Server

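import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Nested class in the original application, hence "protected static".
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
        ResourceServerConfigurerAdapter {

    // Authorization rules for the resource-server filter chain:
    // every request handled by this chain is permitted.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}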
Vijay Nandwana

1 Answer

0

I think you have the answer here; please check out the solution given in "Spring Security OAuth2, which decides security?"

Community
Sampath
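The precedence described in the question can be kept from shadowing the second adapter by giving the resource-server chain an explicit request matcher, so that each `configure(HttpSecurity)` governs its own part of the URL space. The following is an added example, not code from either post; the class names and the `/api/**` split are assumptions, and it presumes `security.oauth2.resource.filter-order = 3` as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Hypothetical wrapper class; the nested names are illustrative only.
@Configuration
public class ScopedSecurityConfig {

    // Consulted first when filter-order = 3 (assumed, as in the question).
    @Configuration
    @EnableResourceServer
    protected static class ApiResourceServer extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // Claim only /api/** for the token-based chain (assumed split);
                // requests to any other path fall through to the next chain.
                .requestMatchers()
                    .antMatchers("/api/**")
                .and()
                .authorizeRequests()
                    .antMatchers("/api/secured").hasRole("ADMIN")
                    // Deny by default inside the API instead of permitAll().
                    .anyRequest().authenticated();
        }
    }

    // Default order of a WebSecurityConfigurerAdapter is 100, so this chain
    // only sees requests the resource-server chain did not claim.
    @Configuration
    protected static class BrowserSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // CSRF protection is left at its default (enabled) here.
                .authorizeRequests()
                    .antMatchers("/unsecured").permitAll()
                    .antMatchers("/users").hasRole("USER")
                    .antMatchers("/greeting").authenticated()
                    // Anything not listed above still requires authentication.
                    .anyRequest().authenticated();
        }
    }
}
```

Rules for a path must live in the chain that claims it: an `/api/...` matcher placed in the second adapter would never be evaluated, which is the "ignored completely" symptom from the question.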