
I am implementing Spring Security using OAuth following these: websystique, baeldung. What I found is that WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter both provide control over HttpSecurity, and the filter chain adds them at order 0 and 3 respectively.

So I am overriding configure of either of the above ConfigurerAdapters, but only one at a time.

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().disable()
        .anonymous().disable()
        .requestMatchers().antMatchers("/api/**").and()
        .authorizeRequests()
            .antMatchers("/api/ads").permitAll()
            .antMatchers("/api/admin").hasAuthority(RoleConstant.ADMIN.getRole())
            .antMatchers("/api/user").hasAuthority(RoleConstant.USER.getRole())
            .anyRequest().authenticated()
        .and()
        .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}

What I observe in the case of WebSecurityConfigurerAdapter is that I am able to access unauthorized resources, i.e. I am able to access /api/user after being authenticated even with a token having authority ADMIN. Why so?

Note: I am not overriding HttpSecurity of ResourceServerConfigurerAdapter.

References: there are similar resources available here: Resource1, Resource2.

Also I want to know: must I override both configure(HttpSecurity http) methods, or is either class sufficient? If so, which one is recommended?


ResourceServer:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {

         http
         .csrf().disable()
         .anonymous().disable()
         .requestMatchers().antMatchers("/api/**").and()
         .authorizeRequests()
            .antMatchers("/api/ads").permitAll()
            .antMatchers("/api/admin").hasAuthority(RoleConstant.ADMIN.getRole())
            .antMatchers("/api/user").hasAuthority(RoleConstant.USER.getRole())
            .antMatchers("/api/readProperty").access("hasRole('ADMIN')")
            .anyRequest().authenticated()
         .and()
         .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

SpringSecurityConfig:

@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = {"com.ttnd.mvc_mod.services","com.ttnd.mvc_mod.repository","com.ttnd.mvc_mod.config","com.ttnd.mvc_mod.custom"})
@Import({SpringORMHibernateSupportConfig.class})
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private CustomAuthenticationProvider authProvider;

   /* @Override
    protected void configure(HttpSecurity http) throws Exception {
         http
         .csrf().disable()
         .anonymous().disable()
         .requestMatchers().antMatchers("/**").and()
         .authorizeRequests()
            .antMatchers("/oauth/token","/api/ads").permitAll()
            .antMatchers("/api/admin").hasAuthority(RoleConstant.ADMIN.getRole())
            .antMatchers("/api/user").hasAuthority(RoleConstant.USER.getRole())
            .antMatchers("/api/readProperty").access("hasRole('ADMIN')")
         .and()
         .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());//.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint);

    }
    */

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //auth.userDetailsService(customUserDetailsService);
        auth.authenticationProvider(authProvider);

    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }

}
TheCurious
  • It seems that you are using Spring Boot (add the tag to your question), but which version do you use? If your `SpringSecurityConfig` class has order `0` (before `3`) it is applied for all your requests, so all authenticated users can access all URLs. – dur Dec 18 '17 at 09:45
  • Not using Boot, this is a Spring 4 app. So your concern is that either of both is sufficient: if the filter at order 0 is not authorizing, i.e. `config(HttpSecurity security)` is not overridden, the filter at order 3 will come into action, and vice versa. – TheCurious Dec 18 '17 at 17:00
  • Only the filter with the lowest order is applied. In your case it is `SpringSecurityConfig`, and that filter uses the default values (because you didn't override the `configure` method), which allow all authenticated users to access every URL. – dur Dec 18 '17 at 17:22
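One way to keep the two chains from overlapping, as dur's comments describe, is to scope the order-0 chain to non-API paths so that /api/** falls through to the resource server's chain at order 3. This is an added example, not code from the question; it assumes the non-API pages live under a hypothetical /web/** prefix and uses the literal authority strings "ADMIN" and "USER" in place of RoleConstant.

```java
// Added example: two separate files, shown together. The WebSecurityConfigurerAdapter
// (order 0) claims only /web/**, so it never authorizes /api/** with its defaults;
// the ResourceServerConfigurerAdapter (order 3) is the only chain that sees /api/**.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

// File 1: SpringSecurityConfig.java
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Hypothetical prefix: this chain handles only /web/**. A request to
            // /api/** does not match, so Spring Security tries the next chain.
            .requestMatchers().antMatchers("/web/**").and()
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}

// File 2: ResourceServerConfiguration.java
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .anonymous().disable()
            .requestMatchers().antMatchers("/api/**").and()
            .authorizeRequests()
                .antMatchers("/api/ads").permitAll()
                // Assumed authority strings; the question uses RoleConstant here.
                .antMatchers("/api/admin").hasAuthority("ADMIN")
                .antMatchers("/api/user").hasAuthority("USER")
                .anyRequest().authenticated()
            .and()
            .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}
```

Note that `hasRole('ADMIN')` checks for the granted authority `ROLE_ADMIN`, while `hasAuthority("ADMIN")` checks the literal string, so mixing the two as the posted ResourceServer does means /api/admin and /api/readProperty require different authorities unless RoleConstant already carries the `ROLE_` prefix.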

0 Answers