Spring: Using Oauth2 and HttpBasicAuth together

Question

I'm using Spring Boot 2.0.0

For securing my REST API i'm using Oauth2 with JWT, which works perfectly fine.

The problem is:

I'm also using Springfox Swagger which should be secured by BasicAuth. So that the user is challenged if he points his browser to /swagger-ui.html Therefore i got two configuration files:

SecurityConfig

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(web: WebSecurity) {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**")
    }

    @Throws(Exception::class)
    override fun configure(auth: AuthenticationManagerBuilder) {
        auth.inMemoryAuthentication()
                //user: "user", password: "Passw0rd!"
                .withUser("user")
                .password("\$2a\$04\$DDYoNw1VAYt64.zU.NsUpOdvjZ3OVrGXJAyARkraaS00h322eL2iy")
                .roles("ADMIN")
    }
}

ResourceServerConfig

@Configuration
@EnableResourceServer
class ResourceServerConfig : ResourceServerConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        super.configure(http)
        http.httpBasic().and().cors().and().csrf().disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .antMatcher("/swagger-ui.html**")
                .authorizeRequests().anyRequest().hasRole("ADMIN")

    }
}

I think the OAuth2AuthorizationServerConfig is not needed here.

The shown configuration (of course) doesn't work, so the question is: Is it possible to mix BasicAuth and Oauth2?

score 1 · Accepted Answer · answered Apr 05 '18 at 12:49

Ok, i more or less found an answer to my question:

SecurityConfig

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(auth: AuthenticationManagerBuilder) {
        auth.inMemoryAuthentication()
                //user: "user", password: "Passw0rd!"
                .withUser("user")
                .password("...")
                .roles("ADMIN")
    }

    override fun configure(http: HttpSecurity) {
        http.csrf()
                .and()
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(
                        "/swagger-ui.html**").hasRole("ADMIN")
                .antMatchers(
                        "/v2/api-docs",
                        "/swagger-resources/**",
                        "/configuration/security", "/webjars/**"
                ).permitAll()
    }
}

ResourceServerConfig

@Configuration
@EnableResourceServer
class ResourceServerConfig : ResourceServerConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.cors().and()
                .antMatcher("/api")
                .authorizeRequests().antMatchers("/api/**").authenticated()
    }
}

I'm using antMatcher in the ResourceServerConfig to protect only the /api/** paths with oauth2.

The BasicAuth part happens in SecurityConfig. The current solution only applies the BasicAuth only to the /swagger-ui.html endpoint. The other swagger resources are public visible.

Does anyone know a way to also protect /v2/api-docs?

score 0 · Answer 2 · answered Jun 20 '18 at 13:03

0

It's all about matching security configurations onto different application context paths. See my answer at Run a Spring Boot oAuth2 application as resource server AND serving web content - I hope this helps.

answered Jun 20 '18 at 13:03

Bernd

370
4
16

Spring: Using Oauth2 and HttpBasicAuth together

2 Answers2