0

I have a WebApp consisting of 2 parts. One is with a frontend (Vaadin) where i want the user to be Logged-In via OAuth2. I then Check whether the user has a certain Role or not. --> If user opens the URL he shall be redirected to the OAuthLogin automatically. --> This is working with the @EnableOAuthSso.

Second Part is the REST-API of the Application, which is found by anything under /api/*. fE. /api/devices should give me a list if the Get-Request has a valid Bearer-Token. If the GET Request has no Bearer-Token or a wrong Role (Authority) if want to get a 403.

Now this is my configuration: 

@Configuration
@EnableOAuth2Sso
public class ProdWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static final String ADMIN_ROLE= "role.global.admin";
    private static final String READ_API_ROLE= "role.base.read.api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                .antMatchers("/login**", "/error**").permitAll()

                .antMatchers("/*").hasAuthority(ADMIN_ROLE)
                .antMatchers("/api/**").hasAnyAuthority(ADMIN_ROLE, READ_API_ROLE)
                .and().logout().permitAll().logoutSuccessUrl(rootAuthUri + "/connect/endsession")
        ;
    }

Now when opening for example /manageDevices in the Browser i get forced to be logged in via Auth-Code-Flow and everything works like as expected.

When i try to open /api/devices i also get forced to be logged in via Oauth. Even when i do send Http-Header with Authentication: Bearer xxxxx. Somehow it always forces me to the Login-Screen from my OAuth login.

application.properties these lines are defined:

base.rootauthuri=https://oauth2.mypage.ch
security.oauth2.client.clientId=client.base.parameters
security.oauth2.client.clientSecret=secret
security.oauth2.client.accessTokenUri=${base.rootauthuri}/connect/token
security.oauth2.client.userAuthorizationUri=${base.rootauthuri}/connect/authorize
security.oauth2.client.scope=openid,scope.base.parameters,role,offline_access
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.resource.userInfoUri=${base.rootauthuri}/connect/userinfo

How can i force everything under /api/* to not redirect to the AuthenticationForm but respond with 403 if no Bearer Token is sent. How can i make it to Check whether the Bearer-Token has Role "READ_API_ROLE" also.

DWLabcube
  • 11
  • 1

1 Answers1

0

I had the same question with SSO, I configured a ResourceServe for that: 

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private ResourceServerConfiguration configuration;

    @PostConstruct
    public void setSecurityConfigurerOrder() {
        configuration.setOrder(3);
    }

    @Bean("resourceServerRequestMatcher")
    public RequestMatcher resources() {
        return new AntPathRequestMatcher("/api/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
        .requestMatchers().antMatchers("/v1/**") // this is free resource
        .and().authorizeRequests()
        .antMatchers("/api/**").permitAll() // This is free resource for mvc calls
        // Usado para paths que necessitam de token bearer
        .and().requestMatchers().antMatchers("/integration/**")
        .and().authorizeRequests()
        .antMatchers("/integration/**").authenticated(); // this is protected resource, it's necessary token
    }
}

I not configure WebSecurityConfigurerAdapter in my project;

Check this:

Spring Boot 1.3.3 @EnableResourceServer and @EnableOAuth2Sso at the same time

https://www.baeldung.com/spring-security-oauth2-enable-resource-server-vs-enable-oauth2-sso

João Junior
  • 89
  • 6