2

I want to implement Spring Security with OAuth2. I tried this security configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/users/authorize").permitAll()
            .antMatchers("/users/reset_request").permitAll()
            .antMatchers("/users/reset_token").permitAll()
            .antMatchers("/users/reset_password").permitAll()
            .antMatchers("/users/confirmation_token").permitAll()
            .antMatchers("/users/reset_user_password").permitAll()
            .anyRequest().authenticated()
            .and().formLogin().permitAll()
            .and().csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

Full code: Github

But I get always:

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}

I make a POST request to the authentication endpoint:

localhost:8080/engine/users/authorize

Response:

    01:57:19.237 [http-nio-8080-exec-5] DEBUG ExceptionTranslationFilter[sendStartAuthentication:211] - Calling Authentication entry point.
01:57:19.239 [http-nio-8080-exec-5] DEBUG HstsHeaderWriter[writeHeaders:169] - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@69e77584
01:57:19.251 [http-nio-8080-exec-5] DEBUG DefaultOAuth2ExceptionRenderer[writeWithMessageConverters:101] - Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4fe0c045]
01:57:19.252 [http-nio-8080-exec-5] DEBUG SecurityContextPersistenceFilter[doFilter:119] - SecurityContextHolder now cleared, as request processing completed
09:07:01.012 [PRODUCTION_HIKARICP_CONNECTION_POOL housekeeper] WARN  HikariPool[run:787] - PRODUCTION_HIKARICP_CONNECTION_POOL - Thread starvation or clock leap detected (housekeeper delta=6h6m24s237ms51╡s500ns).
09:07:02.931 [WAREHOUSE_HIKARICP_CONNECTION_POOL housekeeper] WARN  HikariPool[run:787] - WAREHOUSE_HIKARICP_CONNECTION_POOL - Thread starvation or clock leap detected (housekeeper delta=6h6m24s237ms408╡s400ns).
11:16:17.556 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/oauth/token']
11:16:27.735 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/oauth/token'
11:16:27.754 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/oauth/token_key']
11:16:27.754 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/oauth/token_key'
11:16:27.754 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/oauth/check_token']
11:16:27.754 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/oauth/check_token'
11:16:27.754 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:72] - No matches found
11:16:27.756 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
11:16:27.757 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
11:16:27.758 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
11:16:27.770 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
11:16:27.771 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/logout', GET]
11:16:27.773 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET /logout'
11:16:27.773 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/logout', POST]
11:16:27.773 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/logout'
11:16:27.773 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/logout', PUT]
11:16:27.774 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'PUT /logout'
11:16:27.774 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:65] - Trying to match using Ant [pattern='/logout', DELETE]
11:16:27.774 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'DELETE /logout'
11:16:27.774 [http-nio-8080-exec-7] DEBUG OrRequestMatcher[matches:72] - No matches found
11:16:27.774 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
11:16:27.775 [http-nio-8080-exec-7] DEBUG BearerTokenExtractor[extractToken:54] - Token not found in headers. Trying request parameters.
11:16:27.782 [http-nio-8080-exec-7] DEBUG BearerTokenExtractor[extractToken:57] - Token not found in request parameters.  Not an OAuth2 request.
11:16:27.783 [http-nio-8080-exec-7] DEBUG OAuth2AuthenticationProcessingFilter[doFilter:141] - No token in request, will continue chain.
11:16:27.783 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
11:16:27.783 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
11:16:27.784 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
11:16:27.787 [http-nio-8080-exec-7] DEBUG AnonymousAuthenticationFilter[doFilter:100] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@461b50c6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
11:16:27.788 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
11:16:27.789 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
11:16:27.789 [http-nio-8080-exec-7] DEBUG FilterChainProxy[doFilter:328] - /users/authorize at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
11:16:27.791 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/*'
11:16:27.799 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/v1/swagger.**'
11:16:27.800 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET /v2/api-docs'
11:16:27.800 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET /swagger-resources/**'
11:16:27.800 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET /swagger-ui.html**'
11:16:27.801 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET /webjars/**'
11:16:27.802 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:157] - Request 'POST /users/authorize' doesn't match 'GET favicon.ico'
11:16:27.802 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/v1/application.wadl'
11:16:27.803 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/v1/admin/**'
11:16:27.803 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/v1/dev/**'
11:16:27.803 [http-nio-8080-exec-7] DEBUG AntPathRequestMatcher[matches:177] - Checking match of request : '/users/authorize'; against '/v1/pages/**'
11:16:27.805 [http-nio-8080-exec-7] DEBUG FilterSecurityInterceptor[beforeInvocation:219] - Secure object: FilterInvocation: URL: /users/authorize; Attributes: [#oauth2.throwOnError(authenticated)]
11:16:27.805 [http-nio-8080-exec-7] DEBUG FilterSecurityInterceptor[authenticateIfRequired:348] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@461b50c6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
11:16:27.835 [http-nio-8080-exec-7] DEBUG AffirmativeBased[decide:66] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2938ceb8, returned: -1
11:16:27.842 [http-nio-8080-exec-7] DEBUG ExceptionTranslationFilter[handleSpringSecurityException:180] - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

For some reason this security configuration is not applied. Do you know how I can fix this issue?

Peter Penzov
  • 1,126
  • 134
  • 430
  • 808
  • You probably should show your dependencies and application.yml as that would affect what gets autoconfigured in a spring boot app. More information in your question would be helpful – sdoxsee Jun 29 '20 at 14:06
  • Here it is: https://github.com/rcbandit111/oauth2_jwt/blob/master/src/main/resources/application.yml – Peter Penzov Jun 29 '20 at 14:28
  • The project is hosted on Guhub. You should be able to browse it. – Peter Penzov Jun 29 '20 at 14:28

1 Answers1

1

You might have missed /engine in the endpoint. as follows

Add /engine in antMatchers with configure(HttpSecurity http)

Change

.antMatchers("/users/authorize").permitAll()

To

.antMatchers("/engine/users/authorize").permitAll()

configure(HttpSecurity http)

@Override
protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/engine/users/authorize").permitAll()
            .antMatchers("/engine/users/reset_request").permitAll()
            .antMatchers("/engine/users/reset_token").permitAll()
            .antMatchers("/engine/users/reset_password").permitAll()
            .antMatchers("/engine/users/confirmation_token").permitAll()
            .antMatchers("/engine/users/reset_user_password").permitAll()
            .anyRequest().authenticated()
            .and().formLogin().permitAll()
            .and().csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

with configure(WebSecurity web) method, You may completely avoid spring security filters with configure(WebSecurity web) method.

@Override
public void configure(WebSecurity web) throws Exception {
    web.
        ignoring()
            .antMatchers("/engine/users/authorize")
            .antMatchers("/engine/users/reset_request")
            .antMatchers("/engine/users/reset_token")
            .antMatchers("/engine/users/reset_password")
            .antMatchers("/engine/users/confirmation_token")
            .antMatchers("/engine/users/reset_user_password");
}

Note: If you use both configure(WebSecurity web) and configure(HttpSecurity http) then keep configure(WebSecurity web) above configure(HttpSecurity HTTP) as described here

@Override
public void configure(WebSecurity web) throws Exception {
    ...
}

@Override
protected void configure(HttpSecurity http) throws Exception {
     ...
}
Romil Patel
  • 12,879
  • 7
  • 47
  • 76
  • @PeterPenzov, Have you tried with `configure(WebSecurity web)`? – Romil Patel Jun 29 '20 at 15:06
  • 1
    Yes, that was the issue. Thanks! – Peter Penzov Jun 29 '20 at 15:36
  • One more question: Do you know how I can implement refresh token? – Peter Penzov Jun 29 '20 at 15:37
  • Yes, You may create two tokens (access token, refresh token) on successful authentication that will be added in the cookies and will be send on each request. An access token has less validity than a refresh token. If the access token has expired and refresh token is still valid you can assign a new token for the same request. – Romil Patel Jun 29 '20 at 16:01
  • You may also like to explore the *jhipster* which creates the ready to use projects and we can configure it as per requirement. https://www.jhipster.tech/ – Romil Patel Jun 29 '20 at 16:02