0

I have my OAuth server and a client which is being authorized by OAuth2.

Now if I need to call my service I need to:

  1. Generate an access token from the server using the API below:

    localhost:9191/oauth/token?grant_type=password&username=krish&password=kpass

    Which gives a response like:

    "access_token": "ee41435d-8ad9-432e-82c1-07477e2b6956",
    "token_type": "bearer",
    "refresh_token": "ea6d83b4-62f6-4eaf-9f89-8600bd36690d",
    "expires_in": 3429,
    "scope": "READ WRITE"
    
  2. Now I am passing the access token to run the client service, like below:

So I am doing this manually. But I need to run it from the client code. When I try to hit the first API itself (server) to get the token, it says unauthorized. My service code is below:

I need to skip the authentication for the /getToken controller. How can I do that? Can anyone please help?

My WebSecurityConfigurerAdapter class is as below. I added the highlighted code after reading one answer below, but that is also not working.

berrur

1 Answer

1

You may want to create a new configuration extending the WebSecurityConfigurerAdapter and override the configure method. Have a look at this guide for a practical example. What you want to focus on is this part:

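    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // "/" and "/home" are reachable without authentication
                    .antMatchers("/", "/home").permitAll()
                    // every other request requires an authenticated user
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    // the custom login page itself is open to everyone
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }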

As you can see in the example, the paths "/login", "/" and "/home" are excluded from authentication. Check this other answer also: Spring Security exclude url patterns in security annotation configurartion

berrur
  • Do I need to add it in the client or the server? @berrur – Jan 08 '21 at 09:08
  • In the server, this is a Spring configuration. Just create a new class and use the annotation `@Configuration` and Spring will handle it. I'm assuming you are using Spring since you tagged this answer with Spring Boot and Spring Security. – berrur Jan 08 '21 at 09:10
  • Yes, I added the config as you said, but that is also not working. It's then also authenticating the (/getName) request. I have added a screenshot in the question. Please check @berrur – Jan 08 '21 at 09:30
  • 1
    Try to override the `configure(WebSecurity web)` and use `web.ignoring().antMatchers("/getToken")` – berrur Jan 08 '21 at 09:35
  • Also check [this other answer](https://stackoverflow.com/questions/22998731/httpsecurity-websecurity-and-authenticationmanagerbuilder) for further understanding on how to manipulate Spring Security behaviour – berrur Jan 08 '21 at 09:36
  • Thanks, it worked with `web.ignoring().antMatchers("/getToken")` (I added it in the client code) – Jan 08 '21 at 10:44
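
The two ways discussed in this thread to open `/getToken`, side by side, as an added example that is not code from the question or the answer. The class names and the `ignore-token-endpoint` profile are hypothetical, and the authentication mechanism for the remaining endpoints (the OAuth2 setup from the question) is omitted.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Variant A: the fix from the comments. Requests matching /getToken skip the
// Spring Security filter chain entirely: no authentication, but also no
// security response headers, CSRF checks or SecurityContext for that path.
@Configuration
@EnableWebSecurity
@Profile("ignore-token-endpoint") // hypothetical profile name
class IgnoringTokenEndpointConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
        // Exact path only; a wildcard here would bypass security for every match.
        web.ignoring().antMatchers("/getToken");
    }
    // configure(HttpSecurity) is not overridden, so the adapter's default
    // (every remaining request must be authenticated) stays in force.
}

// Variant B: /getToken is open to unauthenticated callers, but the request
// still passes through the filter chain, so headers and CSRF handling apply.
@Configuration
@EnableWebSecurity
@Profile("!ignore-token-endpoint")
class PermitAllTokenEndpointConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in order, so this must precede anyRequest().
                .antMatchers("/getToken").permitAll()
                .anyRequest().authenticated();
    }
}
```

With variant B, a state-changing request such as a POST to `/getToken` is still subject to CSRF protection, which is one observable difference from variant A.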