
I intend to support two authentication methods in a Spring Boot application: JWT (a token the application issues itself) and OAuth2 (a token issued by an external identity provider, Azure). However, the application only ever uses the JWT path, regardless of the `@Order` values I give the configurations.

If I comment out or delete the `WebSecurityConfig` class, the application does use the OAuth2 authentication method.

This is the code:

package com.k12.rosterapi.config;

import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

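/**
 * Security configuration for the roster API.
 *
 * <p>Two nested {@code @Configuration}s register separate Spring Security filter
 * chains: {@link OauthSecurityConfig}, an OAuth2 resource server that validates
 * externally issued tokens against a remote JWK set, and {@link WebSecurityConfig},
 * a chain that authenticates locally issued JWTs through
 * {@code JWTAuthorizationFilter} (defined elsewhere in this package).
 *
 * <p>NOTE(review): the {@code @Order} values do not do what they appear to.
 * {@code @Order(1)} on a {@link ResourceServerConfigurerAdapter} does not order a
 * filter chain; the resource-server chain is registered by
 * {@code @EnableResourceServer} with its own order (3 by default in
 * {@code ResourceServerConfiguration}; Spring Boot may override it via
 * {@code security.oauth2.resource.filter-order}). {@link WebSecurityConfig} at
 * {@code @Order(2)} declares no request matcher, so it claims every request
 * before the OAuth2 chain is consulted — which is why removing it makes OAuth2
 * work. Both token types arrive as an {@code Authorization: Bearer} header, so
 * the two chains cannot be told apart by URL; accepting both most likely means a
 * single chain in which each validator is tried in turn. That restructuring is
 * not done here because the behaviour of {@code JWTAuthorizationFilter} is not
 * visible in this file — confirm how it reacts to a foreign token first.
 *
 * <p>This outer class extends {@link WebSecurityConfigurerAdapter} without
 * overriding {@code configure}, so it also registers a default chain (order 100,
 * form login + HTTP basic). It is shadowed by the two chains above and never
 * matches a request.
 */
@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    /**
     * OAuth2 resource-server chain. Accepts bearer tokens whose signature is
     * verifiable against the JWK set at {@code security.oauth2.resource.jwk.key-set-uri}
     * and whose audience includes {@code security.oauth2.resource.id}.
     */
    @Configuration
    @EnableResourceServer
    @Order(1) // has no effect on filter-chain order; see the class-level note
    public static class OauthSecurityConfig extends ResourceServerConfigurerAdapter {

        /** URI of the issuer's JWK set; token signing keys are fetched from here. */
        @Value("${security.oauth2.resource.jwk.key-set-uri}")
        private String jwkKeySetUri;

        /** Identifier this service expects to find in a token's audience. */
        @Value("${security.oauth2.resource.id}")
        private String resourceId;

        /** Single-element list holding the CORS wildcard {@code *}. */
        public static final List<String> ALL_WILDCARD_LIST = Arrays.asList(CorsConfiguration.ALL);

        public OauthSecurityConfig() { }

        /**
         * Registers this service's resource id so that access tokens whose
         * audience does not name this service are rejected.
         */
        @Override
        public void configure(ResourceServerSecurityConfigurer config) throws Exception {
            config.resourceId(resourceId);
        }

        /**
         * Authorization rules for the OAuth2 chain: {@code /dal/**} and
         * {@code /healthcheck/**} are public, every other request needs an
         * authenticated bearer token. CORS is enabled (backed by
         * {@link #corsConfigurationSource()}), CSRF is disabled and no HTTP
         * session is ever created — there is no cookie-backed session for CSRF
         * to protect in a stateless token API.
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**")
                .authorizeRequests()
                    .antMatchers("/dal/**", "/healthcheck/**").permitAll()
                    .anyRequest().authenticated()
                .and().cors()
                .and().csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        /**
         * Token store that verifies JWT signatures against the remote JWK set.
         *
         * <p>NOTE(review): {@code @ConditionalOnMissingBean} is documented by Spring
         * Boot as reliable only on auto-configuration classes, because it sees only
         * the bean definitions processed so far; confirm that it still lets another
         * configuration override this store when used on a user configuration.
         */
        @Bean
        @ConditionalOnMissingBean(TokenStore.class)
        @Primary
        public TokenStore jwkTokenStore() {
            return new JwkTokenStore(jwkKeySetUri);
        }

        /**
         * CORS policy applied to every path: any origin, method and header.
         *
         * <p>Credentials are deliberately NOT allowed. Combining
         * {@code allowCredentials(true)} with a {@code *} origin is rejected with an
         * {@code IllegalArgumentException} by Spring 5.3+, and on older versions
         * makes Spring reflect the caller's {@code Origin} back with credentials
         * permitted — i.e. any website could make cookie-bearing requests to this
         * API. A bearer token placed in the {@code Authorization} header by the
         * client does not require the credentials flag, and both chains are
         * stateless, so no cookie session exists to protect. If browser clients
         * ever do need cookies, replace the wildcard with an explicit origin
         * allow-list rather than re-enabling credentials here.
         */
        @Bean
        public CorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(ALL_WILDCARD_LIST);
            configuration.setAllowedMethods(ALL_WILDCARD_LIST);
            configuration.setAllowedHeaders(ALL_WILDCARD_LIST);
            // Must stay false while the origin list is a wildcard (see Javadoc).
            configuration.setAllowCredentials(false);
            configuration.addExposedHeader("Access-Control-Allow-Origin");

            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }
    }

    /**
     * Chain for locally issued JWTs. {@code JWTAuthorizationFilter} runs after the
     * anonymous filter, presumably so that a valid token replaces the anonymous
     * principal it installs — verify against that filter's implementation.
     *
     * <p>Uses the same public paths as the OAuth2 chain and, unlike the original,
     * the same CORS source and stateless session policy: without {@code cors()}
     * browser preflight requests were answered 401 by this chain, and without
     * {@code STATELESS} a successful token check could create an HTTP session.
     * CSRF is disabled because nothing in this chain relies on a browser session.
     */
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .cors()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().addFilterAfter(new JWTAuthorizationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                    .antMatchers("/dal/**", "/healthcheck/**").permitAll()
                    .anyRequest().authenticated();
        }
    }
}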

What should I change so that both authentication methods are accepted?

  • Why can't you delete WebSecurityConfig and add http.addFilterBefore(new JWTAuthorizationFilter(), AbstractPreAuthenticatedProcessingFilter.class)); inside configure(HttpSecurity http) of ResourceServerConfig? – Delta George Apr 12 '22 at 17:22
  • Note that you are using the [deprecated](https://spring.io/blog/2020/05/07/end-of-life-for-spring-security-oauth) spring-security-oauth module. Please migrate to a supported version of Spring Security as soon as possible. You can follow the official migration guide [here](https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide). – Eleftheria Stein-Kousathana Apr 13 '22 at 10:11
