
So I tried Resource Server Multi-tenancy using the Spring docs and everything works fine; I can pass two different tokens to access my resource. My question is: how do I add BasicAuth functionality to this? I want my resource to be accessible by either of the OAuth2 tokens or BasicAuth. I have individual solutions, but I am not able to combine both for some reason.

Working solution -> Resource server Multi-tenancy

@EnableWebSecurity
@Order(1)
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .httpBasic()
            .disable()
            .authorizeRequests(auth -> auth
                .anyRequest().authenticated()
            ).oauth2ResourceServer(oauth2ResourceServer -> {
                oauth2ResourceServer.authenticationManagerResolver(this.authenticationManagerResolver);
            });
    }
    //...

Working solution -> OAuth and BasicAuth both to access the same resource

I came across this solution, which does this: https://stackoverflow.com/a/36243650/2188126

@EnableWebSecurity
@Order(1)
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .requestMatcher(new BasicRequestMatcher())
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic()
            .authenticationEntryPoint(new OAuth2AuthenticationEntryPoint())
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    //...

Here's what I have tried (and a few other variations), but it doesn't work. -> Multi-tenancy + Basic Auth

@EnableWebSecurity
@Order(1)
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .requestMatcher(new BasicRequestMatcher())
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2ResourceServer(oauth2ResourceServer -> {
                oauth2ResourceServer.authenticationManagerResolver(this.authenticationManagerResolver);
            })
            .httpBasic()
            .authenticationEntryPoint(new OAuth2AuthenticationEntryPoint())
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    //...

Here's my resource server config file:

@Configuration
@EnableResourceServer
public class Oauth2SecurityConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(AUTH_WHITELIST).permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated();
    }

}
dur
Enix
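An added example, not part of the original post or of the linked answer: one way to accept both credential types is a single filter chain that enables the multi-tenant resource server and HTTP Basic together, so each request is authenticated according to the scheme in its `Authorization` header. It assumes Spring Security 5.3 or later in the 5.x line and that no other filter chain claims the same requests; the class name, issuer URLs, user name and the `basic.password-hash` property are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class CombinedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical tenant issuers; only tokens from these issuers are accepted.
    private final AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver =
            new JwtIssuerAuthenticationManagerResolver(
                    "https://issuer-one.example/", "https://issuer-two.example/");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            // Handles "Authorization: Bearer ..." with the per-issuer manager.
            .oauth2ResourceServer(oauth2 -> oauth2
                .authenticationManagerResolver(this.authenticationManagerResolver))
            // Handles "Authorization: Basic ..." against the UserDetailsService below.
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    }

    // Hypothetical Basic-auth account. The property holds an already encoded
    // value such as "{bcrypt}<hash>", so no plaintext password is configured.
    @Bean
    public UserDetailsService basicAuthUsers(@Value("${basic.password-hash}") String passwordHash) {
        return new InMemoryUserDetailsManager(
            User.withUsername("service-client").password(passwordHash).roles("API").build());
    }
}
```

No request matcher restricts this chain, so both Bearer and Basic requests reach it; anonymous requests are still rejected by `anyRequest().authenticated()`.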

0 Answers