spring-security-oauth2 | 易学教程

Spring Security OAuth2, which decides security?

阅读更多关于 Spring Security OAuth2, which decides security?

I've been trying to implement a OAuth2 authentication server using the guides by Dave Syer with some inspiration from JHipster. But I can't figure out how it all works together. It looks like the security setup using the WebSecurityConfigurerAdapter is overwritten when I use ResourceServerConfigurerAdapter. @Configuration @EnableResourceServer public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter { private TokenExtractor tokenExtractor = new BearerTokenExtractor(); @Override public void configure(HttpSecurity http) throws Exception { http .addFilterAfter(contextClearer(),

spring security permitAll still considering token passed in Authorization header and returns 401 if token is invalid

阅读更多关于 spring security permitAll still considering token passed in Authorization header and returns 401 if token is invalid

问题 I am using spring security oauth in my project. I am excluding some urls from authentication by configuring in spring security ResourceServerConfigurerAdapter. I added http.authorizeRequests().antMatchers(url).permitAll() . Now, what I am seeing is that, if I don't pass the Authorization header to these urls, it is not authenticated. And the API is called properly. If the call is made with an Authorization header, then it validates the token and fails the call if the token is not validated.

Spring Security OAuth2: InsufficientAuthenticationException

阅读更多关于 Spring Security OAuth2: InsufficientAuthenticationException

问题 First of all, I disabled basic auth: security.basic.enabled=false Then I access the authorization page: http://localhost:8080/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.baidu.com I got following exception: org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed. at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize

How to set proxy on spring oauth2 OAuth2AccessToken request or How to override OAuth2AccessTokenSupport restTemplate variable?

阅读更多关于 How to set proxy on spring oauth2 OAuth2AccessToken request or How to override OAuth2AccessTokenSupport restTemplate variable?

问题 I have tried to set network proxy in the following ways, but none of the method is working 1: set jvm variables like -Dhttp.proxyHost= -Dhttp.proxyPort= ....... 2: Created the Bean. @Bean public RestTemplate restTemplate() { final String proxyHost = "######"; // host final int proxyPort = ####; // port SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory(); factory.setProxy(new Proxy(Type.HTTP, new InetSocketAddress(proxyHost, proxyPort))); return new RestTemplate

How to get @WebMvcTest work with OAuth?

阅读更多关于 How to get @WebMvcTest work with OAuth?

问题 I just had hard time to get my controllers unit tests working because, IMO, what is in Spring doc is not enough if using OAuth. In my case, it's Oauth2 with JWT. I tried to use @WithMockUser , @WithUserDetails and even define my own annotation with @WithSecurityContext and a custom UserSecurityContextFactory but always got anonymous user in the UserSecurityContext when security expression where evaluated, whatever I set the test context to in my factory... I propose the solution I came to

Single sign off using OAuth 2

阅读更多关于 Single sign off using OAuth 2

问题 We just have been discussing the login and logout behaviour when using OAuth 2. Let's say we have two webapps A and B using one OAuth provider O (built using the spring-security-oauth2 stack). When you want to login to A you get redirected to O , enter your credentials, get a session there on O , redirected back to A with an access token and a session is created on A as well. Now when you want to login to B you get redirected to O , get directly sent back with a token to B because you still

jhipster oauth : How can i get the access_token via CURL

阅读更多关于 jhipster oauth : How can i get the access_token via CURL

i'm trying to use the jhipster tool in order to create a new project with the oauth2 authentication. The project example work fine, i can login with the angularjs interface, but can't understand how can i create a new user and then get the access token via Curl command line for this new user. Thanks for your help Step #1: Register the user. Register a user at http://localhost:8080/#/register and make sure you can log in via the web interface. Step #2: Obtain an OAuth2 token. Information required for obtaining an OAuth2 token: OAuth2 client id (see application.yml) OAuth2 secret (see

Customize auth error from Spring Security using OAuth2

阅读更多关于 Customize auth error from Spring Security using OAuth2

问题 I was wondering if I could customize the following authorization error: { "error": "unauthorized", "error_description": "Full authentication is required to access this resource" } I get it when the user request does not have permissions. And I would like to customize it to be quite similar than Spring Boot error: { "timestamp":1445441285803, "status":401, "error":"Unauthorized", "message":"Bad credentials", "path":"/oauth/token" } Could it be possible? Many thanks. 回答1: I got it :) https:/

How to test spring-security-oauth2 resource server security?

阅读更多关于 How to test spring-security-oauth2 resource server security?

Following the release of Spring Security 4 and it's improved support for testing I've wanted to update my current Spring security oauth2 resource server tests. At present I have a helper class that sets up a OAuth2RestTemplate using ResourceOwnerPasswordResourceDetails with a test ClientId connecting to an actual AccessTokenUri to requests a valid token for my tests. This resttemplate is then used to make requests in my @WebIntegrationTest s. I'd like to drop the dependency on the actual AuthorizationServer, and the use of valid (if limited) user credentials in my tests, by taking advantage of

Spring Security OAuth 2.0 - client secret always required for authorization code grant

阅读更多关于 Spring Security OAuth 2.0 - client secret always required for authorization code grant

According to the spec, requests for a token using the authorization code grant are not required to be authenticated as long as the client_id is included in the request and the client_id is the same one used to generate the code. However, with the Spring Security OAuth 2.0 implementation, it appears that basic auth is always required on the /oauth/token endpoint even if the client was never assigned a secret. It looks like there is support for allowing clients without a secret due to the isSecretRequired() method in the ClientDetails interface. What do I need to do to enable clients without a