7

I'm writing a small application that has an authentication linked to a database, this authentication will be managed by the Oauth2 aspect (Classes annotated by @EnableAuthorizationServer and @EnableResourceServer). There's another authentication in the same application for an administration page that will be linked to another different database and will use the normal form-based authentication.

I've written the following Web Security configuration class for this specific purpose:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig{

    @Configuration
    @Order(5)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/admin_logout"))
                    .invalidateHttpSession(true).logoutSuccessUrl("/admin/login.html");

            http.authorizeRequests()
                    .antMatchers("/admin/login.html").permitAll().antMatchers("/admin/protected.html")
                    .hasRole("ADMIN")
                    .and().formLogin().loginPage("/admin/login.html")
                    .loginProcessingUrl("/admin_login").defaultSuccessUrl("/admin/protected.html");

        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            //Data source for form based auth
            auth.inMemoryAuthentication().withUser("adminuser").password("adminpassword").roles("ADMIN");
        }
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        //Data source for Oauth
        auth.inMemoryAuthentication().withUser("myuser").password("mypassword").roles("USER").and().withUser("test")
                .password("testpassword").roles("USER");
    }
}

Other relevant components are:

Authorization Server configuration:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter{

    @Autowired
    AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager).tokenEnhancer(tokenEnhancer())
        .tokenStore(tokenStore());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
                .withClient("client")
                .secret("secret")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .resourceIds("resource").accessTokenValiditySeconds(60);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
    {
       oauthServer.checkTokenAccess("isAuthenticated()");    
    }

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

}

Resource server configuration:

@Configuration
@EnableResourceServer
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter{

    @Autowired
    TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("resource").tokenStore(tokenStore);
    }
    @Override
    public void configure(final HttpSecurity http) throws Exception {
     http.authorizeRequests().antMatchers("/api/**").authenticated();
 }
}

You can also checkout the code here: https://github.com/cenobyte321/spring-oauth2-tokenenhancer-test/tree/webspeciallogin (Branch: webspeciallogin)

The problem is that everything in the AdminSecurityConfig class is ignored, I can go into the protected.html page without logging myself in and the login and logout processing urls specified aren't created.

The Oauth2 based login on the other hand works without a problem. I haven't also figured out how to specify in Oauth2 an AuthenticationManagerBuilder, most of online resources suggest to use the configureGlobal injected method which is read by Oauth appropriately, that's why it's setup like that in the code above.

How can I configure two authentication sources independent of one another in a single Oauth2-enabled application?

Regards.

Cenobyte321
  • 469
  • 1
  • 8
  • 26

2 Answers2

3

You need two things:

  1. Make sure your AdminSecurityConfig has a higher priority than your ResourceServerConfiguration. While the @EnableResourceServer annotation's documentation says it will register a WebSecurityConfigurerAdapter with a hard-coded Order 3, it's actually overridden in ResourceServerOrderProcessor with an order of -10. So make sure your AdminSecurityConfig has an order lower than -10.

  2. Make sure you limit your configuration of HttpSecurity in AdminSecurityConfig with request matchers to the URLs associated with your admin server, like this:

    http.requestMatchers().antMatchers("/admin/**", "/admin_login", "/admin_logout")
    .and()
        .authorizeRequests()
        .antMatchers("/admin/protected.html").hasRole("ADMIN")
        .antMatchers("/admin/login.html").permitAll()
    .and()
        .formLogin().loginPage("/admin/login.html")
        .loginProcessingUrl("/admin_login")
        .defaultSuccessUrl("/admin/protected.html")
    .and()
        .logout().logoutRequestMatcher(new AntPathRequestMatcher("/admin_logout"))
        .invalidateHttpSession(true).logoutSuccessUrl("/admin/login.html")
        ;

    Note the first line of the embedded code with http.requestMatchers().antMatchers("/admin/**", "/admin_login", "/admin_logout").

See Dave Syer's (one of Spring Security authors) answer on a similar question for reference.

I made a pull request with the above fixes for your example project on github.

Community
  • 1
  • 1
Nándor Előd Fekete
  • 6,988
  • 1
  • 22
  • 47
  • Thank you very much for this, I was also under the impression that the resource server order was 3. Although the protected page is indeed protected now in your pull request, I have a strange problem of the "/admin_login" url returning "There was an unexpected error (type=Method Not Allowed, status=405). Request method 'POST' not supported" after submitting the form, even though CSRF protection is disabled for this particular example. – Cenobyte321 Jan 13 '16 at 07:22
  • 1
    You're right. I limited the configuration of `HttpSecurity` in `AdminSecurityConfig` without including the URL pattern `/admin_login` for the login processing. I've updated my answer. Try it out again, seems to be working. – Nándor Előd Fekete Jan 13 '16 at 13:53
  • Got it, it is working now. Given that you should limit all the routes of this separate application component, including the processing urls, the "admin_logout" route should then also be added here. Thank you very much for your help! – Cenobyte321 Jan 13 '16 at 15:30
0

Could you solve the problem a different way by using role based authorization? For example:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            ....
            .antMatchers("/user/manage/**").access("hasRole('SYS_ADMIN_ROLE')")
            .antMatchers("/audit/**").access("hasRole('SYS_ADMIN_ROLE')")
            .antMatchers("/upload**").access("hasRole('SYS_ADMIN_ROLE')")

Anther approach would be a custom user details service that knows how to look up user IDs in the appropriate database:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    LimitLoginAuthenticationProvider provider = (LimitLoginAuthenticationProvider)authenticationProvider;
    provider.setPasswordEncoder(passwordEncoder);
    auth.userDetailsService(customUserDetailsService()).passwordEncoder(passwordEncoder);
    auth.authenticationProvider(authenticationProvider);
}
Brian Kates
  • 480
  • 4
  • 14