F�rum Spring Oauth2 + Spring Security #586744

16/10/2017

Estou desenvolvendo uma aplica��o que tem uma interface web, e uma camada Rest, essa camada Rest vai usar Oauth2, e o restante, vai se autenticar usando um formul�rio de login e senha.

O problema, � que a configura��o de Security do spring esta sobrescrevendo minhas configura��es do ResourceServer, eu consigo autenticar normalmente no AuthorizationServer, mas quando tento acessar alguma url Rest com o token gerado, ele me redireciona para o formul�rio de login.

Depois de pesquisar muito eu consegui fazer com que n�o redirecionasse mais para o formul�rio, mas ele n�o autentica com o Token, e retorna erro 403.

� poss�vel manter as duas formas de autentica��o, e filtrar por url qual vai se autenticar via token, e qual vai se autenticar atrav�s do formul�rio de login?

Segue abaixo minha configura��o de seguran�a.

@Configuration
@EnableAuthorizationServer
@EnableWebSecurity
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
	private static final String RESOURCE_ID = "resource_id";
	@Autowired
	private CustomUserDetailsService userDetailsService;

	@Autowired
	private AuthenticationManager authenticationManager;

	@Value("${oauth.tokenTimeout:3600}")
	private int expiration;

	@Bean
	public PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	@Override
	public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
		configurer.authenticationManager(authenticationManager);
		configurer.userDetailsService(userDetailsService);
	}

	@Override
	public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
		oauthServer.allowFormAuthenticationForClients(); // Disable /oauth/token Http Basic Auth
		oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
	}	
	
	@Override
	public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
		clients
			.inMemory()
			.withClient("client_id")
			.authorizedGrantTypes("password", "refresh_token")
			.authorities("ADMIN")
			.scopes("read", "write")
			.resourceIds(RESOURCE_ID)
			.secret("senha")
			.accessTokenValiditySeconds(expiration);
	}
}

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
 	
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable() 
            .antMatcher("/api/**")
            .authorizeRequests()
            .anyRequest().hasAnyRole("ADMIN", "USER", "AGENTE")
            .antMatchers("/api/**").fullyAuthenticated()
            .and()
            .httpBasic().disable();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
    		web.ignoring().antMatchers("/static/**");
    		web.ignoring().antMatchers("/webjars/**");
    		web.ignoring().antMatchers("/upload/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            //Permiss�es
      		http
      		.authorizeRequests()
      		.antMatchers("/usuario/**").hasRole("ADMIN")
      		.antMatchers("/relatorio/**").hasAnyRole("ADMIN","USER")
      		.anyRequest().authenticated();
            
    		//Login
    		http.formLogin()
    		.loginPage("/login")
    		.permitAll()
    		.defaultSuccessUrl("/", false)
    		.failureUrl("/error-login")
    		.usernameParameter("login")
    		.passwordParameter("password");
    		
    		//Logout
    		http.logout()
    		.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    		.logoutSuccessUrl("/login")
    		.permitAll();
    				
    		//Remenber-me
    		http.rememberMe()
    		.tokenValiditySeconds(1209600);
        }
    }
}

@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter{
	private static final String RESOURCE_ID = "floricultura-service";
	
	@Autowired
	private JsonToUrlEncodedAuthenticationFilter jsonFilter;
	
	@Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }
	
	@Override
    public void configure(HttpSecurity http) throws Exception {
		http.addFilterBefore(jsonFilter, ChannelProcessingFilter.class)
		.requestMatchers().antMatchers("/api/**")
        .and().authorizeRequests().anyRequest().authenticated();

		http.headers().contentTypeOptions().disable();
    }
}

Luis Sena

Curtir t�pico

+ 0

Responder