I am trying to get a Spring Boot MVC application to work with a standard login form while also exposing some API endpoints with OAuth2 protection. Basically my requirements are as follows:
If the user goes to the home page ("/"), check whether they are logged in. If not, show the login form; otherwise show the home page. But the user should also be able to request an OAuth authentication token and use that token to access /api/assign/{id}.
I can make the standard login work, and I can make OAuth2 work, but I cannot make them work together.
This is my configuration at the moment:
WebSecurityConfig
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private DataSource dataSource;

        // Expose the AuthenticationManager as a bean so the authorization server can inject it
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        // Keeps the adapter's default HttpSecurity: every request authenticated, form login and HTTP Basic
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
        }

        // Users come from the database, with bcrypt-hashed passwords
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication()
                .dataSource(this.dataSource)
                .passwordEncoder(new BCryptPasswordEncoder());
        }
    }
OAuth2Config
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

    @Configuration
    @EnableResourceServer
    @EnableAuthorizationServer
    public class OAuth2Config {

        protected static final String RESOURCE_ID = "oauthdemo";

        // Resource server: validates bearer tokens on incoming requests
        @Configuration
        @EnableResourceServer
        protected static class ResourceServer extends ResourceServerConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .httpBasic().disable()
                    .authorizeRequests()
                        .antMatchers("/js/**", "/css/**", "/images/**", "/webjars/**", "/login").permitAll()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin()
                        .loginPage("/login")
                        .permitAll()
                        .and()
                    .logout()
                        .permitAll();
            }

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId(RESOURCE_ID);
            }
        }

        // Authorization server: issues tokens at /oauth/token
        @Configuration
        @EnableAuthorizationServer
        protected static class AuthServer extends AuthorizationServerConfigurerAdapter {

            @Autowired
            @Qualifier("authenticationManagerBean")
            private AuthenticationManager authenticationManager;

            @Override
            public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
                // Lets clients send client_id/client_secret as form parameters instead of HTTP Basic
                oauthServer.allowFormAuthenticationForClients();
            }

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                // The password grant needs an AuthenticationManager to check user credentials
                endpoints.authenticationManager(authenticationManager);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.inMemory()
                    .withClient("client")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("ROLE_USER")
                    .scopes("read")
                    .resourceIds(RESOURCE_ID)
                    .secret("secret")
                    .accessTokenValiditySeconds(3600);
            }
        }
    }
The problem is that when I try to open the home page ("/") I always get the following error:
    <oauth>
        <error_description>Full authentication is required to access this resource</error_description>
        <error>unauthorized</error>
    </oauth>
It is not redirected to the login page. I do not need OAuth2 to protect this page, but even if I go directly to the login page ("/login", which I can access) and enter the credentials, I still get the "full authentication" error, even though I have disabled HTTP Basic authentication.
Does anyone know how to separate the normal user interface from the API endpoints that should be protected by OAuth2?
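The XML body above is what the resource server's OAuth2AuthenticationEntryPoint returns when no bearer token is present. In spring-security-oauth2 the resource-server filter chain is registered at order 3, ahead of a WebSecurityConfigurerAdapter (order 100), and unless it is restricted it matches every request, so "/" and "/login" are answered by the bearer-token chain and never reach form login. The following is an added example, not the original poster's code, showing one way to split the two: the resource-server chain is limited to /api/** with requestMatchers(), and everything else falls through to the form-login chain. It assumes Spring Boot 1.5.x with spring-security-oauth2 2.x (the same stack as the question); the class names, the /api/** prefix and the in-memory client are illustrative.

```java
package demo.security;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Added example (not the original poster's code). Three separate filter chains:
 * the authorization server's own /oauth/** chain (order 0), a resource-server
 * chain restricted to /api/** (order 3), and the form-login chain for the rest (order 100).
 */
@Configuration
public class SplitSecurityConfig {

    static final String RESOURCE_ID = "oauthdemo";

    /** Browser UI: form login, redirect to /login when unauthenticated. Default order 100. */
    @Configuration
    @EnableWebSecurity
    public static class UiSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private DataSource dataSource;

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(new BCryptPasswordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/js/**", "/css/**", "/images/**", "/webjars/**", "/login").permitAll()
                    .anyRequest().authenticated()
                .and().formLogin().loginPage("/login").permitAll()
                .and().logout().permitAll();
            // No httpBasic() here, so an unauthenticated browser request gets a 302 to /login.
        }
    }

    /** API: bearer tokens only, and only for /api/**. spring-security-oauth2 registers this chain at order 3. */
    @Configuration
    @EnableResourceServer
    public static class ApiSecurity extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID); // tokens issued for another resource id are rejected
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/api/**")            // this chain applies to /api/** only
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests().anyRequest().authenticated();
        }
    }

    /** Token endpoint at /oauth/token; password grant needs the AuthenticationManager exported above. */
    @Configuration
    @EnableAuthorizationServer
    public static class AuthServer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) {
            security.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("client").secret("secret")                // illustrative values only
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read").resourceIds(RESOURCE_ID)
                .accessTokenValiditySeconds(3600);
        }
    }
}
```

With this in place a browser hitting "/" is redirected to /login by the UI chain, while the API is exercised with two requests: first `curl -u client:secret -d grant_type=password -d username=<user> -d password=<pass> http://localhost:8080/oauth/token` to obtain a token, then `curl -H "Authorization: Bearer <token>" http://localhost:8080/api/assign/1`. A request to /api/assign/1 without the header still gets the `<oauth>` unauthorized body, which is now the intended behaviour for that prefix. Two caveats carried over from the original configuration: the password grant hands user credentials to the client and has been removed in OAuth 2.1, and an in-memory client with a plaintext secret is only acceptable for a demo.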