I want to make an SSO application that sits in front of UAA. There are also some methods in the application that are protected by annotations such as @PreAuthorize. However, @PreAuthorize does not work, and even the URL is not secured. Any comment would be welcome, thanks in advance.

    @Configuration
    @ComponentScan
    @EnableAutoConfiguration
    @RestController
    @RequestMapping("/dashboard")
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true)
    public class SsoApplication extends GlobalMethodSecurityConfiguration {

        @RequestMapping("/message")
        @PreAuthorize("hasRole('ADMIN')")
        public Map<String, Object> dashboard() {
            return Collections.<String, Object>singletonMap("message", "Yay!");
        }

        @RequestMapping("/user")
        @PreAuthorize("authenticated")
        public Principal user(Principal user) {
            return user;
        }

        public static void main(String[] args) {
            SpringApplication.run(SsoApplication.class, args);
        }

        @Component
        @EnableOAuth2Sso
        @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
        public static class LoginConfigurer extends WebSecurityConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.csrf().csrfTokenRepository(csrfTokenRepository()).and()
                    .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class).authorizeRequests().and()
                    .logout().logoutUrl("/dashboard/logout").permitAll()
                    .logoutSuccessUrl("/");
            }

            private Filter csrfHeaderFilter() {
                return new OncePerRequestFilter() {
                    @Override
                    protected void doFilterInternal(HttpServletRequest request,
                            HttpServletResponse response, FilterChain filterChain)
                            throws ServletException, IOException {
                        CsrfToken csrf = (CsrfToken) request
                                .getAttribute(CsrfToken.class.getName());
                        if (csrf != null) {
                            Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                            cookie.setPath("/");
                            response.addCookie(cookie);
                        }
                        filterChain.doFilter(request, response);
                    }
                };
            }

            private CsrfTokenRepository csrfTokenRepository() {
                HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
                repository.setHeaderName("X-XSRF-TOKEN");
                return repository;
            }
        }
    }

And if SsoApplication does not extend GlobalMethodSecurityConfiguration, there will be an exception:

    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.aopalliance.intercept.MethodInterceptor]: Factory method 'methodSecurityInterceptor' threw exception; nested exception is org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
        ... 46 more
    Caused by: org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built
        at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:44)
        at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration.getAuthenticationManager(AuthenticationConfiguration.java:81)
        at org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.authenticationManager(GlobalMethodSecurityConfiguration.java:257)
        at org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.methodSecurityInterceptor(GlobalMethodSecurityConfiguration.java:123)
        at org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$420668b7.CGLIB$methodSecurityInterceptor$8(<generated>)
        at org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$420668b7$$FastClassBySpringCGLIB$$5167ccd.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:355)
        at org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$420668b7.methodSecurityInterceptor(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)