This repository was archived by the owner on May 31, 2022. It is now read-only.
How to define order of spring security filter chain #1024
Closed
Description
How to define order of spring security filter chain
I am using the following dependencies:
- spring-boot 1.5.2.RELEASE
- spring-boot-starter-security
- spring-security-oauth2 2.1.0.RELEASE
I have configured two springSecurityFilterChains using:
- (1) WebSecurityConfigurerAdapter as the first security layer (Basic auth)
- (2) ResourceServerConfigurerAdapter as the second security layer (Bearer auth)
My endpoints should be secured like this:
- /login (anonymous)
- /ping (anonymous)
- /oauth/**: filter (1)
- /**: filters (1, 2)
(1) looks like this:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(2)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // HttpPathStore and the injected handlers (accessDeniedHandler, authenticationEntryPoint,
    // authenticationSuccessHandler, authenticationFailureHandler, logoutSuccessHandler)
    // are the reporter's own classes and fields; they are not shown in the issue.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").hasRole("USER")
                .antMatchers("/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler)
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .formLogin()
                .loginProcessingUrl(HttpPathStore.LOGIN)
                .successHandler(authenticationSuccessHandler)
                .failureHandler(authenticationFailureHandler)
                .permitAll()
                .and()
            .logout()
                .logoutUrl(HttpPathStore.LOGOUT)
                .logoutSuccessUrl(HttpPathStore.LOGIN_FROM_LOGOUT)
                .logoutSuccessHandler(logoutSuccessHandler)
                .permitAll();
    }
    ...
}
```
(2) looks like this:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
@Order(3)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // HttpPathStore is the reporter's own constants class; it is not shown in the issue.

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/**")
                    .access("#oauth2.hasScope('write') "
                            + "and #oauth2.clientHasRole('ROLE_CLIENT') "
                            + "and hasRole('USER')");
    }
    ...
}
```
Problem
If I set @Order on:
- (1): @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
- (2): [DEFAULT]
Expected: as a user with a session and without a JWT, I expect to see the response 401 from (2).
Result: as a user with a session and without a JWT, I have the response 401 from (1).
If I set @Order on:
- (1): @Order(2)
- (2): @Order(3)
Expected: order the web securityFilterChain before the OAuth securityFilterChain.
Result: the OAuth securityFilterChain configuration seems to be ignored by Spring.
Is there a way to get my configuration to have OAuth security after Basic security?
Activity
kazuki43zoo commented on Mar 17, 2017
Is it related to https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes#oauth-2-resource-filter ?
kopax commented on Mar 17, 2017
Yes, it is on the same topic. I can't tell you whether my issue is due to these changes?
Do you want me to redo the test on spring-boot 1.4.1.RELEASE?
kopax commented on Mar 19, 2017
@kazuki43zoo according to your link and the setup I want, what @Order value should I use for WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter?
kazuki43zoo commented on Mar 19, 2017
Could you try as follows?
kopax commented on Mar 19, 2017
@kazuki43zoo I would like to know if there is a difference between this
and this
With what @Order exactly? I did try with @Order(2) and no @Order annotation on ResourceServerConfig. Same thing as before: having @Order(2) on WebMvcSecurity results in an ignored OAuth2 security filter chain.
kazuki43zoo commented on Mar 20, 2017
In my understanding ...
Default orders are as follows on Spring Boot:
- WebSecurityConfigurerAdapter -> 100
- resource server filter chain -> 2147483639 (= SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
In other words, a security filter chain configured by a class extending WebSecurityConfigurerAdapter will apply by default (the resource server filter chain will not be used).
If you want to apply a resource server filter chain for /oauth/**, you need to specify the order as follows:
- (1): ACCESS_OVERRIDE_ORDER (= 2147483640), (2): 2147483639 (default)
- or
- (1): 100 (default), (2): 99 or under (e.g. security.oauth2.resource.filter-order=99)
And specify a matcher pattern on (2) as follows:
As a result...
You can use a resource server filter chain for requests that match /oauth/**, and a security filter chain configured by a class extending WebSecurityConfigurerAdapter for other requests (e.g. /login, /ping and more ...).
If you need more information, I think you should provide a reproduction project that can be run on GitHub.
And I think your question should be posted to StackOverflow.
Thanks.
kopax commented on Mar 20, 2017
Thanks for the quick reply.
It seems from the javadoc that http.antMatcher("/oauth/**") is the same as http.requestMatchers().antMatchers("/oauth/**").
I have tried both configurations. They seem to be able to protect the endpoint /oauth/**, but all the endpoints /** should be OAuth secured.
I have created a demo repository. There's a README with a summary of the security strategy.
Reproduction
- Clone the project
- Start the server
- Get a cookie
- Authenticate the cookie
- Try to get a secured OAuth resource at /
Expected: HTTP status code 401 due to the missing Authorization header
Result: HTTP status code 200
Useful information:
- Spring server: http://localhost:8081/
- Security account (cookie): admin / verysecret
- OAuth account (jwt): myfirstapp / test
- http://localhost:8081/oauth/token
- http://localhost:8081/oauth/authorize
- code
- http://localhost:8081/cb/myfirstapp
kopax commented on Mar 20, 2017
Hi, it is still possible to access without a Bearer. See my reply on the PR.
Every configuration I have tried just can't work together on the same endpoint.
As soon as a route is added to (1), it gets cancelled in (2).
Are you absolutely sure that spring-security and spring-security-oauth can work on the same endpoint?
It's also possible that the API must have separate endpoints.
(I haven't found any project that uses both plugins on top of each other for a defined endpoint.)
stevemenke commented on May 4, 2017
I am having the same problem. I want LDAP authentication for some resources and OAuth on others, and can only get one or the other to work. Not both. Have you made any progress or do you have a workaround?
kopax commented on May 4, 2017
It is one or the other. You can't have both.
Brandon0204 commented on Oct 26, 2017
I have the same problem.
masamitsunamioka commented on Mar 17, 2018
Could you try the following code? It works fine for me.
https://spring.io/guides/topicals/spring-security-architecture/
"The most important feature of this dispatch process is that only one chain ever handles a request."
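The two points made above (kazuki43zoo's order values from Mar 20 and the "only one chain ever handles a request" rule just quoted) combined into one working layout, as an added example; this is not code from the issue, from the demo repository, or from the spring-security-oauth project. It assumes Spring Boot 1.5.x with spring-security-oauth2 2.1.x, a hypothetical `/api/**` prefix for the token-protected resources, the property `security.oauth2.resource.filter-order=99` in application.properties, and omits the authorization server configuration. The consequence for the setup this issue asks about: a request path is claimed by exactly one chain, so a cookie-session chain and a bearer-token chain cannot both enforce on the same `/**` path; the supported design is to give each chain a disjoint request matcher and order the more specific chain first.

```java
// Added example (not code from this thread or from spring-security-oauth).
// Assumes Spring Boot 1.5.x + spring-security-oauth2 2.1.x, a hypothetical /api/**
// prefix for token-protected resources, and this line in application.properties:
//     security.oauth2.resource.filter-order=99
// In a real project each @Configuration class goes in its own file.
package example.security; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Chain (2): bearer-token resources only.
 *
 * Its position is not controlled by @Order on this class: Spring Boot 1.5 sets the
 * resource-server chain's order from security.oauth2.resource.filter-order, whose
 * default is SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 (2147483639). With that
 * default, a WebSecurityConfigurerAdapter at 100 that matches /** claims every
 * request first and this chain is never consulted. filter-order=99 moves it ahead.
 *
 * antMatcher("/api/**") scopes the whole chain, so it only ever claims /api/**
 * requests; /login, /ping and /oauth/** fall through to chain (1).
 */
@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .authorizeRequests()
                // Every /api/** request needs a valid token carrying the 'read' scope.
                // A request that carries only a session cookie is rejected here with 401;
                // it never reaches chain (1), so chain (1)'s rules cannot turn it into 200.
                .anyRequest().access("#oauth2.hasScope('read')");
    }
}

/**
 * Chain (1): session / form login for everything chain (2) did not claim.
 * It keeps the order 100 that WebSecurityConfigurerAdapter declares, so it runs
 * after the resource-server chain at 99. Because only one chain handles a
 * request, the permitAll rules here can never loosen /api/**.
 */
@Configuration
@EnableWebSecurity
class WebLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/ping").permitAll()
                .antMatchers("/login").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .permitAll();
    }
}
```

Check to run against this layout: a request to `/api/anything` that carries only the session cookie from `/login` must come back 401 with a `WWW-Authenticate: Bearer` header, and the same request with a valid access token must pass; a request to `/ping` without either must be 200. If the session-cookie request to `/api/**` returns 200, the resource-server chain is still sitting at its default order behind the web chain, which is the symptom described in this issue.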
lilalinux commented on Apr 14, 2018
@Namioka Shouldn't ResourceServerConfiguration only match negatively on /login and /logout? And WebSecurityConfiguration negatively on /oauth/**?
masamitsunamioka commented on Apr 29, 2018
@lilalinux '/oauth/authorize' and '/oauth/confirm_access' require the user authentication (not resource server authentication by access tokens).