Spring Security OAuth2: how to add multiple Security Filter Chain of type ResourceServerConfigurer?

akuma8

I set up a Spring Boot multi-module (5 modules) app with Spring Security OAuth2. Everything works well, but as the application is growing I want to separate the security part into each module. The main module enables everything:

import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer        // registers the single resource-server filter chain
@EnableAuthorizationServer   // registers the /oauth/** endpoints (token issuing)
@EnableWebSecurity(debug = true)
public class Application {  
  ...
}

Now in each module I defined a bean of type ResourceServerConfigurer

import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@Order(2)
public class Module1SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure( HttpSecurity http ) throws Exception {
      // Resource server: every request carries its own bearer token, so no HTTP session
      http.sessionManagement().sessionCreationPolicy( STATELESS );
      http.antMatcher( "/module1/**")
            .authorizeRequests()
            .antMatchers( "/module1/resource").authenticated()
            .antMatchers( "/module1/test" ).authenticated()
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
   }
}

Same thing with module2:

import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@Order(1)
public class Module2SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure( HttpSecurity http ) throws Exception {
      http.sessionManagement().sessionCreationPolicy( STATELESS );
      http.antMatcher( "/module2/**")
            .authorizeRequests()
            .antMatchers( "/module2/resource").authenticated()
            .antMatchers( "/module2/test" ).authenticated()
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
   }
}

And so on...

The problem is that only one FilterChain is registered, the one with @Order(2). I took a look at the doc of ResourceServerConfigurer and it states this:

... if more than one configures the same property, then the last one wins. The configurers are sorted by Order before being applied

How can I proceed to bypass this limitation? Thanks a lot.

EDIT

Doing this (extending WebSecurityConfigurerAdapter instead of ResourceServerConfigurerAdapter):

@Configuration
@Order(1)
public class Module2SecurityFilterChain extends WebSecurityConfigurerAdapter {...}

seems to register the filter chain, but there is another problem: when I authenticate a user (getting a token on /oauth/token) I can't access a resource protected by this chain, I get a 403 Forbidden. How does this black box work?

jzheaux

You can configure multiple matchers across multiple beans by using requestMatchers().antMatchers(String...) like so:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class Module2SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure(HttpSecurity http) throws Exception {
       http
           .requestMatchers()
               .antMatchers("/module2/**")   // appended to the chain's existing matchers
               .and()                        // RequestMatcherConfigurer has no authorizeRequests(); return to HttpSecurity first
           .authorizeRequests()
               .antMatchers("/module2/resource").authenticated()
               .antMatchers("/module2/test").authenticated()
               .anyRequest().access("#oauth2.hasScope('webclient')");
   }
}

It's a little confusing, but when you call http.antMatcher(String), this is stating that you want to match only against that one endpoint. So, calling it twice (once in Module1SecurityFilterChain and then again in Module2SecurityFilterChain), the second call overrides the first.

However, using http.requestMatchers().antMatchers(String) indicates that the given String should be added to the existing list of endpoints being already matched. You can think of antMatcher as a bit like "setMatcher" and antMatchers like "appendMatcher".
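The following is an added example, not code from the question or the answer, showing the complete multi-module layout that the answer's append semantics make possible. The paths and the 'webclient' scope come from the question; the class names and the trailing catch-all configurer are my own. Because every ResourceServerConfigurer bean is applied, in @Order order, to the same HttpSecurity, all of them contribute to one resource-server chain: requestMatchers() calls union the prefixes and authorizeRequests() calls append to one ordered rule list. Two things follow from that and are handled below: the scope rule is written per prefix rather than with anyRequest(), since an anyRequest() in the first configurer would be placed in front of every rule a later module appends (first match wins, and newer Spring Security releases reject antMatchers after anyRequest at startup); and a lowest-precedence denyAll() closes the chain, because a path that a module added to requestMatchers() without giving it a rule would otherwise be treated as public by FilterSecurityInterceptor.

```java
// Added example, not code from the question or the answer. Class names and the
// catch-all configurer are assumptions; the paths and the 'webclient' scope are from the page.
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/** Module 1 appends its prefix and rules to the single resource-server chain. */
@Configuration
@Order(1)
class Module1ResourceRules extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Bearer tokens carry the identity on every call; never create an HTTP session.
        // The chain is shared, so setting this once in any configurer is enough.
        http.sessionManagement().sessionCreationPolicy(STATELESS);
        http.requestMatchers()
                .antMatchers("/module1/**")       // appended to the chain's matcher set
                .and()
            .authorizeRequests()
                .antMatchers("/module1/resource", "/module1/test").authenticated()
                // Scope rule limited to this module's prefix. anyRequest() here would
                // sit in front of every rule module 2 appends later and shadow them.
                .antMatchers("/module1/**").access("#oauth2.hasScope('webclient')");
    }
}

/** Module 2 does the same for its own prefix; its rules land after module 1's. */
@Configuration
@Order(2)
class Module2ResourceRules extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .antMatchers("/module2/**")
                .and()
            .authorizeRequests()
                .antMatchers("/module2/resource", "/module2/test").authenticated()
                .antMatchers("/module2/**").access("#oauth2.hasScope('webclient')");
    }
}

/**
 * Applied last. A path that some module added to requestMatchers() but gave no
 * authorizeRequests() rule would otherwise be public (FilterSecurityInterceptor's
 * default rejectPublicInvocations=false); this makes the merged chain fail closed.
 */
@Configuration
@Order(Ordered.LOWEST_PRECEDENCE)
class ResourceServerCatchAll extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().denyAll();
    }
}
```

To check the result, keep @EnableWebSecurity(debug = true) from the question and look at the "Creating filter chain" log lines at startup: there should be one resource-server chain whose request matcher is an OrRequestMatcher over /module1/** and /module2/**, not one chain per module, and requests outside those prefixes fall through to the authorization-server and default chains. This also explains the 403 in the question's EDIT: a chain built from a plain WebSecurityConfigurerAdapter does not contain OAuth2AuthenticationProcessingFilter or the #oauth2 expression handler that ResourceServerSecurityConfigurer installs, so a bearer token sent to it is never turned into an authentication.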
