#1024
IssueI am trying to secure oauth authentication and resource using spring-security
I have ResourceServerConfigurerAdapter
class annotated with @Order(99)
but the filter chain seems to be ignored.
These are my rules :
An anonymous user should be able to access only these endpoints
An authenticated user with ROLE_USER
should be able to access only these endpoints
An authenticated user using a jwt can access these endpoints
Reproduction
-
Clone the project
git clone https://github.com/kopax/spring-security-oauth-issues-1024 && cd spring-security-oauth-issues-1024
-
start the server
./gradlew build --info && java -jar build/libs/api-oauth2.jar --spring.profiles.active=default
-
get a cookie
export COOKIE=$(curl -v --silent http://localhost:8081/ 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')
-
authenticate the cookie
export COOKIE=$(curl --cookie "$COOKIE" -d username=admin -d password=verysecret -v --silent http://localhost:8081/login 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')
-
try to get a secured oauth resource at
/
curl --cookie "$COOKIE" -v http://localhost:8081/
Expected
http status code 401
due to missing header Authorization
Result
http status code 200
Useful information:
Spring server:
Security account (cookie):
- username:
admin
- password:
verysecret
OAuth account (jwt):
- client_id:
myfirstapp
- client_secret:
test
- redirect_uri:
http://localhost:8081/
- access_token_uri:
http://localhost:8081/oauth/token
- authorization_uri:
http://localhost:8081/oauth/authorize
- authorization_grant:
code
- redirect_uri:
http://localhost:8081/cb/myfirstapp