javaspring-bootspring-securityoauth-2.0spring-security-oauth2
Getting 403 error in Spring security oauth while accessing application specific urls (access_token is valid and csrf is disabled)
UPDATE
(Answer by Chids is for the problem that I posted earlier which was getting 403 error for /oauth/token. That error is resolved and am stuck at the next step .I have modified the question accordingly.)
Problem:
I am trying to implement OAuth 2.0 with Spring security. And I am successful in obtaining the access_token by making a post request to /oauth/token.
But when I use this access token to use any other secured url I am getting 403.
I have followed multiple questions on SO but all of them suggest to disable csrf for my problem. Issue is I have already disabled that but still getting error.
Can someone guide me whether I am constructing the post request in a wrong way or whether some config is missing.
My post request through postman looks like:
Config on google:
Resource Server
@Configuration
@EnableResourceServer
@Order(3)
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.requestMatchers().antMatchers("/auth/**")
.and()
.authorizeRequests()
.antMatchers("/auth/**").authenticated();
}
}
Authorization server
@Configuration
@EnableAuthorizationServer
public class Oauth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
private UserApprovalHandler handler;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authManager;
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("568176070083-1lc20949a0q58l0rhmq93n95kvu8s5o6.apps.googleusercontent.com")
.secret("lNfK3wOaVibgu96il6WLrkTh")
.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "trust")
.accessTokenValiditySeconds(120)
.refreshTokenValiditySeconds(600);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore).userApprovalHandler(handler)
.authenticationManager(authManager);
}
}
Security Config
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan(basePackages = "com.saml.demo")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("admin123").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/oauth/token").permitAll()
.anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
@Autowired
public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore);
return store;
}
}
Solution
It should be because, you are disabling all anonymous access in your configure block. You can change it to the following
@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/oauth/token/revokeById/**").permitAll()
.antMatchers("/tokens/**").permitAll().anyRequest().authenticated().and().formLogin().permitAll().and()
.csrf().disable();
// @formatter:on
}
- XBee using the Java Lib on Raspberry Pi
- Lib folder is missing when creating java project in Eclipse Neon.2 Release (4.6.2)
- Activiti Tomcat configuration
- Why do I get "Cannot resolve symbol" when trying to use class from library?
- How to set SameSite and Secure attribute to JSESSIONID cookie
- Failed to resolve: com.github Affected Modules
- Failed to resolve: lib
- class loading in tomcat on demand when 2 versions of a lib are present?
- JPA: Duplicate Entry When Adding Child Entity (One-To-Many)
- NoClassDefFoundError when running app with external lib with Tomcat
- NoClassDefFoundError from inside a jar
- How to run a jar with external libs
- Import json-simple from Maven failed
- How to override default jar present inside jre/lib folder
- How do you access Kotlin Library Sealed Classes as Error Handling in Java?
- How do I properly create a Library in Java?
- Is there a way to print cron-expressions in human readable form?
- How to force Maven in IntelliJ to pull specific dependency from local .m2 repository
- package com.fasterxml.jackson.databind.annotation does not exist
- How to use custom class annotation in testng listener java
- How to map this Json with rest template spring boot
- Avoid Jackson serialization on non fetched lazy objects
- Images not loading after creating Jar
- LoggerFactory.getLogger cannot be resolved to a type
- Jackson triggering JPA Lazy Fetching on serialization
- Detect on/off Key Press Android
- Is there a free package for reading, manipulating and writing ASN.1 in Java?
- Can you store a variable inside a if-clause?
- Where to download eclipse IDE (there's 2 main links and they all both completely different installers)
- Mocking object called in lambda invoked from mocked object