javaspring-securityoauth-2.0spring-oauth2

error with WebSecurityConfigurerAdapter when migrating springboot application 2.7 to 3.1.1


Good afternoon. I have a Spring Boot 2.7.1 application that I updated to version 3.1.1. The application uses a CustomOpaqueTokenIntrospector to validate tokens. The problem is that in version 3.1.1 "WebSecurityConfigurerAdapter", "cors", "antMatchers" and "oauth2ResourceServer().opaqueToken()" are deprecated, and honestly I'm new to authentication and authorization. Could you help me with an answer on how to correct this problem? I have attached the code of my configuration classes.

Class OpaqueSecurityConfig:

package ec.edu.espe.generalapi.Config.security;

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Security configuration in its pre-migration (Spring Boot 2.7) form: a fixed set of public and
 * API-documentation paths is open to everyone, every other request must be authenticated, and
 * authentication is done with opaque bearer tokens checked by token introspection.
 *
 * <p>The class extends {@code WebSecurityConfigurerAdapter} and uses {@code antMatchers}; both
 * were removed in Spring Security 6, which is why this class no longer compiles after the
 * upgrade to Spring Boot 3.x. The authorization rules themselves do not need to change when the
 * class is migrated to a {@code SecurityFilterChain} bean.
 */
@Configuration
public class OpaqueSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Defines the CORS handling, the authorization rules and the bearer-token authentication
     * for all HTTP requests.
     *
     * @param http the security builder supplied by the adapter
     * @throws Exception if the security configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
       
        // Turns Spring Security's CORS support ON. The CORS policy itself (allowed origins,
        // methods, headers) is not defined in this class. When migrating, the equivalent call
        // must keep CORS enabled, not disable it.
        http.cors();
        http
                .authorizeRequests(authz -> authz
                        // Unauthenticated GET access: public resources plus the OpenAPI/Swagger
                        // documentation. NOTE(review): this exposes the API schema to anonymous
                        // clients - confirm that is intended outside development.
                        // NOTE(review): "swagger-ui-GeneralApi/**" has no leading slash, unlike
                        // every other pattern here; presumably it never matches a request path -
                        // confirm and correct rather than carrying it over unchanged.
                        .antMatchers(HttpMethod.GET, "/public/**", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html", "/apiGeneral-docs/**", "swagger-ui-GeneralApi/**", "/swagger-ui-GeneralApi.html/**").permitAll()
                        // Unauthenticated POST access is limited to /public/**.
                        .antMatchers(HttpMethod.POST, "/public/**").permitAll()
                        // Default deny for anonymous callers: anything not listed above needs a
                        // successfully introspected token.
                        .anyRequest().authenticated())
                // Resource-server support with opaque tokens; no introspector is set here, so
                // the OpaqueTokenIntrospector bean declared below is the one that is used.
                .oauth2ResourceServer().opaqueToken();
    }

    /**
     * Registers the application's own introspector as the {@link OpaqueTokenIntrospector} bean.
     *
     * @param builder             builder used by the introspector to create its HTTP client
     * @param resourceServerProps resource-server properties holding the opaque-token settings
     * @return a new {@code CustomOpaqueTokenIntrospector}
     */
    @Bean
    OpaqueTokenIntrospector tokenIntrospector(RestTemplateBuilder builder, OAuth2ResourceServerProperties resourceServerProps) {
        return new CustomOpaqueTokenIntrospector(builder, resourceServerProps);
    }

}

Class CustomOpaqueTokenIntrospector:

package ec.edu.espe.generalapi.Config.security;

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.web.client.RestOperations;

import java.time.Duration;


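/**
 * {@link OpaqueTokenIntrospector} that checks a bearer token by calling the introspection URI
 * taken from the resource-server properties, sending the token under test as the
 * {@code Authorization: Bearer} credential of that call.
 *
 * <p>NOTE(review): introspection endpoints commonly authenticate the calling resource server
 * with its own client credentials. Here the presented token is the only credential on the
 * request - confirm that the authorization server really expects this, and that the
 * introspection URI is an HTTPS endpoint of a trusted server, because every token a client
 * presents is forwarded to it.
 */
public class CustomOpaqueTokenIntrospector implements OpaqueTokenIntrospector {

    /**
     * Connect and read timeout for the introspection call.
     *
     * <p>NOTE(review): introspection runs on the request path of every authenticated call, so a
     * slow or unreachable authorization server can hold a request thread for up to this long;
     * a much shorter limit is presumably more appropriate - confirm against the server's latency.
     */
    private static final Duration INTROSPECTION_TIMEOUT = Duration.ofSeconds(60);

    // Both collaborators are assigned once in the constructor and never replaced.
    private final OAuth2ResourceServerProperties.Opaquetoken opaqueTokenProps;
    private final RestTemplateBuilder builder;

    /**
     * @param builder             template for the HTTP client created on each introspection
     * @param resourceServerProps resource-server properties; only the opaque-token section is kept
     */
    CustomOpaqueTokenIntrospector(RestTemplateBuilder builder, OAuth2ResourceServerProperties resourceServerProps) {
        this.opaqueTokenProps = resourceServerProps.getOpaquetoken();
        this.builder = builder;
    }

    /**
     * Introspects {@code token} against the configured introspection URI.
     *
     * <p>Exceptions raised by the delegate introspector propagate unchanged.
     *
     * @param token the opaque bearer token taken from the incoming request
     * @return the principal built by {@link NimbusOpaqueTokenIntrospector} from the response
     */
    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // The token is a live credential: it must never be printed or logged, not even while
        // debugging (the commented-out System.out.println(token) was removed for that reason).

        // RestTemplateBuilder is immutable, so defaultHeader(...) returns a new builder and the
        // shared field never accumulates a caller's token. The client has to be built per call
        // because the Authorization header differs for every token.
        RestOperations restOperations = builder
                .defaultHeader("Authorization", "Bearer " + token)
                .setConnectTimeout(INTROSPECTION_TIMEOUT)
                .setReadTimeout(INTROSPECTION_TIMEOUT)
                .build();
        return new NimbusOpaqueTokenIntrospector(opaqueTokenProps.getIntrospectionUri(), restOperations)
                .introspect(token);
    }
}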

and finally:

build.gradle

// Build script for the migrated application. The Spring Boot plugin (3.1.3) together with the
// dependency-management plugin supplies the versions of every dependency below that is declared
// without one.
plugins {
    id 'java'
    id 'org.springframework.boot' version '3.1.3'
    id 'io.spring.dependency-management' version '1.1.3'
}

group = 'example'
version = '0.0.1-SNAPSHOT'

java {
    sourceCompatibility = '17'
}


repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    // NOTE(review): explicit 3.0.0 does not match the 3.1.3 plugin above; a starter declared
    // without a version follows the plugin's managed version - confirm the pin is not intended.
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.0.0'
    // NOTE(review): this is the Gradle build plugin declared as an application dependency, at a
    // Boot 2.x version. The plugin is already applied at 3.1.3 in the plugins block, so this
    // line looks unnecessary and puts a second Spring Boot line on the classpath - confirm.
    implementation 'org.springframework.boot:spring-boot-gradle-plugin:2.7.0'
    compileOnly 'org.projectlombok:lombok'
    // NOTE(review): the springdoc-openapi 1.x artifacts target Spring Boot 2; verify that the
    // Swagger/OpenAPI endpoints permitted in the security configuration still work on Boot 3.
    implementation 'org.springdoc:springdoc-openapi-ui:1.6.12'
    implementation 'org.springdoc:springdoc-openapi-security:1.6.12'
    // NOTE(review): explicitly pinned driver version; an explicit pin does not move when the
    // Boot version is upgraded, so review it against the driver's current security advisories.
    implementation group: 'org.postgresql', name: 'postgresql', version: '42.3.1'
    // NOTE(review): explicitly pinned OAuth2/OIDC SDK version; the same caveat as for the
    // driver applies, and it should match what the resource-server starter expects - confirm.
    runtimeOnly 'com.nimbusds:oauth2-oidc-sdk:9.2.4'
    // NOTE(review): a Boot 2.6.1 starter in a Boot 3.1.3 build; presumably it should be declared
    // without a version like the starters above - confirm.
    implementation 'org.springframework.boot:spring-boot-starter-actuator:2.6.1'
    runtimeOnly 'com.oracle.database.jdbc:ojdbc8'
    annotationProcessor 'org.projectlombok:lombok'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

// Run the tests on the JUnit Platform.
tasks.named('test') {
    useJUnitPlatform()
}

Solution

  • If the problem is only the migration, that is, replacing the old configuration:

    You should remove extends WebSecurityConfigurerAdapter.

    The configuration class will look like this:

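    /**
     * Security configuration without {@code WebSecurityConfigurerAdapter}: the rules are
     * published as a {@code SecurityFilterChain} bean instead of overriding {@code configure}.
     *
     * <p>The authorization rules are the ones from the original class: the listed public and
     * API-documentation paths are open, everything else requires a successfully introspected
     * opaque bearer token.
     */
    @Configuration
    @EnableWebSecurity
    public class OpaqueSecurityConfig {

      /**
       * Builds the filter chain that applies CORS handling, the authorization rules and
       * opaque-token authentication.
       *
       * @param http the security builder provided by Spring Security
       * @return the configured filter chain
       * @throws Exception if the chain cannot be built
       */
      @Bean
      public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        // The class being migrated called http.cors(), which turns CORS support ON. The lambda
        // equivalent is Customizer.withDefaults(); AbstractHttpConfigurer::disable would do the
        // opposite and switch CORS handling off in the security chain.
        http.cors(Customizer.withDefaults());
        http.authorizeHttpRequests(request -> request
            // NOTE(review): "swagger-ui-GeneralApi/**" has no leading slash, unlike the other
            // patterns; presumably it never matches a request path - confirm and correct it
            // rather than widening or narrowing public access by accident.
            .requestMatchers(HttpMethod.GET,
                "/public/**", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html", "/apiGeneral-docs/**", "swagger-ui-GeneralApi/**", "/swagger-ui-GeneralApi.html/**").permitAll()
            .requestMatchers(HttpMethod.POST, "/public/**").permitAll()
            // Everything not listed above needs an authenticated caller.
            .anyRequest().authenticated());
        // No introspector is set on the configurer, so the OpaqueTokenIntrospector bean
        // declared below is the one that is used.
        http.oauth2ResourceServer(c -> c.opaqueToken(Customizer.withDefaults()));

        return http.build();
      }

      /**
       * Registers the application's own introspector as the {@code OpaqueTokenIntrospector} bean.
       *
       * @param builder             builder used by the introspector to create its HTTP client
       * @param resourceServerProps resource-server properties holding the opaque-token settings
       * @return a new {@code CustomOpaqueTokenIntrospector}
       */
      @Bean
      OpaqueTokenIntrospector tokenIntrospector(RestTemplateBuilder builder, OAuth2ResourceServerProperties resourceServerProps) {
        return new CustomOpaqueTokenIntrospector(builder, resourceServerProps);
      }

    }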
    

    But I really suggest you check the following resources:

    spring-security-without-the-websecurityconfigureradapter

    Migration Guide

    In the Gradle build file, also update the version in

    implementation 'org.springframework.boot:spring-boot-gradle-plugin:2.7.0'

    to the one you use in the project (the plugins block of the build file above applies this plugin at 3.1.3).