I am running a sample resource server using Spring Boot and when I run it without adding a custom SecurityFilterChain bean, everything works fine. When I provide a custom SecurityFilterChain it gives a 401 and sometimes a 403.
Here is my Gradle file:
plugins {
java
id("org.springframework.boot") version "3.2.0"
id("io.spring.dependency-management") version "1.1.4"
}
group = "com.resource.server"
version = "0.0.1-SNAPSHOT"
java {
sourceCompatibility = JavaVersion.VERSION_17
}
repositories {
mavenCentral()
}
dependencies {
implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
implementation("org.springframework.boot:spring-boot-starter-web")
testImplementation("org.springframework.boot:spring-boot-starter-test")
}
tasks.withType<Test> {
useJUnitPlatform()
}
Here is what I have in my application.properties:
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://mydomain.auth0.com/
spring.security.oauth2.resourceserver.jwt.issuer-audience=aud-name
Here is my SecurityFilterChain class
package com.resource.server.resourceserver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.httpBasic(withDefaults());
return http.build();
}
}
Here is the basic controller I use to test the application:
package com.resource.server.resourceserver;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@RequestMapping("/hello")
public String sayHi(){
return "Hi";
}
}
Here is what I get in the logs:
2023-12-21T08:13:55.404+02:00 INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2023-12-21T08:13:55.405+02:00 INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2023-12-21T08:13:55.408+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy : Securing GET /
2023-12-21T08:13:55.409+02:00 WARN 181669 --- [nio-8082-exec-1] o.s.w.s.h.HandlerMappingIntrospector : Cache miss for REQUEST dispatch to '/' (previous null). Performing CorsConfiguration lookup. This is logged once only at WARN level, and every time at TRACE.
2023-12-21T08:13:55.414+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8082/?continue to session
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8082/error?continue to session
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.423+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239
I've tried a few tutorials and tried starting from scratch. I've also tried Googling the log error messages but I did not find anything that really made much sense.
I made this update and it helped fix it - code from here: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html. I don't quite understand what was the issue with the initial version though. If anyone could help me understand, it would be great
@Configuration
@EnableWebSecurity
public class DirectlyConfiguredJwkSetUri {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
)
);
return http.build();
}
}```
The main different of first way and second one of your configuration is in
.httpBasic(withDefaults()); that mean you enabled HTTP Basic authentication for an application, that is wrong in your case because you have to configure Resource Server based on your gradle dependencies imports:
implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
And the second configuration fix it because you declared how to threat it.
oauth2ResourceServer()
And also how you pointed you have a JWT token that is default one in this kind of configuration. More deep details about it Resource Server JWT
Also
.jwt(jwt -> jwt
.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
)
If the authorization server doesn’t support any configuration endpoints, or if Resource Server must be able to start up independently from the authorization server