Issue #1024
I am trying to secure oauth authentication and resource using spring-security
I have ResourceServerConfigurerAdapter class annotated with @Order(99) but the filter chain seems to be ignored.
These are my rules :
An anonymous user should be able to access only these endpoints
An authenticated user with ROLE_USER should be able to access only these endpoints
An authenticated user using a jwt can access these endpoints
Reproduction
-
Clone the project
git clone https://github.com/kopax/spring-security-oauth-issues-1024 && cd spring-security-oauth-issues-1024 -
start the server
./gradlew build --info && java -jar build/libs/api-oauth2.jar --spring.profiles.active=default -
get a cookie
export COOKIE=$(curl -v --silent http://localhost:8081/ 2>&1 | grep cookie -i | awk -F ' ' '{print $3}') -
authenticate the cookie
export COOKIE=$(curl --cookie "$COOKIE" -d username=admin -d password=verysecret -v --silent http://localhost:8081/login 2>&1 | grep cookie -i | awk -F ' ' '{print $3}') -
try to get a secured oauth resource at
/curl --cookie "$COOKIE" -v http://localhost:8081/
Expected
http status code 401 due to missing header Authorization
Result
http status code 200
Useful information:
Spring server:
Security account (cookie):
- username:
admin - password:
verysecret
OAuth account (jwt):
- client_id:
myfirstapp - client_secret:
test - redirect_uri:
http://localhost:8081/ - access_token_uri:
http://localhost:8081/oauth/token - authorization_uri:
http://localhost:8081/oauth/authorize - authorization_grant:
code - redirect_uri:
http://localhost:8081/cb/myfirstapp