spring-attic/spring-security-oauth

Dual security in spring boot application - OAuth2 (jwt token bearer) + X509 (certificates)

icstreispe opened this issue · 0 comments

icstreispe commented

tried to create a spring boot configuration with dual security checks on requests (Oauth2 token bearer and X509 certificates). I had 2 alternative ideas in mind, but cannot make it work either

  1. dedicated endpoints for each type of securyt validation (/certif for certification validation, /token for token validation)
  2. all endpoints checked with either token or certificate validation anything sucessfull would apply

This is my configuration that tries to achieve idea no 1:

@EnableResourceServer
@Configuration
@Order(1)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Value("${xxx.auth.resourceId}")
    private String resourceId;

    @Autowired
    private DefaultTokenServices tokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(resourceId)
                .tokenServices(tokenServices)
                .tokenExtractor(new BearerTokenExtractor());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .antMatchers("/unsecured/**")
                .antMatchers("/token/**")
            .and().authorizeRequests()
                .antMatchers("/unsecured/**").permitAll()
                .anyRequest().authenticated()
            ;
     }
}


@EnableResourceServer
@Configuration
@Order(2)
public class X509ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        
                http.requestMatchers()
                        .antMatchers("/certif/**")
                .and()
                .authorizeRequests()
                        .antMatchers("/certif/**").hasAuthority("AUTH")
                .and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) {
                if (username.startsWith("xxx") || username.startsWith("XXX")) {
                    return new User(username, "",
                            AuthorityUtils
                                    .commaSeparatedStringToAuthorityList("AUTH"));
                }
                throw new UsernameNotFoundException("User not found!");
            }
        };
    }
}

For some reason I cannot make it work because filter OAuth2AuthenticationProcessingFilter seems to be deleting the authorization token created by filter X509AuthenticationFilter when I make a call with a certificate to /certif/info. I must mention that ResourceServerConfiguration is working ok when used alone and the /token/info endpoint is called with a token.

Mentioned filters are in spring-security-oauth:2.3.8 & spring-security-web:5.6.2
Orders have been changed in every direction but they seem to have no effect on how the filters are applied.
Any idea what is going on and how can I avoid this problem in order to achieve the desired behaviour?