Unable to have a secure and non secure endpoint in a single Oauth secured Spring controller -

-

i putting rest api using spring boot secured via oauth2. have security application built working fine managing jwt tokens.

i putting separate application handle general user profile resource requests such forgot password, registration , profile operations. annotated enableoauth2resource correctly adding oauth2authenticationprocessingfilter filter chain.

@springbootapplication @enableoauth2resource public class profileapplication extends springbootservletinitializer {      public static void main(string[] args) throws ioexception {         springapplication.run(profileapplication.class, args);     }      @override     protected springapplicationbuilder configure(springapplicationbuilder application) {         return application.sources(profileapplication.class);     } }

the challenge facing cannot find way configure security post requests /profiles endpoint unsecured while requests or put pass in derived @authenticationprincipal provided bearer token.

i want have following in place within api post /profile create new user - no security /profile/{id} user id - requires admin permission or user authd post /password/reset - starts password reset - no security

i have following bean configure security

@configuration @enableglobalmethodsecurity(prepostenabled = true) @order(-10) //securityproperties.access_override_order) class securityconfig extends websecurityconfigureradapter {      @override      protected void configure(httpsecurity http) throws exception {         http.authorizerequests()                 .antmatchers("/", "/public/**").permitall()                                 .antmatchers(httpmethod.post, "/profiles/**").permitall()                 .antmatchers(httpmethod.get, "/profiles/**").fullyauthenticated()                 .antmatchers("/password/**").permitall()                 .anyrequest().fullyauthenticated()                 .and()                 .csrf().disable();     } }

with above endpoint invocation fails 403 error without attempt lookup current user token post go through. looking in logs no longer see oauth2authenticationprocessingfilter in filter chain. attempt addd additional filters appears cause no longer registered.

this controller method looks like:

@requestmapping(method = {requestmethod.get}, value="/profiles/{login:.+}") @responsebody public responseentity<profile> get(@authenticationprincipal principal currentuser, @pathvariable string login) {

if set order securityproperties.access_override_order request works , see lookup against oauth service based on profile in jwt bearer token post requests either profile or password controller fails 401. seems code never reaches filter , instead being intercepted oauth2authenticationprocessingfilter , request failing auth off bat.

is there way partially secure spring boot application when using @enableoauth2resource? have setup different configuration bean provide necessary overrides , if so, based on interface?

i think should move oauth2 resources request matchers in securityconfig , allow them handled resource server filter - class extending resourceserverconfigureradapter.

my answer inspired dave syer's answer given here. can find security config here.

or else try giving higher order bean.


Comments

  1. Natural gas25 February 2018 at 11:40

    Nice blog... Secure endpoint is really very important for network security. I found lot of information on secure endpoint. Thanks for sharing

    ReplyDelete

Post a Comment

Popular posts from this blog

yii2 - Yii 2 Running a Cron in the basic template -

-
i have seen instructions on running cron in advanced template, cant figure out how on basic template. have following controller in basic controllers folder. <?php namespace app\controllers; use yii\console\controller; /** * cron controller */ class croncontroller extends controller { public function actionindex() { echo "cron service runnning"; } public function actionmail($to) { echo "sending mail " . $to; } } i have navigated root of application , tried these comands yii cron php yii cron im getting unknown comand "cron" i know old question failed find actual answer this. if @ code yii exec file you'll notice requires /common/config/aliases.php file console/config/main.php. can naturally change these or copy on these advanced template. hope solves problem wanting same thing.
Read more

asp.net - 'System.Web.HttpContext' does not contain a definition for 'GetOwinContext' Mystery -

-
i realize question might seem trivial some, it's these types of things find myself fighting quite bit , want make sense of despite seeming losing battle in .net (for me anyway). so, if following: using system.web; ... applicationuser user = system.web.httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); that produces error in title , red getowincontext() , error cannot resolve symbol 'getowincontext()' however, if following (remove system.web in front of httpcontext ), works expected (or @ least no errors): using system.web; ... applicationuser user = httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); however, if (same line that's working using system.web commented out): //using system.web; ... applicationuser user = httpcontext.getowincontext().getusermana...
Read more

mercurial graft feature, can it copy? -

-
there new feature in mercurial 3, called 'graft' (graft local). job of moving change-set different branch. is there way "copy" change-set branch? i interested in in moving stuff qa branch production branch, still need code reside in qa. want copy. found , have tried few things, maybe it'll become clear more tinkering , reading... does have better way of 'cherry picking' change-sets move cross branch (or trunk)??? graft copies changesets, doesn't move them. hg graft (emphasis mine): this command uses mercurial's merge logic copy individual changes other branches without merging branches in history graph. known 'backporting' or 'cherry-picking' . default, graft copy user, date, , description source changesets.
Read more