Spring Security OAuth2およびフォームログイン構成

Question

私のプロジェクトは、JSF管理パネルとRESTfullサービスという2つの異なる部分で構成されています。ユーザーがナビゲートするURLに応じて異なる認証方法を使用するようにSpring Securityをセットアップしようとしています。

要件は

JSFページに移動するユーザーには、フォーム認証を使用して認証するログイン画面が表示されます。
RESTサービスに移動するユーザーは、トークンの付与に基本認証を伴うOAuth2暗黙認証を使用します。

個別の構成はそれ自体で機能しますが、問題は、両方を1つの構成に結合しようとする場合です。その場合、RESTプロバイダーが邪魔になり、各要求を認証してもリクエストは管理URLに送信されます（これは春のセキュリティ注文から文書化されています）。

私のサンプル構成は次のとおりです。

フォームログイン（JSF）の場合

@Override @Order(1) protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/resources/**").permitAll() .antMatchers("/templates/**").permitAll() .antMatchers("/401.html").permitAll() .antMatchers("/404.html").permitAll() .antMatchers("/500.html").permitAll() .antMatchers("/api/**").permitAll() .antMatchers("/ui/admin.xhtml").hasAnyAuthority("admin", "ADMIN") .antMatchers("/thymeleaf").hasAnyAuthority("admin", "ADMIN") //.anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/ui/index.xhtml") .failureUrl("/login?error=1") .permitAll() .and() .logout() .permitAll() .and() .rememberMe() .and().exceptionHandling().accessDeniedPage("/error/403");

OAuth2セキュリティー構成（REST）

@EnableResourceServer @Order(2) public class RestSecurityConfig extends WebSecurityConfigurerAdapter { @Inject private UserRepository userRepository; @Inject private PasswordEncoder passwordEncoder; @Bean ApplicationListener<AbstractAuthorizationEvent> loggerBean() { return new AuthenticationLoggerListener(); } @Bean AccessDeniedHandler accessDeniedHandler() { return new AccessDeniedExceptionHandler(); } @Bean AuthenticationEntryPoint entryPointBean() { return new UnauthorizedEntryPoint(); } /*Override public void configure(WebSecurity web) throws Exception { web.ignoring() .antMatchers( "/resources/**" , "/templates/**" , "/login" , "/logout" , "/ui/**" , "/401.html" , "/404.html" , "/500.html" ); }*/ @Override protected void configure(HttpSecurity http) throws Exception { ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class); if (contentNegotiationStrategy == null) { contentNegotiationStrategy = new HeaderContentNegotiationStrategy(); } MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON, MediaType.MULTIPART_FORM_DATA); http.authorizeRequests() .antMatchers("/ui/**").permitAll() .and() .anonymous().disable() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().httpBasic() .and() .exceptionHandling() .accessDeniedHandler(accessDeniedHandler()) // handle access denied in general (for example comming from @PreAuthorization .authenticationEntryPoint(entryPointBean()) // handle authentication exceptions for unauthorized calls. .defaultAuthenticationEntryPointFor(entryPointBean(), preferredMatcher) .and() .authorizeRequests() .antMatchers("/api/**").fullyAuthenticated(); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(new UserDetailsService() { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { User user = userRepository.findOneByUsername(s); if (null == user) { // leave that to be handled by log listener throw new UsernameNotFoundException("The user with email " + s + " was not found"); } return (UserDetails) user; } }).passwordEncoder(passwordEncoder); } @Configuration @EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Bean public JwtAccessTokenConverter accessTokenConverter() { return new JwtAccessTokenConverter(); } @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')"); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager).accessTokenConverter(accessTokenConverter()); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("xxx") .resourceIds(xxx) .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") .scopes("read", "write", "trust", "update") .accessTokenValiditySeconds(xxx) .refreshTokenValiditySeconds(xxx) .secret("xxx") } } }

これらの構成はさまざまなクラスに存在し、順序は手動で設定されます。

この問題の解決策はありますか？

ベスト、

Kamill Sokol · Accepted Answer

セキュリティ構成を調整しようとしました。残念ながら、リファレンスアプリケーションがないため、この構成を検証できません。

多分それはあなたを助けることができます：

@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserRepository userRepository; @Autowired private PasswordEncoder passwordEncoder; @Autowired protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(new UserDetailsService() { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { User user = userRepository.findOneByUsername(s); if (null == user) { throw new UsernameNotFoundException("The user with email " + s + " was not found"); } return (UserDetails) user; } }).passwordEncoder(passwordEncoder); } @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() .antMatchers("/resources/**" , "/templates/**" , "/login" , "/logout" , "/ui/**" , "/401.html" , "/404.html" , "/500.html"); } @Configuration @EnableAuthorizationServer public static class OAuth2Configuration extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Bean public JwtAccessTokenConverter accessTokenConverter() { return new JwtAccessTokenConverter(); } @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')"); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager).accessTokenConverter(accessTokenConverter()); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("xxx") .resourceIds("xxx") .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") .scopes("read", "write", "trust", "update") .accessTokenValiditySeconds(xxx) .refreshTokenValiditySeconds(xxx) .secret("xxx"); } } @Configuration @Order(1) public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/ui/admin.xhtml").hasAnyAuthority("admin", "ADMIN") .antMatchers("/thymeleaf").hasAnyAuthority("admin", "ADMIN") .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/ui/index.xhtml") .failureUrl("/login?error=1") .permitAll() .and() .logout() .permitAll() .and() .rememberMe() .and().exceptionHandling().accessDeniedPage("/error/403"); } } @Order(2) @Configuration @EnableResourceServer public static class CustomResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter { @Bean ApplicationListener<AbstractAuthorizationEvent> loggerBean() { return new AuthenticationLoggerListener(); } @Bean AccessDeniedHandler accessDeniedHandler() { return new AccessDeniedExceptionHandler(); } @Bean AuthenticationEntryPoint entryPointBean() { return new UnauthorizedEntryPoint(); } @Override public void configure(HttpSecurity http) throws Exception { ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class); if (contentNegotiationStrategy == null) { contentNegotiationStrategy = new HeaderContentNegotiationStrategy(); } MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON, MediaType.MULTIPART_FORM_DATA); http.authorizeRequests() .and() .anonymous().disable() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().httpBasic() .and() .exceptionHandling() .accessDeniedHandler(accessDeniedHandler()) // handle access denied in general (for example comming from @PreAuthorization .authenticationEntryPoint(entryPointBean()) // handle authentication exceptions for unauthorized calls. .defaultAuthenticationEntryPointFor(entryPointBean(), preferredMatcher) .and() .authorizeRequests() .antMatchers("/api/**").fullyAuthenticated(); } } }