Develop Reference

Spring Boot Oauth2 authorization server not accepting valid tokens

I have problems setting up a simple microservice system using Spring Boot's OAuth2 capabilities.
What I want to do is to set up a Spring Boot Authorization Server handling registration, authorization and user data management. Besides that, I'd like to set up a Resource Server handling the logic of the application.
Because all data is stored related to the user's ID, the resource server has to request the ID from authorization server. Therefore, I've set up the following user info endpoint:
#Controller
public class UserInfoEndpoint {
private UserManagementBean userManagementBean;
#Autowired
public UserInfoEndpoint(final UserManagementBean userManagementBean) {
this.userManagementBean = userManagementBean;
}
#GetMapping("/user/me")
#ResponseBody
public Principal user(final Principal principal) throws PRPException {
User user = userManagementBean.loadUser(principal.getName());
#SuppressWarnings("unused")
Principal retVal = new Principal() {
#Override
public String getName() {
return user.getId().toString();
}
public String getPrimaryEmail() {
return user.getPrimaryEmail();
}
};
return retVal;
}
}
At the moment, I'm using JWK to sign the tokens. I am able to access this endpoint with Postman, where I get the following result:
{
"primaryEmail": "eric#live.de",
"name": "3"
}
However, when trying to obtain user information with the resource server
#Bean
#RequestScope
public OAuth2Authentication userInfo(final HttpServletRequest request) {
UserInfoTokenServices services = new UserInfoTokenServices("http://localhost:8081/user/me", "PRPBackend");
services.setPrincipalExtractor(principalExtractor());
String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
String tokenString = authHeader.replace("Bearer ", "").replace("bearer ", "");
DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenString);
AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setAccessTokenUri("http://localhost:8081/oauth/token");
resource.setClientId("PRPBackend");
resource.setClientSecret("secret");
resource.setUserAuthorizationUri("http://localhost:8081/oauth/authorize");
resource.setAuthenticationScheme(AuthenticationScheme.header);
resource.setClientAuthenticationScheme(AuthenticationScheme.header);
OAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
clientContext.setPreservedState("key", "abcdef");
clientContext.setAccessToken(accessToken);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resource, clientContext);
services.setRestTemplate(restTemplate);
OAuth2Authentication authentication = services.loadAuthentication(tokenString);
return authentication;
}
the authorization server tells me, that the user is anonymous.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /logout'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.security.web.FilterChainProxy : /user/me at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/actuator/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/favicon.ico'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/login'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/confirm/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/signup'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/oauth/authorize'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/css/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/me'; against '/img/**'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'OPTIONS /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /user/me' doesn't match 'POST /oauth/token'
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /user/me; Attributes: [authenticated]
2019-12-16 06:28:30.532 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#74903b51: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-12-16 06:28:30.533 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#33824388, returned: -1
2019-12-16 06:28:30.545 DEBUG 7018 --- [nio-8081-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) [spring-boot-actuator-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at com.prp.auth.security.filter.SimpleCorsFilter.doFilter(SimpleCorsFilter.java:38) [main/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579) [tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_222]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.27.jar:9.0.27]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_222]
and returns the login page.
I've tried several configs, but nothing worked. Here's my security config of the authorization server:
#Override
protected void configure(final HttpSecurity http) throws Exception {
// #formatter:off
http.requestMatchers().and()
.authorizeRequests()
.and()
.authorizeRequests()
.antMatchers("/actuator/**", "/favicon.ico").permitAll()
.antMatchers(HttpMethod.GET, "/login", "/confirm/**", "/signup",
"/oauth/authorize", "/css/**", "/img/**").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
.and().formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().anyRequest().authenticated()
.and().headers().frameOptions().disable()
.and().cors().configurationSource(new CorsConfigurationSource() {
#Override
public CorsConfiguration getCorsConfiguration(final HttpServletRequest request) {
CorsConfiguration conf = new CorsConfiguration();
List<String> allowedOrigins = new ArrayList<>();
allowedOrigins.add("http://localhost:8000");
conf.setAllowedOrigins(allowedOrigins);
List<String> allowedMethods = new ArrayList<>();
allowedMethods.add("POST");
conf.setAllowedMethods(allowedMethods);
return conf;
}
});
}
EDIT:
I've been trying to access the same endpoint via Postman and JQuery. Postman is able to fetch the user's data, the JQuery implementation gets the same error as described above.
One more edit:
The JQuery request I'm testing with is the following:
fetchUser() {
let ref = this;
console.log("Calling URL to load user information: " + localStorageManager.loadOauthProvider() + "/user/me");
$.ajax({
url: localStorageManager.loadOauthProvider() + "/user/me",
method: "GET",
headers: ref.oauth2.authorizationHeader,
success: function(data, status, xhr) {
console.log("Fetch user response: " + JSON.stringify(data));
},
error: function(xhr, status, error) {
console.log("Error: " + error);
}
});
}
The result:
Fetch user response: "<!doctype html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\"\n\tcontent=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n<meta name=\"description\" content=\"\">\n<meta name=\"author\" content=\"\">\n<link rel=\"icon\" href=\"/img/favicon.ico\">\n\n<title>Login</title>\n<link rel=\"stylesheet\"\n\thref=\"/css/bootstrap.min.css\" />\n\n<!-- Custom styles for this template -->\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/css/login.css\" />\n\n</head>\n\n<body class=\"text-center\">\n\n\t<form name=\"login\" action=\"/login\" method=\"post\"\n\t\tclass=\"form-signin\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">LEVO</h1>\n\t\t<img class=\"mb-4\" src=\"/img/logo.png\" alt=\"\" width=\"72\"\n\t\t\theight=\"72\">\n\t\t<h1 class=\"h3 mb-3 font-weight-normal\">\n\t\t\t<span>Anmelden</span>\n\t\t</h1>\n\t\t\n\t\t\n\t\t<label for=\"username\" class=\"sr-only\">E-Mail</label>\n\t\t<input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\"\n\t\t\tplaceholder=\"E-Mail\" required autofocus>\n\t\t<label for=\"password\" class=\"sr-only\"></label>\n\t\t<input type=\"password\" id=\"password\" name=\"password\"\n\t\t\tclass=\"form-control\" placeholder=\"Passwort\"\n\t\t\trequired>\n\t\t<div class=\"checkbox mb-3\">\n\t\t\t<label> <input type=\"checkbox\" value=\"remember-me\"> <span>Angemeldet bleiben</span>\n\t\t\t</label>\n\t\t</div>\n\t\t<button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">\n\t\t\t<span>Anmelden</span>\n\t\t</button>\n\t\t<a class=\"nav-link\" href=\"/signup\">\n\t\t\t<span data-feather=\"home\"></span>\n\t\t\t<span>Hier registrieren</span>\n\t\t</a>\n\n\t\t<p class=\"mt-5 mb-3 text-muted\">© Levo 2019</p>\n\t</form>\n\n\n</body>\n</html>"
Postman is creating the following request, which works:
GET /user/me HTTP/1.1 Host: localhost:8081 Authorization: Bearer [...]

From my point of view your SecurityConfig handles not what you expect. Your first rule http.requestMatchers().and().authorizeRequests() means:
requestMatchers() configures if an URL will be processed by that SecurityFilterChain. So if an URL does not match it , the whole SecurityFilterChain will be skipped which means Spring Security will not handle this URL after that. If you do not configure it, the default is to match all URLs.
So you need to define your antMatchers Resources which should be processed by this SecurityFilerChain. If you change this rule to the following basic config http.requestMatchers().antMatchers("/")... the user endpoint should work as expected.
The reason behind this is, that the endpoint /user/me should not be handled/overridden by this SecurityConfigChain. So if you have enabled the ResourceServer of Spring in a default way, the default config is used for this endpoint.
So in this antMatchers("/") you should define all resources which should be handled by this security filter but not the user/me.

You have both #EnableAuthorizationServer, #EnableResourceServer in AuthServerConfig which might be causing the issue. Remove #EnableResourceServer as you are extending the AuthorizationServerConfigurerAdapter with AuthServerConfig
Change
#Configuration
#EnableAuthorizationServer
#EnableResourceServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter
To
#Configuration
#EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter

How to Authorize Rest API call after the successful authentication in Springboot and Spring Security

I have a Restful APIs developed using Springboot. Also, I have implementioned external ldap authentication.
http://localhost:8080/login?username=test&password=test goes through the ldap authentication and it is working fine as expected.
My Spring security implementation is below. I am restricting all the API calls and needs to be authenticated.
#Configuration
#EnableWebSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
...
...
}
My login request works and all the API calls are not getting authenticated, even after the successful login. I can see the logs show that ldap authentication is success and creates the SecurityContext. And my next API call does not have this SecurityContext created in the previous login request.
My logs are below.
2019-10-11 02:22:31.567 DEBUG 39216 --- [nio-8080-exec-1]
o.s.security.web.FilterChainProxy :
/login?username=test&password=test at position 5 of 11 in additional
filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-10-11 02:22:31.567 DEBUG 39216 --- [nio-8080-exec-1]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request :
'/login'; against '/login' 2019-10-11 02:22:31.567 DEBUG 39216 ---
[nio-8080-exec-1] w.a.UsernamePasswordAuthenticationFilter : Request
is to process authentication 2019-10-11 02:22:31.570 DEBUG 39216 ---
[nio-8080-exec-1] o.s.s.authentication.ProviderManager :
Authentication attempt using
portal.services.security.CustomActiveDirectoryLdapAuthenticationProvider
2019-10-11 02:22:32.767 DEBUG 39216 --- [nio-8080-exec-1]
o.s.s.ldap.SpringSecurityLdapTemplate : Searching for entry under
DN '', base = 'dc=abc,dc=com', filter = '(&(objectClass=Person)
((sAMAccountName=12323)))' 2019-10-11 02:22:32.777 DEBUG 39216 ---
[nio-8080-exec-1] o.s.s.ldap.SpringSecurityLdapTemplate : Found DN:
CN=Test Name,OU=Users,DC=com 2019-10-11 02:22:32.779 INFO 39216 ---
[nio-8080-exec-1] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring
PartialResultException 2019-10-11 02:22:32.896 DEBUG 39216 ---
[nio-8080-exec-1] o.s.s.l.u.LdapUserDetailsMapper : Mapping
user details from context with DN: CN=test name,OU=Users,DC=com
2019-10-11 02:22:32.899 DEBUG 39216 --- [nio-8080-exec-1]
s.CompositeSessionAuthenticationStrategy : Delegating to
org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#45a4b042
2019-10-11 02:22:32.899 DEBUG 39216 --- [nio-8080-exec-1]
w.a.UsernamePasswordAuthenticationFilter : Authentication success.
Updating SecurityContextHolder to contain:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken#ff0ce9d1:
Principal:
org.springframework.security.ldap.userdetails.LdapUserDetailsImpl#7a480d2:
Dn: CN=Test name,OU=Users,DC=com; Username: test; Password:
[PROTECTED]; Enabled: true; AccountNonExpired: true;
CredentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ADMIN; Credentials: [PROTECTED]; Authenticated: true;
Details: Users; Granted Authorities: ADMIN 2019-10-11 02:22:33.117
DEBUG 39216 --- [nio-8080-exec-1]
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header
since it did not match the requestMatcher
org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#17741df1
2019-10-11 02:22:33.117 DEBUG 39216 --- [nio-8080-exec-1]
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now
cleared, as request processing completed 2019-10-11 02:22:33.650 DEBUG
39216 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy :
/admin/getCutOffDays at position 1 of 11 in additional filter chain;
firing Filter: 'WebAsyncManagerIntegrationFilter' 2019-10-11
02:22:33.650 DEBUG 39216 --- [nio-8080-exec-2]
o.s.security.web.FilterChainProxy : /admin/getCutOffDays at
position 2 of 11 in additional filter chain; firing Filter:
'SecurityContextPersistenceFilter' 2019-10-11 02:22:33.654 DEBUG 39216
--- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /admin/getCutOffDays at position 3 of 11 in additional filter chain;
firing Filter: 'HeaderWriterFilter' 2019-10-11 02:22:33.654 DEBUG
39216 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy :
/admin/getCutOffDays at position 4 of 11 in additional filter chain;
firing Filter: 'LogoutFilter' 2019-10-11 02:22:33.654 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.web.util.matcher.OrRequestMatcher : Trying to
match using Ant [pattern='/logout', GET] 2019-10-11 02:22:33.655 DEBUG
39216 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher :
Request 'OPTIONS /admin/getCutOffDays' doesn't match 'GET /logout
2019-10-11 02:22:33.655 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant
[pattern='/logout', POST] 2019-10-11 02:22:33.655 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request
'OPTIONS /admin/getCutOffDays' doesn't match 'POST /logout 2019-10-11
02:22:33.655 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant
[pattern='/logout', PUT] 2019-10-11 02:22:33.655 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request
'OPTIONS /admin/getCutOffDays' doesn't match 'PUT /logout 2019-10-11
02:22:33.656 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant
[pattern='/logout', DELETE] 2019-10-11 02:22:33.656 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request
'OPTIONS /admin/getCutOffDays' doesn't match 'DELETE /logout
2019-10-11 02:22:33.656 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.web.util.matcher.OrRequestMatcher : No matches found 2019-10-11
02:22:33.657 DEBUG 39216 --- [nio-8080-exec-2]
o.s.security.web.FilterChainProxy : /admin/getCutOffDays at
position 5 of 11 in additional filter chain; firing Filter:
'UsernamePasswordAuthenticationFilter' 2019-10-11 02:22:33.657 DEBUG
39216 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher :
Request 'OPTIONS /admin/getCutOffDays' doesn't match 'POST /login
2019-10-11 02:22:33.657 DEBUG 39216 --- [nio-8080-exec-2]
o.s.security.web.FilterChainProxy : /admin/getCutOffDays at
position 6 of 11 in additional filter chain; firing Filter:
'RequestCacheAwareFilter' 2019-10-11 02:22:33.657 DEBUG 39216 ---
[nio-8080-exec-2] o.s.security.web.FilterChainProxy :
/admin/getCutOffDays at position 7 of 11 in additional filter chain;
firing Filter: 'SecurityContextHolderAwareRequestFilter' 2019-10-11
02:22:33.659 DEBUG 39216 --- [nio-8080-exec-2]
o.s.security.web.FilterChainProxy : /admin/getCutOffDays at
position 8 of 11 in additional filter chain; firing Filter:
'AnonymousAuthenticationFilter' 2019-10-11 02:22:33.660 DEBUG 39216
--- [nio-8080-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken#25109219:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated:
true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails#b364:
RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted
Authorities: ROLE_ANONYMOUS' 2019-10-11 02:22:33.661 DEBUG 39216 ---
[nio-8080-exec-2] o.s.security.web.FilterChainProxy :
/admin/getCutOffDays at position 9 of 11 in additional filter chain;
firing Filter: 'SessionManagementFilter' 2019-10-11 02:22:33.662 DEBUG
39216 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy :
/admin/getCutOffDays at position 10 of 11 in additional filter chain;
firing Filter: 'ExceptionTranslationFilter' 2019-10-11 02:22:33.671
DEBUG 39216 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy
: /admin/getCutOffDays at position 11 of 11 in additional filter
chain; firing Filter: 'FilterSecurityInterceptor' 2019-10-11
02:22:33.673 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request :
'/admin/getCutOffDays'; against '/login' 2019-10-11 02:22:33.674 DEBUG
39216 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor :
Secure object: FilterInvocation: URL: /admin/getCutOffDays;
Attributes: [authenticated] 2019-10-11 02:22:33.674 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor :
Previously Authenticated:
org.springframework.security.authentication.AnonymousAuthenticationToken#25109219:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated:
true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails#b364:
RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted
Authorities: ROLE_ANONYMOUS 2019-10-11 02:22:33.688 DEBUG 39216 ---
[nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter:
org.springframework.security.web.access.expression.WebExpressionVoter#74f28afc,
returned: -1 2019-10-11 02:22:33.696 DEBUG 39216 --- [nio-8080-exec-2]
o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is
anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is
denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
~[spring-security-core-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
~[spring-security-core-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
~[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
~[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
I am expecting my request to /admin/getCutOffDays should retrieve the data as it is authenticated in the previous login request.
Below is my Controller.
#RequestMapping("/admin")
#RestController
public class AdminController {
#PreAuthorize("hasAuthority('ADMIN')")
#GetMapping("/getCutOffDays")
public long getCutOffDays() {
return adminService.getSequenceId(CUT_OFF_DAYS);
}
}
Can anyone help me figure out what am I missing here.

To answer your question correctly, I would need to have some more input from your side. I'll try to answer it by making some assumptions.
I'm assuming you're authenticating your application and then making a REST call afterward. First (as already mentioned in the answers), you have a STATELESS session policy. It means the session won't be available for the subsequent Http requests.
You can handle it by:
Implementing a token-based (transparent/opaque) authentication.
Implementing a basic-authentication.
In both cases, every request to your REST APIs requires an Authorization Header (or a Cookie, depends on the approach).

Spring Boot Security ignores cors configuration

I added Spring Security (5.0.0.RELEASE) with JWT Authentication to Spring Boot (1.5.7.RELEASE), but the CORS seems to not work.
I added the CORS configuration as described here.
I also tried adding #CrossOrigin to the controllers, but it doesn't seem to change anything.
When calling POST and GET requests from the front-end (Angular JS 5) there doesn't seem to be any CORS problem, but when calling DELETE I get CORS error.
Here's the security configuration:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurity extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public WebSecurity(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.antMatchers(HttpMethod.GET, ACTIVATE_URL).permitAll()
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
// this disables session creation on Spring Security
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
#Bean
CorsConfigurationSource corsConfigurationSource() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.addAllowedMethod(HttpMethod.TRACE);
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
And here are the headers from postman when sending OPTIONS request:
Allow →DELETE,GET,HEAD,POST
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Content-Length →0
Date →Fri, 12 Jan 2018 13:22:08 GMT
Expires →0
Pragma →no-cache
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block
The allow-access-control-origin header is missing, as well as the HTTP TRACE I added to see if the configuration is working.
And the spring security debug logs:
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#7ce27d90
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'PUT /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'DELETE /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 6 of 13 in additional filter chain; firing Filter: 'JWTAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 7 of 13 in additional filter chain; firing Filter: 'JWTAuthorizationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /api/users/register
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /api/users/activate/**
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/request-reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories/*'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/stories/7; Attributes: [permitAll]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#703f0616, returned: 1
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 reached end of additional filter chain; proceeding with original chain
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
And here are the logs for Invalid CORS request:
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#7d9c9d3c
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

When using a breakpoint as dur sugested it turned out allowMethods was always null
Adding the following line to corsConfigurationSource fixed it:
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE", "OPTIONS"));

How to configure a Oauth2 authorization server with Spring?

I'm trying to configure a simple Authorization Server based on one of the examples in Github but I got stuck in the token verification part. My current aim is to provide a basic implementation that secures a gateway. What I understand is that Spring automatically makes the redirect to the AS in case there is no token in the user session to allow him to log against it. Once logged, it makes the call to authorize the client and then another one to exchange the given code for a token. In my current implementation, the application is redirected once it has the client code to my client's login page from where it makes a call to oauth/token which is then denied access. I don't fully understand where the call to the client's login page is configured or how it makes then the call to oauth/token to get the token. My understanding is that this is done automatically by a OAuth2RestTemplate and a filter configured automatically by Spring when using the #EnableOAuth2Sso
This is my current code.
#Configuration
#ComponentScan
#EnableAutoConfiguration
#RestController
#SessionAttributes("authorizationRequest")
public class AuthserverApplication extends WebMvcConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(AuthserverApplication.class, args);
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
}
#Configuration
#EnableResourceServer
public static class ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/user")
.authorizeRequests().anyRequest().authenticated();
}
}
#Configuration
#EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Autowired
private UserDetailsService userService;
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("acme")
.secret("acmesecret")
.authorizedGrantTypes("authorization_code", "refresh_token","password")
.scopes("openid")
.autoApprove(".*");
}
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.userDetailsService(userService)
.authenticationManager(authenticationManager);
}
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
}
#RequestMapping({"/user"})
public Map<String, String> user(Principal principal) {
Map<String, String> map = new LinkedHashMap<>();
map.put("name", principal.getName());
return map;
}
#Configuration
#Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Autowired
private UserDetailsService userDetailsService;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().anyRequest().authenticated()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().exceptionHandling()
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.parentAuthenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
}
}
With application.properties
server.contextPath=/uaa
security.user.password=password
security.ignored=/css/**,/js/**,/favicon.ico,/webjars/**
logging.level.org.springframework.security=DEBUG
spring.oauth2.resource.userInfoUri: http://localhost:8080/uaa/user
And the client application
#SpringBootApplication
#EnableOAuth2Sso
#RestController
public class ClientApplication extends WebSecurityConfigurerAdapter{
#RequestMapping("/user")
public String home(Principal user) {
return "Hello " + user.getName();
}
public static void main(String[] args) {
new SpringApplicationBuilder(ClientApplication.class).run(args);
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/**").authorizeRequests()
.antMatchers("/", "/login**", "/webjars/**").permitAll()
.anyRequest()
.authenticated();
}
}
With the application.yml file
server:
port: 9999
security:
oauth2:
client:
clientId: acme
clientSecret: acmesecret
accessTokenUri: http://localhost:8080/uaa/oauth/token
userAuthorizationUri: http://localhost:8080/uaa/oauth/authorize
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
resource:
userInfoUri: http://localhost:8080/uaa/user
I always get this errors in the browser
Name . Status Type Initiator . Size Time
login 302 x-www-form-urlencoded Other 588 B 9 ms
authorize?client_id=acme&redirect_uri=http://localhost:9999/login&response_type=code&state=5Q67ay 302 login 380 B 66 ms
login?code=qUKZU5&state=5Q67ay 401 document :8080/uaa/oauth/authorize?client_id=acme&redirect_uri=http://localhost:9999/login&response_type=code&state=5Q67ay 663 B 133 ms
And this in the server
017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-06-27 13:04:33.316 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#1c2ae5d1
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'GET /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'PUT /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'DELETE /logout
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-06-27 13:04:33.317 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : /oauth/token at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token; Attributes: [fullyAuthenticated]
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-06-27 13:04:33.318 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5fb2cc06, returned: -1
2017-06-27 13:04:33.319 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) [spring-boot-actuator-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:474) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) [tomcat-embed-core-8.5.11.jar:8.5.11]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.11.jar:8.5.11]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.11.jar:8.5.11]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/**', GET]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /oauth/token' doesn't match 'GET /**
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.s.HttpSessionRequestCache : Request not saved as configured RequestMatcher did not match
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using MediaTypeRequestMatcher
[contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager#62266a9a, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[application/json, application/x-www-form-urlencoded]
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/json
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/atom+xml .isCompatibleWith application/json = false
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/x-www-form-urlencoded .isCompatibleWith application/json = false
2017-06-27 13:04:33.321 DEBUG 25404 --- [nio-8080-exec-8] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/json = true
2017-06-27 13:04:33.324 DEBUG 25404 --- [nio-8080-exec-8] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#7a85031c
2017-06-27 13:04:33.325 DEBUG 25404 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

I finally found the issue.
In the end it was the combination of two things. I needed to add oauthServer.allowFormAuthenticationForClients() to change the order of filters and allow the authentication based on the user logging information first. And then there was another problem that was related to the property tokenName in the client. It had to be access_token instead of oauth_token to match the name by default Spring uses to find the token in the request.
With those 2 changes it started working.

Oauth2 is rejecting the request for login page how do I fix

I've enabled OAuth2 in my Spring IO 2.0.6 Platform as follows
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure( final HttpSecurity http ) throws Exception {
http.authorizeRequests()
.antMatchers( "/**" )
.permitAll()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
}
but when I go to / for my index.html which has my login form I receive the following.
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
here's what appears to be relevant debug level logsj
2016-07-20 17:34:50.063 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade#174f5835
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/css/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/js/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/favicon.ico'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/error'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token_key']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/token_key'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/check_token']
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth/check_token'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#6c710c23
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID B18ACABBAAF00852E3373A4EB0BDDCE2 is invalid.
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-07-20 17:34:50.064 DEBUG 15064 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [#oauth2.throwOnError(authenticated)]
2016-07-20 17:34:50.065 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#1a3d182d, returned: -1
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.066 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'authorizationAuditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'auditListener'
2016-07-20 17:34:50.067 DEBUG 15064 --- [nio-8080-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jul 20 17:34:50 CDT 2016, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.0.10.RELEASE.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.6.RELEASE.jar:1.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar:8.0.36]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_92]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_92]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar:8.0.36]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92]
2016-07-20 17:34:50.068 DEBUG 15064 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter#c4b9155]
2016-07-20 17:34:50.072 DEBUG 15064 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
What do I need to do to allow requests through to my /?

It appears I have to do the following, / and /index.html are both required, the rest depends on your layout, though I did have to define allowing the /webjars/ which is surprising
#EnableWebSecurity
#EnableResourceServer
#EnableAuthorizationServer
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure( final WebSecurity web ) throws Exception {
web.ignoring()
.antMatchers( "/", "/index.html", "/partials/**/*.html" )
.antMatchers( "/webjars/**/*.js" )
.antMatchers( "/webjars/**/*.css" );
}
#Override
protected void configure( final HttpSecurity http ) throws Exception {
super.configure( http );
}
}