I try to add a role hierarchy to my spring Security app I used this configuration
#Configuration
#ComponentScan (basePackages = "com.medkhelifi.security")
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
JwtTokenProvider jwtTokenProvider;
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Bean
public AffirmativeBased getAccessDecisionManager() {
DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
expressionHandler.setDefaultRolePrefix("");
expressionHandler.setRoleHierarchy(roleHierarchy());
WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
webExpressionVoter.setExpressionHandler(expressionHandler);
List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();
voters.add(webExpressionVoter);
return new AffirmativeBased(voters);
}
#Bean
public RoleHierarchyImpl roleHierarchy (){
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
return roleHierarchy;
};
public JwtSecurityConfig(){
}
#Override
protected void configure(HttpSecurity http) throws Exception {
//#formatter:off
http
.httpBasic().disable()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.accessDecisionManager(getAccessDecisionManager())
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JwtConfigurer(jwtTokenProvider));
//#formatter:on
}
}
The idea is to add ROLE_USER to ROLE_ADMIN hiearchy but it don't work when i try to apply a secured ROLE_USER to one of my request
#RequestMapping(method = RequestMethod.GET)
#Secured("ROLE_USER")
public String index(Principal principal){
return userRepository.findByEmail("admin#gmail.com").toString();
}
I get 403 Forbidden error, but when I replace #Secured("ROLE_USER") by #Secured("ROLE_ADMIN") it works very well.
Related
I have spring web mvc project with Spring Security 4.1.0.RELEASE
In spring controller i try fetch the user from the context
#RestController
public class Test {
#RequestMapping(value="test", method = RequestMethod.POST)
public ResponseEntity<Void> test() {
ContextUser user = (ContextUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
}
user is an instance with id = 0, login = null .... It is empty instance.
org.springframework.security.core.Authentication isAuthenticated = true, list of Collection<? extends GrantedAuthority> are correct This behaviour is occurred periodically. It is not every time for this request. I catch this issue only for that request
My configurations
#Configuration
#ComponentScan(basePackages={"com.test.app"},
excludeFilters=#ComponentScan.Filter(type=FilterType.REGEX, pattern={"com.test.app.web.*"}))
#PropertySource(value = { "classpath:application.properties" })
#EnableAspectJAutoProxy
public class AppConfig {
#Autowired
private DataSource dataSource;
//My beans
}
#Component
public class TestUserDetailsService implements UserDetailsService{
#Autowired
private TestUserService service;
#Override
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException {
User user = service.findByLogin(userName);
if (user == null) {
throw new UsernameNotFoundException("Error");
}
return new ContextUser(user);
}
}
public class ContextUser extends User implements UserDetails {
//...
}
#Configuration
#EnableWebSecurity
#EnableAsync
#EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
#Autowired
private TestAuthenticationEntryPoint testAuthenticationEntryPoint;
#Autowired
private TestSimpleUrlAuthenticationSuccessHandler testSimpleUrlAuthenticationSuccessHandler;
#Autowired
private TestSimpleUrlAuthenticationFailureHandler testSimpleUrlAuthenticationFailureHandler;
#Autowired
private LogoutSuccessHandler logoutSuccessHandler;
#Autowired
private TestUserDetailsService testUserDetailsService;
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(AuthenticationManagerBuilder registry) throws MyException {
registry.userDetailsService(testUserDetailsService).passwordEncoder(new TestEncoder());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(testAuthenticationEntryPoint)
.and().sessionManagement().sessionFixation().migrateSession().maximumSessions(-1).sessionRegistry(sessionRegistry()).and()
.and()
.authorizeRequests()
.antMatchers("/").access("hasAuthority('TEST')")
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(testSimpleUrlAuthenticationSuccessHandler)
.failureHandler(testSimpleUrlAuthenticationFailureHandler)
.and()
.logout().logoutSuccessHandler(logoutSuccessHandler)
.and()
.headers().cacheControl().disable().frameOptions().sameOrigin();
}
#Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
#Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/resources/**");
}
}
Are any ideas why this behaviour is happened?
Maybe should configure session expire time or mistake is in my code?
My controller code fragment.
It shows username even if its logged out.
#GetMapping("/")
public String getProfilePage(Model model, Authentication authentication) {
if (authentication == null) {
return "redirect:/login";
}
UserDetailsImpl details = (UserDetailsImpl) authentication.getPrincipal();
model.addAttribute("user", details.getUser());
model.addAttribute("greeting", details.getUser().getGreeting());
List<UserDetails> lu = sessionRegistry.getAllPrincipals()
.stream()
.filter(principal -> principal instanceof UserDetails)
.map(UserDetails.class::cast)
.collect(Collectors.toList());
for (UserDetails l: lu){
System.out.println(l.getUsername());
}
return "Profile";
}
Cant resolve this problem for a week.
There is some answer Here but it didnt helped resolving my problem.
This is how my SecurityConfig class looks like:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Qualifier("dataSource")
#Autowired
private DataSource dataSource;
#Autowired
private PasswordEncoder passwordEncoder;
#Autowired
private UserDetailsService userDetailsServiceImpl;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/expired").permitAll()
.antMatchers("/static/**").permitAll()
.antMatchers("/users").hasAnyAuthority("ADMIN")
.anyRequest().permitAll()
.and()
.formLogin().loginPage("/login")
.usernameParameter("login")
.passwordParameter("password")
.failureUrl("/login?error").permitAll()
.defaultSuccessUrl("/")
.and()
.rememberMe()
.rememberMeParameter("remember-me")
.tokenRepository(tokenRepository())
.and()
.logout()
.deleteCookies("remember-me")
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
.permitAll();
http.csrf().disable();
http
.sessionManagement()
.maximumSessions(1)
// .maxSessionsPreventsLogin(false)
.sessionRegistry(sessionRegistryImpl());
}
#Bean
public SessionRegistryImpl sessionRegistryImpl() {
return new SessionRegistryImpl();
}
#Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
#Bean
public PersistentTokenRepository tokenRepository() {
JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
tokenRepository.setDataSource(dataSource);
return tokenRepository;
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsServiceImpl).passwordEncoder(passwordEncoder);
}
}
And added AppInitializer:
#Configuration
public class AppInitializer implements WebApplicationInitializer {
#Override
public void onStartup(ServletContext servletContext) throws ServletException {
servletContext.addListener(HttpSessionEventPublisher.class);
}
}
I am using Spring Boot: v2.0.3.RELEASE and Spring Fox: v2.9.2.
Trying to access http://127.0.0.1:8080/swagger-ui.html results in:
Unable to infer base url. This is common when using dynamic servlet
registration or when the API is behind an API Gateway. The base url is
the root of where all the swagger resources are served. For e.g. if
the api is available at http://example.org/api/v2/api-docs then the
base url is http://example.org/api/. Please enter the location
manually:
Repeatedly clicking OK in the popup bar has no effect.
Here is my Spring Security Configuration:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
private SecurityProperties securityProperties;
private AppProperties AppProperties;
public WebSecurityConfig(UserDetailsService userDetailsService,
BCryptPasswordEncoder bCryptPasswordEncoder,
SecurityProperties securityProperties,
AppProperties AppProperties) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
this.securityProperties = securityProperties;
this.AppProperties = AppProperties;
}
#Configuration
#Order(1)
public class BasicAuthenticationConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/admin/**")
.csrf().disable()
.httpBasic().and()
.authorizeRequests().anyRequest().hasRole("ADMIN").and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser(AppProperties.getAdminUsername())
.password(bCryptPasswordEncoder.encode(AppProperties.getAdminPassword()))
.roles("ADMIN");
}
}
#Configuration
#Order(2)
public class TokenAuthenticationConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.
cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/no-auth/**").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(securityProperties, authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/v2/api-docs", "**/swagger-resources/**", "/swagger-ui.html", "/webjars/**")
.antMatchers(HttpMethod.OPTIONS, "/**");
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
#Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.applyPermitDefaultValues();
corsConfiguration.setAllowedOrigins(Collections.singletonList("*"));
corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE"));
corsConfiguration.setMaxAge(3600L);
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfiguration);
return source;
}
}
}
Here is the SpringFox configuration:
#Configuration
#EnableSwagger2
public class SwaggerConfig {
#Autowired
private AppProperties AppProperties;
#Bean
public WebMvcConfigurer mvcConfigurer() {
return new WebMvcConfigurer() {
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui.html")
.addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
};
}
#Bean
public Docket api() {
return new Docket(DocumentationType.SWAGGER_2)
.groupName("foo-api")
.apiInfo(apiInfo())
.useDefaultResponseMessages(false)
.produces(Collections.singleton("application/json"))
.select()
.apis(RequestHandlerSelectors.any())
.paths(PathSelectors.any())
.build();
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder()
.title("Foo API")
.termsOfServiceUrl(AppProperties.getApiTosUrl())
.version("1.0").build();
}
}
In my Spring-Security Configuration, I have tried to exclude all Spring-Fox paths as generally advised but it doesn't have any effect. What is going wrong?
I have a project with childA and childB.
I want to configure the security of childA controllers in childA and childB controllers in childB.
So far I have the following SecurityConfig:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private CookieProperties cookieProperties;
#Autowired
private LdapUserDetailsManager userDetailsService;
#Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;
#Autowired
private AuthenticationEntryPoint authenticationEntryPoint;
#Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
#Autowired
private AccessDeniedHandler accessDeniedHandler;
#Autowired
private LogoutSuccessHandler logoutSuccessHandler;
#Autowired
private LdapProperties ldapProperties;
#Autowired
private Environment environment;
#Bean(name = BeanIds.AUTHENTICATION_MANAGER)
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Bean
public LdapDaoAuthenticationProvider ldapDaoAuthenticationProvider(LdapProperties ldapProperties) {
LdapDaoAuthenticationProvider provider = new LdapDaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setLdapProperties(ldapProperties);
provider.setPasswordEncoder(passwordEncoder());
return provider;
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(ldapDaoAuthenticationProvider(ldapProperties));
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(
// how to move this in another file ?
new OrRequestMatcher(
new AntPathRequestMatcher(ChildAHttpPathStore.PATH_SOMETHING),
new AntPathRequestMatcher(ChildBHttpPathStore.PATH_SOMETHING),
)
)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.csrf()
.csrfTokenRepository(corsCookieCsrfTokenRepository())
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, CoreHttpPathStore.PING).permitAll()
.anyRequest().hasAnyAuthority(
UserManagement.ROLE_AUTH_SERVICE
)
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler)
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.formLogin()
.loginProcessingUrl(CoreHttpPathStore.LOGIN)
.successHandler(authenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.permitAll()
.and()
.logout()
.logoutUrl(CoreHttpPathStore.LOGOUT)
.logoutSuccessUrl(CoreHttpPathStore.LOGIN_FROM_LOGOUT)
.logoutSuccessHandler(logoutSuccessHandler)
.permitAll()
.and()
.headers().cacheControl().disable();
}
#Bean(name = "userPasswordEncoder")
public LdapShaPasswordEncoder passwordEncoder() {
return new LdapShaPasswordEncoder();
}
#Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer serializer = new DefaultCookieSerializer();
if (null != cookieProperties.getName()) { serializer.setCookieName(cookieProperties.getName()); }
if (null != cookieProperties.getPath()) { serializer.setCookiePath(cookieProperties.getPath()); }
if (null != cookieProperties.getHttpOnly()) { serializer.setUseHttpOnlyCookie(cookieProperties.getHttpOnly()); }
if (null != cookieProperties.getMaxAge()) { serializer.setCookieMaxAge(cookieProperties.getMaxAge()); }
if (null != cookieProperties.getSecure()) { serializer.setUseSecureCookie(cookieProperties.getSecure()); }
if (null != cookieProperties.getDomain()) { serializer.setDomainName(cookieProperties.getDomain()); }
return serializer;
}
#Bean
public CorsCookieCsrfTokenRepository corsCookieCsrfTokenRepository(){
CorsCookieCsrfTokenRepository repository = new CorsCookieCsrfTokenRepository();
repository.setCookieHttpOnly(false);
repository.setHeaderName("X-XSRF-TOKEN");
repository.setCookiePath(cookieProperties.getPath());
repository.setCookieDomain(cookieProperties.getDomain());
repository.setCookieName("XSRF-TOKEN");
return repository;
}
}
Is it possible to split this configuration ?
If you need to write Multiple HttpSecurity due to spring security docs the easiest is to create a general configuration with some internal #Configuration classes for configuring HttpSecurity
#EnableWebSecurity
public class MultiHttpSecurityConfig {
#Bean
public UserDetailsService userDetailsService() throws Exception {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("user").password("password").roles("USER").build());
manager.createUser(User.withUsername("admin").password("password").roles("USER","ADMIN").build());
return manager;
}
#Configuration
#Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN")
.and()
.httpBasic();
}
}
#Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin();
}
}
}
I am trying to configure Spring Security and OAuth2 on java config. I am using Spring Security version 4.0.4.RELEASE and OAuth2 version 2.0.11.RELEASE.
Spring Security config works well. Also I can get an access token with OAuth2 AuthorizationServer, but my ResourceServer does not work correctly. When I set the annotation #EnableResourceServer I can only check my access token and other URLs I cannot open (Security configuration and AuthorizationServer configuration do not work). I see the following error:
<oauth>
<error_description>
An Authentication object was not found in the SecurityContext
</error_description>
<error>unauthorized</error>
</oauth>
If I remove an annotation #EnableResourceServer, my ResourceServer does not check an access token. It just redirects to the authentication page.
This is my code:
#Configuration
#EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class GlobalSecurityConfig extends GlobalMethodSecurityConfiguration {
#Bean(name = "passwordEncoder")
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
#Autowired
#Qualifier("authUserDetailsService")
private UserDetailsService userDetailsService;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
#Autowired
#Qualifier("permissionEvaluator")
private PermissionEvaluator permissionEvaluator;
#Bean
public DefaultMethodSecurityExpressionHandler expressionHandler() {
DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
handler.setDefaultRolePrefix("");
handler.setPermissionEvaluator(permissionEvaluator);
return handler;
}
#Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return expressionHandler();
}
}
SecurityConfig:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Bean(name = "clientAuthenticationEntryPoint")
public OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint() {
OAuth2AuthenticationEntryPoint entry = new OAuth2AuthenticationEntryPoint();
entry.setRealmName("myapp/client");
entry.setTypeName("Basic");
return entry;
}
#Autowired
#Qualifier("webExpressionHandler")
private DefaultWebSecurityExpressionHandler expressionHandler;
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/html/**", "/webapi/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/admin/**", "/**")
.and()
.authorizeRequests()
.expressionHandler(expressionHandler)
.antMatchers("/admin/**").access("hasRole('ADMINISTRATOR')")
.antMatchers("/1/admin/**").access("hasRole('ADMINISTRATOR')")
.antMatchers("/profile**").authenticated()
.antMatchers("/oauth/authorize").authenticated()
.and()
.formLogin().loginPage("/login")
.failureUrl("/login?error=1")
.loginProcessingUrl("/login-attempt")
.defaultSuccessUrl("/", false)
.and()
.sessionManagement()
.sessionFixation().migrateSession()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and()
.exceptionHandling()
.accessDeniedPage("/access-denied")
.and()
.csrf();
}
}
Oauth config:
#Configuration
public class Oauth {
#Configuration
#EnableResourceServer
public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "my_oauth_server";
#Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(RESOURCE_ID);
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.regexMatchers("/api/v0/.*").authenticated()
.antMatchers("/**").denyAll()
;
}
}
#Configuration
#EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
#Autowired
private AuthenticationManager authenticationManager;
#Autowired
private AuthorizationCodeServices verificationCodeService;
#Autowired
#Qualifier("clientDetails")
private ClientDetailsService clientDetailsService;
#Autowired
#Qualifier("tokenStore")
private TokenStore tokenStore;
#Bean(name = "tokenServices")
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore);
tokenServices.setSupportRefreshToken(true);
tokenServices.setClientDetailsService(clientDetailsService);
return tokenServices;
}
#Bean
public ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception {
ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
filter.setAuthenticationManager(authenticationManager);
return filter;
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetailsService);
}
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
endpoints.authorizationCodeServices(verificationCodeService);
endpoints.tokenServices(tokenServices());
endpoints.reuseRefreshTokens(true);
}
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()");
oauthServer.checkTokenAccess("permitAll()");
oauthServer.realm("myapp/client");
oauthServer.addTokenEndpointAuthenticationFilter(clientCredentialsTokenEndpointFilter());
oauthServer.allowFormAuthenticationForClients();
}
}
}
So, ResourceServer config overlap other configuration. How can I fix it? I would be thankful for any help.
I see that you want to protect some endpoints with an access token, and other endpoints with normal form login.
Can you try restricting the applicability of your ResourceServerConfiguration to apply only to certain endpoints by something like: http.requestMatcher(new AntPathRequestMatcher("/api/v0/**")).... Do the same for SecurityConfig but for the endpoints you want it to take care of.