
Auto-configure RequestAttributeSecurityContextRepository for OAuth2 resource server


This appears to have broken in 2.6.X as older versions (I tried 2.5.X) do not exhibit the behavior described below.

Step 1: provide a WebSecurityConfigurerAdapter and configure it with the STATELESS session creation policy:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // STATELESS: no HttpSession is created, so the SecurityContext is not
        // carried over to the error dispatch of /error.
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests()
                .antMatchers("/test-user").hasRole("USER")
                .antMatchers("/test-admin").hasRole("ADMIN")
                .antMatchers("/error").authenticated()
                .and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory users; {noop} marks the password as stored in plain text.
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}password").roles("USER").and()
                .withUser("admin").password("{noop}password").roles("ADMIN", "USER");
    }
}

Step 2: set up a simple controller

import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class ExampleController {

    // Both endpoints simply return 200 OK with an empty body.
    @GetMapping(path = {"test-user", "test-admin"})
    public void test(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_OK);
    }
}

Step 3: run the application and send a request to a resource the user is not authorized to view

curl -v -u user:password http://localhost:8080/test-admin

Expected Behavior: the user receives an HTTP 403 Forbidden response status code and a response body (such as the below):

{
   "timestamp":"2022-02-04T23:42:41.621+00:00",
   "status":403,
   "error":"Forbidden",
   "path":"/test-admin"
}

Actual Behavior: the user receives an HTTP 403 Forbidden response status code with no response body.

Note: if the STATELESS session creation policy is removed from the above configuration, it works as expected.
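The following configuration is an added example, not code from the issue or from the Spring projects. It assumes Spring Security 5.7 or later (Spring Boot 2.7+), where RequestAttributeSecurityContextRepository exists; on the 5.6.x line shipped with Boot 2.6.x this class is not available. It keeps the STATELESS policy (no HttpSession) but stores the SecurityContext in a request attribute for the lifetime of the request, so the ERROR dispatch to /error still sees the authenticated principal and the 403 body is rendered. The class name StatelessSecurityConfig and the SecurityFilterChain bean style are the example's own choices, not something the issue prescribes.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;

// Added example (assumes Spring Security 5.7+); not the issue author's or the project's code.
@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless: never create an HttpSession to remember the authenticated user.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Keep the SecurityContext in a request attribute. The servlet container reuses
            // the same request object for the ERROR dispatch, so /error sees the principal
            // and can render the 403 body instead of being denied itself.
            .securityContext(context ->
                context.securityContextRepository(new RequestAttributeSecurityContextRepository()))
            .authorizeRequests(auth -> auth
                .antMatchers("/test-user").hasRole("USER")
                .antMatchers("/test-admin").hasRole("ADMIN")
                .antMatchers("/error").authenticated()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService users() {
        // Same in-memory users as the issue's repro; {noop} marks plain-text passwords.
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password("{noop}password").roles("USER").build(),
            User.withUsername("admin").password("{noop}password").roles("ADMIN", "USER").build());
    }
}
```

With this in place, `curl -v -u user:password http://localhost:8080/test-admin` still yields 403, but the error dispatch is authenticated and the JSON body shown under Expected Behavior is returned. Without the explicit repository, STATELESS falls back to a null repository and the context is gone by the time /error runs.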

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 16 (9 by maintainers)

Top GitHub Comments

mbhave commented, Apr 21, 2022 (1 reaction)

@datagitlies Spring Boot 2.6.x uses Spring security 5.6.x, so yes it won’t be using spring security 5.7.x

svilen-ivanov-kubit commented, Mar 9, 2022 (1 reaction)

@svilen-ivanov-kubit A sample would be very helpful, thank you.

I updated our WebSecurityConfigurerAdapter by removing some cruft and the issue is no longer reproducible. Thank you.
