Spring Security OAuth2 - @EnableOauth2Sso but accept tokens as authentication, too

闹比i 2020-12-29 14:36

I have an application which has @EnableOAuth2Sso on the WebSecurityConfigurerAdapter

After adding @EnableOAuth2Sso the applica

2 answers
  • 2020-12-29 15:06

    The reason for the exception was the ordering of the filters like @jah said.

    What I did to achieve the authentication of requests containing an access token in the Authorization-Header is to create a class ApiTokenAccessFilter which extends OAuth2AuthenticationProcessingFilter. This filter takes a ResourceServerTokenServices constructor parameter and sets the stateless flag to false.

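    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
    import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
    import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

    public class ApiTokenAccessFilter extends OAuth2AuthenticationProcessingFilter {

      public ApiTokenAccessFilter(ResourceServerTokenServices resourceServerTokenServices) {

        super();
        // Not stateless: an existing session (SSO login) may still populate the
        // security context when the request carries no bearer token.
        setStateless(false);
        setAuthenticationManager(oauthAuthenticationManager(resourceServerTokenServices));
      }

      private AuthenticationManager oauthAuthenticationManager(ResourceServerTokenServices tokenServices) {

        OAuth2AuthenticationManager oauthAuthenticationManager = new OAuth2AuthenticationManager();

        // Tokens that are restricted to other resource ids are rejected.
        oauthAuthenticationManager.setResourceId("oauth2-resource");
        // The token services validate the bearer token and load its authentication.
        oauthAuthenticationManager.setTokenServices(tokenServices);
        // No ClientDetailsService: the client's registered scopes are not checked here.
        oauthAuthenticationManager.setClientDetailsService(null);

        return oauthAuthenticationManager;
      }
    }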
    

    In my security config I used this Filter as follows:

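    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
    import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

    @Configuration
    @EnableOAuth2Sso
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

      @Autowired
      private ResourceServerTokenServices tokenServices;

      @Override
      public void configure(HttpSecurity http) throws Exception {

        // Every request must be authenticated, either by the SSO login or by a bearer token.
        http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            // Register the token filter at a defined position in the filter chain.
            .addFilterBefore(new ApiTokenAccessFilter(tokenServices), AbstractPreAuthenticatedProcessingFilter.class);
      }
    }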
    

    I think this could be easier so I opened an issue on the spring-security-oauth GitHub repo. I'm not sure whether this solution is the way to go, but I didn't find another alternative.

  • 2020-12-29 15:09

    This is an answer for your first question. You are getting this exception because you are trying to add a filter to a filter chain without specifying an order. The filter chain consists of several filters in a fixed order. The exception is thrown in the check for the existence of the filter to add. The org.springframework.security.config.annotation.AlreadyBuiltException is thrown in the AbstractSecurityBuilder when an exception happens inside it. So a wide range of exceptions happening inside the AbstractSecurityBuilder are causing this unrelated exception.

    A possible way to add your filter would be to use the addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter) or the addFilterAfter(Filter filter, Class<? extends Filter> afterFilter) methods of HttpSecurity.

    Regarding your 2nd question, you should provide more information.
