OAuth Authorization Server with Custom Authentication Manager in Java Configuration
I have multiple authentication managers in my application. I distinguish them by bean name. The OAuth authorization server part of my XML looks like this and works fine:
    <oauth:expression-handler id="oauthExpressionHandler" />
    <oauth:web-expression-handler id="oauthWebExpressionHandler" />
    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler" >
        <oauth:authorization-code disabled="true" />
        <oauth:implicit disabled="false" />
        <oauth:refresh-token disabled="false" />
        <oauth:client-credentials disabled="false" />
        <oauth:password authentication-manager-ref="authenticationManager" />
    </oauth:authorization-server>
    <oauth:resource-server id="resourceServerFilter" resource-id="resource-id" token-services-ref="tokenServices" />
    <sec:authentication-manager id="clientAuthenticationManager">
        <sec:authentication-provider user-service-ref="clientDetailsUserService" />
    </sec:authentication-manager>
    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <!-- include this only if you need to authenticate clients via request parameters -->
        <custom-filter ref="oauthClientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>
I am trying to move it to Java config (in some sort of SecurityConfig class), so far without success. I've tried something like:
    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2AuthConfig extends AuthorizationServerConfigurerAdapter {

        @Resource(name = "authenticationManager")
        private AuthenticationManager authenticationManager;

        @Resource
        private OAuth2AuthenticationEntryPoint authenticationEntryPoint;

        @Resource(name = "clientDetails")
        private ClientDetailsService clientDetailsService;

        @Resource
        private TokenStore tokenStore;

        @Resource
        private TokenStoreUserApprovalHandler userApprovalHandler;

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            security.authenticationEntryPoint(authenticationEntryPoint);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager)
                     .userApprovalHandler(userApprovalHandler)
                     .tokenStore(tokenStore);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(clientDetailsService);
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {

        @Resource
        private DefaultTokenServices tokenServices;

        @Resource(name = "authenticationManager")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID).tokenServices(tokenServices).authenticationManager(authenticationManager);
        }
    }
However, it still complains about multiple authentication managers, although I am explicitly setting endpoints.authenticationManager(authenticationManager).
With some debugging, I can see it trying to set it up in the WebSecurityConfigurerAdapter class and encountering multiple authentication managers in authenticationManager(). Can I override it, or what is missing?
- AuthorizationServer - there is a way to prevent Spring from failing in org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#authenticationManager by simply overriding the method org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration#configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder)
- ResourceServer - unfortunately, there is no way to similarly handle the related issue. The best you can do is to reduce the number of instances of global authentication managers to one.
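The override described in the answer for the authorization server, as an added example that is not part of the original answer or the Spring project's own code. The class name `ClientOnlyAuthServerSecurityConfig` and the `@Import` wiring used in place of `@EnableAuthorizationServer` are assumptions; the bean names come from the question.

```java
import javax.annotation.Resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerEndpointsConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;

// Hypothetical class name; stands in for the stock security configuration.
@Configuration
class ClientOnlyAuthServerSecurityConfig extends AuthorizationServerSecurityConfiguration {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Deliberately empty: overriding this hook stops
        // WebSecurityConfigurerAdapter#authenticationManager() from looking up a
        // global AuthenticationManager, the lookup that fails when several exist.
        // No parent manager is set, so client authentication on /oauth/token
        // cannot fall back to a user-facing authentication manager.
    }
}

// Assumed wiring: @Import replaces @EnableAuthorizationServer so the subclass
// above is registered instead of the stock AuthorizationServerSecurityConfiguration.
@Configuration
@Import({AuthorizationServerEndpointsConfiguration.class, ClientOnlyAuthServerSecurityConfig.class})
class OAuth2AuthConfig extends AuthorizationServerConfigurerAdapter {
    @Resource(name = "authenticationManager") // bean names taken from the question
    private AuthenticationManager authenticationManager;
    @Resource(name = "clientDetails")
    private ClientDetailsService clientDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // User authentication for the password grant still uses the named manager.
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }
}
```

The token store, approval handler and entry point from the question's `OAuth2AuthConfig` are left out here to keep the focus on the authentication manager wiring; they are configured as in the question.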