I'm migrating from Spring Boot 1.5 to Spring Boot 2.7.12. I would like to keep, for the moment, the authentication that was implemented in version 1.5.
When accessing any endpoint, even endpoints that do not exist, it returns the error 401 (Full authentication is required to access this resource, unauthorized).
I know that WebSecurityConfigurerAdapter and AuthorizationServerConfigurerAdapter are deprecated. Could this be the cause, so that I need to migrate the authentication and authorization, or can it be solved somehow while keeping the old configuration?
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // The application's own UserDetailsService bean (qualified, so several may exist).
    @Autowired
    @Qualifier("customUserDetailsService")
    private UserDetailsService userDetailsService;

    // Registers the user details service and the DAO provider with the global
    // AuthenticationManagerBuilder used by the AuthenticationManager bean below.
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    // Exposes the AuthenticationManager as a bean named "authenticationManagerBean",
    // which the authorization server configuration injects by that name.
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/oauth/token/revokeById/**").permitAll()
                .antMatchers("/tokens/**").permitAll()
                .anyRequest().authenticated()   // every other path, including unknown ones, needs a login
            .and().formLogin().permitAll()
            .and().csrf().disable();
        // @formatter:on
    }

    // Paths listed here bypass the security filter chain completely.
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/passwordLost/**");
        webSecurity.ignoring().antMatchers("/user/email/**");
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```
```java
import java.util.Arrays;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

// Legacy spring-security-oauth2 authorization server issuing JWT access tokens.
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfigJwt extends AuthorizationServerConfigurerAdapter implements InitializingBean {

    @Value(value = "${oauth2.access_token.validity_seconds}")
    private int accessTokenValiditySeconds;

    @Value(value = "${oauth2.refresh_token.validity_seconds}")
    private int refreshTokenValiditySeconds;

    // The AuthenticationManager exposed by WebSecurityConfig.authenticationManagerBean().
    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    @Qualifier("customUserDetailsService")
    private UserDetailsService userDetailsService;

    // /oauth/token_key (the public verification key) is open; /oauth/check_token needs a login.
    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    // Single in-memory client; the real id, secret and scopes are redacted here.
    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("xxx")
                .secret("xxxx")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                .scopes("xxx", "xxx", "xxx")
                .accessTokenValiditySeconds(accessTokenValiditySeconds)
                .refreshTokenValiditySeconds(refreshTokenValiditySeconds);
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }

    // Wires the JWT token store, the enhancer chain and the authentication manager
    // into the /oauth/token endpoint.
    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));
        endpoints.tokenStore(tokenStore())
                .tokenEnhancer(tokenEnhancerChain)
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // Signs and verifies JWTs with an RSA key pair loaded from a keystore on the classpath
    // (keystore path, keystore password and key alias are redacted).
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("xxxx"), "xxxx".toCharArray());
        converter.setKeyPair(keyStoreKeyFactory.getKeyPair("xxxxx"));
        return converter;
    }

    // CustomTokenEnhancer is the application's own TokenEnhancer implementation (not shown).
    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

    @Override
    public void afterPropertiesSet() throws Exception {
        System.out.println("");
    }
}
```
Comment From: philwebb
Spring Boot 1.5 had quite a complex security configuration model which we simplified in 2.0. It's hard to say for sure, but I suspect your WebSecurityConfig.configure rules will need tweaking. Despite the fact that WebSecurityConfigurerAdapter is deprecated, it should still work in Spring Boot 2.7.
There are some helpful guides related to migration from Boot 1.5 to 2.x at https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Security-2.0
If you're unable to get it working based on those guides I think it would be best to ask on stackoverflow.com with a Minimal, Reproducible Example. Feel free to paste the link to the question here so that we can find it.
As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements and I suspect this is a configuration issue rather than a bug.
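The same WebSecurityConfig rules written in the component style that Spring Security 5.7 (the version Spring Boot 2.7 ships) recommends instead of WebSecurityConfigurerAdapter, as an added example that is neither from the issue nor from the Spring project; it assumes only the customUserDetailsService bean and the authenticationManagerBean name from the question.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
    // Same rules as the adapter's configure(HttpSecurity), registered as a bean.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, DaoAuthenticationProvider provider) throws Exception {
        http.authenticationProvider(provider)
            .authorizeRequests()
                .antMatchers("/login", "/oauth/token/revokeById/**", "/tokens/**").permitAll()
                .anyRequest().authenticated()
            .and().formLogin().permitAll()
            .and().csrf().disable();
        return http.build();
    }
    // Replaces configure(WebSecurity). ignoring() skips the whole filter chain for these
    // paths (no authentication, CSRF or security headers); permitAll() inside the chain
    // is the safer choice unless that complete bypass is intended.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().antMatchers("/passwordLost/**", "/user/email/**");
    }
    // Replaces authenticationManagerBean(); keeping the bean name preserves the
    // authorization server's @Qualifier("authenticationManagerBean") injection.
    @Bean(name = "authenticationManagerBean")
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
    // Picked up by both the global AuthenticationManager and the filter chain above.
    @Bean
    public DaoAuthenticationProvider authenticationProvider(@Qualifier("customUserDetailsService") UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return provider;
    }
    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
}
```

Because the legacy @EnableAuthorizationServer registers a WebSecurityConfigurerAdapter of its own and Spring Security 5.7 refuses to mix that style with SecurityFilterChain beans, this form only works once the authorization server is migrated as well. A 401 on a non-existent path is the expected result of anyRequest().authenticated(), since the filter chain runs before the DispatcherServlet decides whether the path exists.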