AccessToken does not get invalid - Spring OAuth2

Time:06-09

I set up Spring OAuth in my project and authentication seems to work. After testing with Postman I saw that the AccessToken can be used even after being expired... it does not become invalid and the user can still use it to get resources.

I tested this by setting the expiration time of AccessToken to 2 seconds.

Here is some code of my configuration:

POM.xml:

        <!-- Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.3.4.RELEASE</version>
        </dependency>   
...

AuthorizationServerConfig:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;
    @Autowired
    private DbConfig dbConfig;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStoreImpl(dbConfig.dataSource());
    }

    @Bean
    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }

    @Autowired
    public AuthorizationServerConfig(AuthenticationManager authenticationManager, DbConfig dbConfig) {
        this.authenticationManager = authenticationManager;
        this.dbConfig = dbConfig;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()")
                   .checkTokenAccess("isAuthenticated()")
                   .passwordEncoder(oauthClientPasswordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dbConfig.dataSource());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                 .authenticationManager(authenticationManager)
                 .userDetailsService(userDetailsService);
    }
}

ResourceServerConfig:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/secured/**").authenticated();
    }
}

ServerSecurityConfig:

@Configuration
@EnableWebSecurity
//@Order(SecurityProperties.BASIC_AUTH_ORDER)
@Import(Encoders.class)
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private PasswordEncoder userPasswordEncoder;

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);
    }
}

The UserDetailsService etc. I have also configured, but I think they are not relevant for investigating this problem. The problem is more related to the AccessToken itself and not to getting one.

Is this problem maybe related to the fact that I am using Spring 3.0.0?

CodePudding user response:

My guess is that you are trying to migrate an "old" Spring Boot app to the new release?

For many months now, "spring-security-oauth" has no longer been supported. See https://spring.io/projects/spring-security-oauth

All OAuth2 functionality is available in the spring-security-oauth2-server library / Spring Boot autoconfiguration. Try removing your dependency and adding spring-boot-starter-oauth2-resource-server. Check whether your context has a "spring.security.oauth2.resourceserver.jwt.issuer-uri" property; its value is a JWKS resource with the keys used to sign the bearer token.

Now, let Spring Boot autoconfigure your context. The bearer token is validated with an OAuth2TokenValidator; the default implementation only checks that the expiration is not null. Then the bearer token is authenticated, using a JwtDecoder to do so. "spring.security.oauth2.resourceserver.jwt.issuer-uri" triggers creation of a JwtDecoder with the Nimbus library at start-up. This implementation checks the expiration (see the OAuth2ResourceServerJwtConfiguration Spring Boot configuration) and generates a 401 response.

You can also provide your own JwtDecoder and check the expiration or other JWT claims.

I hope it is clear enough :)
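As an added example (not code from the question or the answer above), here is what the migration the answer describes looks like on Spring Boot 3 / Spring Security 6: the old `@EnableResourceServer` class is replaced by a `SecurityFilterChain` that enables `oauth2ResourceServer().jwt()`, and a custom `JwtDecoder` bean carries explicit validators. One caveat worth knowing when you test with a 2-second token: the default `JwtTimestampValidator` that `JwtValidators.createDefaultWithIssuer` installs allows 60 seconds of clock skew, so an "expired" token is still accepted for roughly a minute after `exp`. The example tightens that to 5 seconds and also checks the `aud` claim, which the defaults do not. The issuer URI and audience value are assumptions; the `/` and `/secured/**` paths are taken from the question.

```java
// Added example for Spring Boot 3 / Spring Security 6 (not from the original post).
// Replaces spring-security-oauth2 + @EnableResourceServer with the supported
// spring-boot-starter-oauth2-resource-server setup.
//
// application.properties equivalent of the decoder wiring below (assumed issuer):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.com/realms/demo
package com.example.security;

import java.time.Duration;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed values: the issuer that mints the tokens and the audience this API expects.
    private static final String ISSUER_URI = "https://auth.example.com/realms/demo";
    private static final String EXPECTED_AUDIENCE = "my-api";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/").permitAll()
                .requestMatchers("/secured/**").authenticated()
                .anyRequest().denyAll())
            // Every bearer token goes through the JwtDecoder bean below. A token that fails
            // signature, issuer, timestamp or audience validation gets a 401 response.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the issuer's discovery document, fetches its JWK Set and verifies signatures.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER_URI);

        // Spring's defaults: issuer must match, exp/nbf checked with 60 s of clock skew.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER_URI);
        // Stricter timestamp check: a token is rejected at most 5 s after its exp claim.
        OAuth2TokenValidator<Jwt> strictTimestamps = new JwtTimestampValidator(Duration.ofSeconds(5));
        // Audience check, which the default validators do not perform.
        OAuth2TokenValidator<Jwt> audience = new AudienceValidator(EXPECTED_AUDIENCE);

        // All delegates must succeed for the token to be accepted.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, strictTimestamps, audience));
        return decoder;
    }

    /** Rejects tokens minted for another API by requiring our audience in the aud claim. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token",
                    "The required audience " + audience + " is missing", null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

With this in place the dependency on `spring-security-oauth2` and the `JdbcTokenStore` disappear from the resource server entirely: the JWT is self-describing, so expiry is enforced from its `exp` claim on every request rather than from a row in the token table, and the skew setting is what decides how long after `exp` a token is still honoured.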
