Document the need to provide a SecurityWebFilterChain or WebSecurityConfigurerAdapter when using multiple OAuth 2 security components #18507

Closed
philsttr opened this issue Oct 4, 2019 · 4 comments
Labels
type: documentation A documentation update
Milestone

Comments

@philsttr
philsttr commented Oct 4, 2019

When I recently upgraded an application from Spring Boot 2.2.0.M6 to 2.2.0.RC1 that uses both OAuth2 Resource Server (opaque token support) and OAuth2 Client, I found that the OAuth2 Resource Server opaque token auto-configuration is no longer applied. So this appears to be a change/regression from 2.2.0.M6 -> 2.2.0.RC1.

In 2.2.0.M6, I see the following in the autoconfiguration report, indicating a successful configuration of the opaque token support:

   ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.WebSecurityConfiguration matched:
      - @ConditionalOnBean (types: org.springframework.security.web.server.SecurityWebFilterChain; SearchStrategy: all) did not find any beans (OnBeanCondition)

   ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.WebSecurityConfiguration#springSecurityFilterChain matched:
      - @ConditionalOnBean (types: org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector; SearchStrategy: all) found bean 'opaqueTokenIntrospector' (OnBeanCondition)

In 2.2.0.RC1, I see the following in the autoconfiguration report:

   ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.WebSecurityConfiguration:
      Did not match:
         - @ConditionalOnBean (types: org.springframework.security.web.server.SecurityWebFilterChain; SearchStrategy: all) found beans of type 'org.springframework.security.web.server.SecurityWebFilterChain' springSecurityFilterChain (OnBeanCondition)

It appears that when the OAuth2 Client AutoConfiguration executes, it defines a SecurityWebFilterChain, which prevents the ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.WebSecurityConfiguration from applying.

If I remove the OAuth2 Client configuration properties, the Resource Server is configured properly.

Here is an example project with a unit test that shows the behavior. The test fails when using 2.2.0.RC1, but if you change the spring boot version to 2.2.0.M6, the test will pass.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 4, 2019
@mbhave
Contributor

mbhave commented Oct 4, 2019

Thanks for the sample @philsttr. This is indeed caused by the fact that ReactiveOAuth2ClientAutoConfiguration now explicitly defines a bean of type SecurityWebFilterChain, causing ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.WebSecurityConfiguration to back off. This change was introduced to fix #17949. This is an interesting use-case which I hadn't thought of when making that change. It's a bit tricky as we want to keep the @ConditionalOnMissingBean so that the auto-config can back off if there is a user-defined SecurityWebFilterChain. Let's see what we can do.

@mbhave mbhave added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 4, 2019
@mbhave mbhave added this to the 2.2.x milestone Oct 4, 2019
@philsttr
Author

philsttr commented Oct 4, 2019

Thanks for taking a look at this @mbhave!
Note that I originally noticed this when our @SpringBootTest integration tests that use an OAuth2 Client to communicate to the Resource Server under test started failing with authentication errors, since both the OAuth2 Client and Resource Server configuration end up in the same spring context. This seems like a fairly common scenario for integration testing resource servers.
After I noticed that test failure, I noticed the same symptom in a service that has both the OAuth2 Client and Resource Server configured in itself as well.

@mbhave mbhave modified the milestones: 2.2.x, 2.2.0 Oct 14, 2019
@wilkinsona
Member

As we add auto-configuration for more of Spring Security's features, I think we may have to accept that a certain amount of user configuration is required to use those pieces in combination. In this case, that would be a user-provided SecurityWebFilterChain that combines the two filter chains:

// The chain that the opaque-token resource server auto-configuration
// (ReactiveOAuth2ResourceServerOpaqueTokenConfiguration) provides on its own
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated());
	http.oauth2ResourceServer(OAuth2ResourceServerSpec::opaqueToken);
	return http.build();
}

// The chain that the OAuth2 client auto-configuration
// (ReactiveOAuth2ClientAutoConfiguration) provides on its own
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http.authorizeExchange().anyExchange().authenticated();
	http.oauth2Login();
	http.oauth2Client();
	return http.build();
}

The only alternative that I've been able to think of thus far is a contribution model for creating the SecurityWebFilterChain. I have some reservations about that as, given that there are multiple packages involved, it would have to be public API. It would feel like a return to the 1.x days where ordering of security components became both crucial and difficult to get right.

I'll keep giving this some thought, but I'm leaning towards documenting the need for a user-provided SecurityWebFilterChain when combining multiple pieces of security such as OAuth2 Client and Resource Server. That is a little cumbersome but it feels like the best option that I can think of given the current state of the art in Spring Security.
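The user-provided reactive chain described above, combining both auto-configured chains into one bean so neither auto-configuration needs to apply, as an added example that is not part of the original issue or of Spring Boot's own code. It assumes Spring Boot 2.2 / Spring Security 5.2 and that the ReactiveOpaqueTokenIntrospector bean comes from the spring.security.oauth2.resourceserver.opaquetoken.* properties; the class name CombinedReactiveSecurityConfig is made up.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical user configuration: because it defines a SecurityWebFilterChain bean,
// both ReactiveOAuth2ClientAutoConfiguration and
// ReactiveOAuth2ResourceServerOpaqueTokenConfiguration back off (@ConditionalOnMissingBean),
// so the single chain below must carry everything both of them would have configured.
@Configuration
@EnableWebFluxSecurity
public class CombinedReactiveSecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Same authorization rule as both auto-configured chains: every exchange needs auth.
        http.authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated());

        // OAuth2 client side (what ReactiveOAuth2ClientAutoConfiguration would set up):
        // login via the configured client registrations plus the authorized-client support
        // used when this service calls other resource servers.
        http.oauth2Login();
        http.oauth2Client();

        // Resource server side (what the opaque-token auto-configuration would set up):
        // bearer tokens are validated by the ReactiveOpaqueTokenIntrospector bean that
        // Boot creates from the opaquetoken introspection properties (assumed present).
        http.oauth2ResourceServer(OAuth2ResourceServerSpec::opaqueToken);

        return http.build();
    }
}
```

Requests carrying a bearer token are authenticated by introspection; requests without one fall through to the login flow, so check that this matches the expectations of the API clients that call the resource-server endpoints.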

@wilkinsona wilkinsona added type: documentation A documentation update and removed type: regression A regression from a previous release labels Oct 16, 2019
@wilkinsona wilkinsona changed the title OAuth2 Resource Server no longer auto-configured when OAuth2 Client is Auto Configured Document the need to provide a SecurityWebFilterChain when using multiple reactive OAuth 2 security components Oct 16, 2019
@wilkinsona
Member

We've decided that this is best addressed with documentation. The behaviour of the reactive auto-configuration is now aligned with the equivalent servlet auto-configuration where, for example, only one of OAuth2ResourceServerOpaqueTokenConfiguration.OAuth2WebSecurityConfigurerAdapter.opaqueTokenWebSecurityConfigurerAdapter() and OAuth2WebSecurityConfiguration.OAuth2WebSecurityConfigurerAdapter will be auto-configured.
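The servlet counterpart, a single user-provided WebSecurityConfigurerAdapter that replaces the two adapters named above, as an added example that is not part of the original issue or of Spring Boot's own code. It assumes Spring Boot 2.2 / Spring Security 5.2 and an OpaqueTokenIntrospector bean created from the spring.security.oauth2.resourceserver.opaquetoken.* properties; the class name CombinedServletSecurityConfig is made up.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;

// Hypothetical user configuration: a user-defined WebSecurityConfigurerAdapter makes
// both OAuth2WebSecurityConfiguration.OAuth2WebSecurityConfigurerAdapter and
// OAuth2ResourceServerOpaqueTokenConfiguration's opaque-token adapter back off,
// so this one adapter must configure client, login and resource server together.
@Configuration
@EnableWebSecurity
public class CombinedServletSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must be authenticated, matching both auto-configured adapters.
        http.authorizeRequests((requests) -> requests.anyRequest().authenticated());

        // OAuth2 client/login side.
        http.oauth2Login();
        http.oauth2Client();

        // Opaque-token resource server side; the introspector bean from Boot's
        // opaquetoken properties is picked up automatically (assumed present).
        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
    }
}
```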

@wilkinsona wilkinsona changed the title Document the need to provide a SecurityWebFilterChain when using multiple reactive OAuth 2 security components Document the need to provide a SecurityWebFilterChain or WebSecurityConfigurerAdapter when using multiple OAuth 2 security components Oct 16, 2019
JYK0128 added a commit to JYK0128/backend that referenced this issue Nov 16, 2020
get bug when use client and resource together.
- spring-projects/spring-boot#18507
JYK0128 added a commit to JYK0128/backend that referenced this issue Nov 16, 2020
get bug when use client and resource together.
- spring-projects/spring-boot#18507

set-up cors