Standalone Spring OAuth2 JWT Authorization Server + CORS -


so have following authorization server condensed this example dave syer

@springbootapplication public class authserverapplication {      public static void main(string[] args) {             springapplication.run(authserverapplication.class, args);     }      /* added later     @configuration     @order(ordered.highest_precedence)     protected static class mywebsecurity extends websecurityconfigureradapter {          @override         protected void configure(httpsecurity http) throws exception {             http //.csrf().disable()                  .authorizerequests()                 .antmatchers(httpmethod.options, "/oauth/token").permitall();        }     }*/      @configuration     @enableauthorizationserver     protected static class oauth2authorizationconfig extends                     authorizationserverconfigureradapter {              @autowired             private authenticationmanager authenticationmanager;              @bean             public jwtaccesstokenconverter jwtaccesstokenconverter() {                     jwtaccesstokenconverter converter = new jwtaccesstokenconverter();                     keypair keypair = new keystorekeyfactory(                                     new classpathresource("keystore.jks"), "foobar".tochararray())                                     .getkeypair("test");                     converter.setkeypair(keypair);                     return converter;             }              @override             public void configure(clientdetailsserviceconfigurer clients) throws exception {                     clients.inmemory()                                     .withclient("acme")                                     //.secret("acmesecret")                                     .authorizedgranttypes(//"authorization_code", "refresh_token",                                                     "password").scopes("openid");             }              @override             public void configure(authorizationserverendpointsconfigurer endpoints)                             throws exception {                     endpoints.authenticationmanager(authenticationmanager).accesstokenconverter(                                     jwtaccesstokenconverter());             }              @override             public void configure(authorizationserversecurityconfigurer oauthserver)                             throws exception {                     oauthserver.tokenkeyaccess("permitall()").checktokenaccess(                                     "isauthenticated()");             }     } }

when run , test curl

curl acme@localhost:8110/oauth/token -d grant_type=password -d client_id=acme -d username=user -d password=password

i jwt respons, try access authserver frontend (angular js on different port) cors error. not becauce of missing headers, because option request rejected , missing credentials.

request url:http://localhost:8110/oauth/token request method:options status code:401 unauthorized www-authenticate:bearer realm="oauth", error="unauthorized", error_description="full authentication required access resource"

i knew have add corsfilter , additionally found this post used the snippet first answer let options request access /oauth/token without credentials:

@order(-1) public class mywebsecurity extends websecurityconfigureradapter {    @override    protected void configure(httpsecurity http) throws exception {        http           .authorizerequests()           .antmatchers(httpmethod.options, "/oauth/token").permitall();    } }

after got curl following error:

{"timestamp":1433370068120,"status":403,"error":"forbidden","message":"expected csrf token not found. has session expired?","path":"/oauth/token"}

so make simple added http.csrf().disable() configure method of mywebsecurity class, solves problem option request, therefore post request isn't working anymore , there no client authentication. try adding appropriate authentication filter. (also curl).

i tried find out if have somehow connect mywebsecurity class , authserver, without luck. original example (link in beginning) injects authenticationmanager, changed nothing me.

found reason problem!

i needed end filterchain , return result immediatly if options request processed corsfilter!

simplecorsfilter.java

@component @order(ordered.highest_precedence) public class simplecorsfilter implements filter {      public simplecorsfilter() {     }      @override     public void dofilter(servletrequest req, servletresponse res, filterchain chain) throws ioexception, servletexception {         httpservletresponse response = (httpservletresponse) res;         httpservletrequest request = (httpservletrequest) req;         response.setheader("access-control-allow-origin", "*");         response.setheader("access-control-allow-methods", "post, get, options, delete");         response.setheader("access-control-max-age", "3600");         response.setheader("access-control-allow-headers", "x-requested-with, authorization");          if ("options".equalsignorecase(request.getmethod())) {             response.setstatus(httpservletresponse.sc_ok);         } else {             chain.dofilter(req, res);         }     }      @override     public void init(filterconfig filterconfig) {     }      @override     public void destroy() {     } }

after ignore options preflight request in authserver =d

so server works in snipped above , can ignore block comment mywebsecurity class in beginning.


Comments

Post a Comment

Popular posts from this blog

javascript - Bootstrap Popover: iOS Safari strange behaviour -

i looking through twitter bootstrap documentation, , i'm interested in implementing dismissible popover when button clicked. here example bootstrap's docs: http://getbootstrap.com/javascript/#dismiss-on-next-click when press "dismissible popover" button os x safari browser works fine. when access same link above ios safari, button not work. is, popover not dismissed on click. why button not working ios safari? the example linked using data-trigger="focus" attribute. try changing data-trigger="click" . <a tabindex="0" class="btn btn-lg btn-danger" role="button" data-toggle="popover" data-trigger="click" title="dismissible popover" data-content="and here's amazing content. it's engaging. right?">dismissible popover</a>
Read more

Magento/PHP - Get phones on all members in a customer group -

i working on custom magento extension. working around adminhtml part , i've created custom form there. here form code: <?php class vivasindustries_smsnotification_block_adminhtml_sms_sendmass_edit_form extends mage_adminhtml_block_widget_form { public function _preparelayout() { $extensionpath = mage::getmoduledir('js', 'vivasindustries_smsnotification'); $head = $this->getlayout()->getblock('head'); $head->addjs('jquery.js'); $head->addjs('vivas.js'); return parent::_preparelayout(); } protected function _prepareform() { $form = new varien_data_form(array( 'id' => 'edit_form', 'action' => $this->geturl('*/*/save', array('id' => $this->getrequest()->get...
Read more

session - Logging Out Using PHP -

i have seen other programs regarding can't seem make work. doing wrong? want achieve after user logged out, going previous pages become restricted. i have 3 php files: 1. sample.php - main page username , password filled in 2. successful.php - user's page after logging in 3. logout.php - destorys session hinder user access pages after logging out sample.php </html> <form action="" method="post"> <table> <tr> <td>username:</td> <td>password:</td> </tr> <tr> <td><input type="text" name="username"></td> <td><input type="password" name="password"></td> </tr> <tr> <td><input type="submit" value="submit" name="submit"></td> </tr> </table> </form> </html> <?php $servername = "localhost"; $username = ...
Read more