Spring Security OAuth2: '#oauth2.xxx' expressions not evaluated with multiple RequestMatchers mapped to the...





In a multi-module app I've defined 5 RequestMatchers mapped to the same FilterChain, like below:



import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class Module1SecurityFilterChain extends ResourceServerConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.sessionManagement().sessionCreationPolicy( STATELESS );
        http.requestMatchers().antMatchers( "/module1/**")
            .and()
            .authorizeRequests()
            .antMatchers( "/module1/resource").authenticated()
            .antMatchers( "/module1/test" ).access( "#oauth2.isClient()")
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
    }
}


And module2:



import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class Module2SecurityFilterChain extends ResourceServerConfigurerAdapter {

    @Override
    public void configure( HttpSecurity http ) throws Exception {
        http.sessionManagement().sessionCreationPolicy( STATELESS );
        http.requestMatchers().antMatchers( "/module2/**")
            .and()
            .authorizeRequests()
            .antMatchers( "/module2/resource").authenticated()
            .antMatchers( "/module2/test" ).access( "#oauth2.isClient()")
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
    }
}


And enabled method security:



import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity( prePostEnabled = true, securedEnabled = true )
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}


The problem is that all #oauth2.xx expressions are evaluated only for the 1st module's request matcher /module1/** and ignored in the others. When I authenticate a user and try to access /module1/test, access is denied as expected, whereas when accessing /module2/test access is granted (it should also be denied).



Could someone explain to me why, and how to solve this? I know Spring Security isn't easy at all...
Thanks again.



EDIT
@Darren Forsythe (thanks for your comment)
The filter chains created are:



INFO | o.s.s.w.DefaultSecurityFilterChain | Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@f55a810b, org.springframework.security.web.context.SecurityContextPersistenceFilter@85021903, org.springframework.security.web.header.HeaderWriterFilter@1d0744d1, org.springframework.security.web.authentication.logout.LogoutFilter@2d15146a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@c38f3266, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@8f9bf85, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@74a71be5, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@e4eb6cc, org.springframework.security.web.session.SessionManagementFilter@22f6b39a, org.springframework.security.web.access.ExceptionTranslationFilter@960c464f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@f7a19dc5]
INFO | o.s.s.w.DefaultSecurityFilterChain | Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/module1/**'], Ant [pattern='/module2/**'], Ant [pattern='/module3/**'], Ant [pattern='/module4/**'], Ant [pattern='/module5/**'], Ant [pattern='/module6/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@38ef2427, org.springframework.security.web.context.SecurityContextPersistenceFilter@a26ff7af, org.springframework.security.web.header.HeaderWriterFilter@5344e710, org.springframework.security.web.authentication.logout.LogoutFilter@da0534c8, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@2956c7ab, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5682f610, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@f4cbf7a4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@d1b1395a, org.springframework.security.web.session.SessionManagementFilter@d352f8ab, org.springframework.security.web.access.ExceptionTranslationFilter@9bb1d86, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@73c7a695]
INFO | o.s.s.w.DefaultSecurityFilterChain | Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1cc2056f, org.springframework.security.web.context.SecurityContextPersistenceFilter@259d95db, org.springframework.security.web.header.HeaderWriterFilter@de089e0b, org.springframework.security.web.authentication.logout.LogoutFilter@8b86b4c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@96304ca8, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d5b7e4b, org.springframework.security.web.session.SessionManagementFilter@bd586b4d, org.springframework.security.web.access.ExceptionTranslationFilter@7cff2571]


As you can see, all modules' URLs are mapped to the same filter chain with this list of filters:



Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
OAuth2AuthenticationProcessingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]


What I don't understand is why, for the other modules, the #oauth2.xx expression is not evaluated, since the FilterChain is the same.










  • I can't remember the answer exactly, but I believe it will be due to the fact that while you're specifying paths, the security filter chain will be created with an Any matcher and all requests will drop into the first chain. If you check startup logs when the filter chains are created you should see two being created; both will be any matcher and contain the separate filters. There's a method you need to set first in the http security to specify what requests the filter is applicable for.

    – Darren Forsythe
    Jan 4 at 11:39






  • Possible duplicate of Multiple Resource server configuration in Spring security OAuth

    – dur
    Jan 4 at 12:30











  • @akuma8 To make more clear: You override property .authorizeRequests() in your second configuration.

    – dur
    Jan 4 at 13:51











  • @akuma8 I found another question containing a solution: stackoverflow.com/questions/47894809/… You could use that question as duplicate target.

    – dur
    Jan 4 at 14:11






  • @akuma8, it's here: docs.spring.io/spring-security/site/docs/current/reference/… where it says that the matchers are processed in order of declaration. It's a bit subtle, though. I've added a ticket to Spring Security to fail fast when something like this happens: github.com/spring-projects/spring-security/issues/6359

    – jzheaux
    Jan 7 at 21:18


















spring spring-boot spring-security spring-security-oauth2






edited Jan 4 at 12:52







akuma8

















asked Jan 3 at 22:50









akuma8

1 Answer
Request matchers (specified in antMatchers, anyRequest, etc.) are processed by the filter chain in the order they are specified. Because multiple ResourceServerConfigurerAdapter instances simply configure off of the same instance of HttpSecurity, the matchers are processed something like this for each one of your requests:



if (uri == "/module1/resource") {
    // ...
} else if (uri == "/module1/test") {
    // ...
} else if (true) { // anyRequest() from module1: matches everything, so nothing below is reached
    // ...
} else if (uri == "/module2/resource") {
    // ...
} else if (uri == "/module2/test") {
    // ...
}


As you can see, the last two if conditions would never get hit.



Here are two things you can consider:



Replace anyRequest()



anyRequest is usually very handy; however, in this case, you don't actually mean "any request" since you are trying to narrow the scope to certain module paths. You might instead do:



http
    .requestMatchers()
        .antMatchers("/module2/**")
        .and()
    .authorizeRequests()
        .antMatchers("/module2/resource").authenticated()
        .antMatchers("/module2/test").access("#oauth2.isClient()")
        .antMatchers("/module2/**").access("#oauth2.hasScope('webclient')");


That way, the module doesn't overreach and try and specify behavior that maybe it doesn't know about.



Truthfully, it is typically harmless to call anyRequest since you are already narrowing the scope of the filter chain with requestMatchers. But, because you are composing a single HttpSecurity with multiple adapters, there is this hidden complexity.




oauth2ResourceServer() - Spring Security 5.1+



If you are on Spring Security 5.1, then there is actually support built into WebSecurityConfigurerAdapter natively, so you don't need to use ResourceServerConfigurerAdapter anymore, at least for JWT-encoded tokens at this point. This is also nice because two WebSecurityConfigurerAdapters are treated as separate filter chains.



Depending on the OAuth 2.0 features you need, you may be able to do that instead:



@EnableWebSecurity
public class Module1Config extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/module1/**")
                .and()
            .authorizeRequests()
                .antMatchers("/module1/resource").authenticated()
                // JWT scopes are exposed as SCOPE_<scope> authorities, so check the
                // authority; hasRole("SCOPE_webclient") would look for ROLE_SCOPE_webclient
                .anyRequest().hasAuthority("SCOPE_webclient")
                .and()
            .oauth2ResourceServer()
                .jwt();
    }
}


This is an active area of development for Spring Security right now - porting features over into WebSecurityConfigurerAdapter; so definitely reach out with your specific use case to make sure that it gets prioritized if it isn't already in place.
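As an added illustration (not code from the question or the answer), the following Python simulation reproduces the first-match evaluation the answer describes and adds a small check that flags rules shadowed by an earlier anyRequest(); the Ant-style matcher and the two rule lists are constructed simplifications of Spring's AntPathMatcher and of the question's merged and corrected configurations.

```python
import re

ANY_REQUEST = None  # stands in for anyRequest(), which matches every request


def ant_to_regex(pattern: str) -> str:
    """Translate a simplified Ant-style path pattern into an anchored regex.

    '**' matches any number of path segments, '*' matches within one
    segment and '?' matches a single non-separator character.
    """
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def matches(pattern, uri: str) -> bool:
    """True when the rule's matcher accepts the request URI."""
    return pattern is ANY_REQUEST or re.match(ant_to_regex(pattern), uri) is not None


def first_match(rules, uri: str):
    """Return the access expression of the first rule that matches uri.

    This mirrors the filter chain's behaviour: rules are consulted in
    declaration order and the first hit wins, so earlier rules shadow
    later ones. Returns None when no rule matches.
    """
    for pattern, access in rules:
        if matches(pattern, uri):
            return access
    return None


def unreachable_rules(rules):
    """Lint: indices of rules that can never be hit.

    A rule is unreachable when an earlier rule is anyRequest() or has the
    identical pattern. Overlap between different patterns (e.g. '/a/**'
    declared before '/a/b') is not detected by this simplified check.
    """
    dead, seen_any, seen = [], False, set()
    for idx, (pattern, _) in enumerate(rules):
        if seen_any or pattern in seen:
            dead.append(idx)
        seen_any = seen_any or pattern is ANY_REQUEST
        seen.add(pattern)
    return dead


# Constructed from the question: both adapters configure the same HttpSecurity,
# so module1's anyRequest() sits in front of every module2 rule.
MERGED_CHAIN = [
    ("/module1/resource", "authenticated"),
    ("/module1/test", "#oauth2.isClient()"),
    (ANY_REQUEST, "#oauth2.hasScope('webclient')"),  # module1's anyRequest()
    ("/module2/resource", "authenticated"),
    ("/module2/test", "#oauth2.isClient()"),
]

# The answer's fix: each module ends with its own '/moduleN/**' instead of anyRequest().
FIXED_CHAIN = [
    ("/module1/resource", "authenticated"),
    ("/module1/test", "#oauth2.isClient()"),
    ("/module1/**", "#oauth2.hasScope('webclient')"),
    ("/module2/resource", "authenticated"),
    ("/module2/test", "#oauth2.isClient()"),
    ("/module2/**", "#oauth2.hasScope('webclient')"),
]

if __name__ == "__main__":
    for uri in ("/module1/test", "/module2/test", "/module2/resource"):
        print(uri, "merged ->", first_match(MERGED_CHAIN, uri),
              "| fixed ->", first_match(FIXED_CHAIN, uri))
    print("unreachable rules in merged chain:", unreachable_rules(MERGED_CHAIN))
```

Running it shows /module2/test falling through to module1's hasScope rule in the merged chain and reaching isClient() in the fixed one, with rules 3 and 4 reported as unreachable in the merged chain.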
  • Thanks for these details, I use Spring Security 5.1.2 and 2.3.4 for OAuth2. You're right to merge the OAuth2 configuration part into Spring Security Core, because it's too cumbersome to have 2 configurations. I often don't know which takes precedence between ResourceServerConfigurerAdapter and WebSecurityConfigurerAdapter. I absolutely didn't know about the oauth2ResourceServer() method. In all cases Spring Security will remain my worst nightmare ^^, I hope to fully understand how it works. Thanks again

    – akuma8
    Jan 8 at 20:54
    @akuma8 Depending on which OAuth 2.0 features you need, you do not need to include OAuth2 2.3.4 (the dependency that includes ResourceServerConfigurerAdapter), see github.com/spring-projects/spring-security/wiki/…. Spring Security 5.1 includes OAuth2 natively and is introducing new OAuth 2.0 features with each release (5.2 is around the corner). Regarding your frustration, how would you like to see Spring Security change? I'd invite you to open tickets with your suggestions: github.com/spring-projects/spring-security/issues/new

    – jzheaux
    Jan 9 at 13:14
answered Jan 8 at 17:36
jzheaux