I am using the Spring Security OAuth 2.0 password flow to get a bearer token from the "oauth/token" endpoint. The subsequent request to the server sends back a Set-Cookie header for the JSESSIONID. When the UI sends back the JSESSIONID, the server returns the anonymous user instead of the signed-in user.
For some reason the JSESSIONID is not associated with the auth token. The association of JSESSIONID and auth token was working with Spring Boot 1.5 and spring-security-oauth2 2.0.0.RELEASE, but not after upgrading to Spring Boot 2.0.8 and spring-security-oauth2 2.3.4.RELEASE.
REQUEST1
http://localhost:9090/oauth/token
{
"access_token": "a06f4924-0bf0-4726-8932-eeb0afb3758f",
"token_type": "bearer",
"expires_in": 43199,
"scope": "read write"
}
REQUEST 2
http://localhost:9090/signin/check
HEADERS
authorization Bearer a06f4924-0bf0-4726-8932-eeb0afb3758f
RESPONSE
HEADERS
Set-Cookie →JSESSIONID=42477E242D38FA91A6DA61F92DCF4234; Path=/artulous-dev-v2; HttpOnly
BODY
{
"id": 37,
"firstName": null,
"lastName": null,
"email": null,
"displayName": "demo User",
"userPic": "img/user.jpg",
"userThumb": null,
"sessionId": null,
"orgId": 28,
"orgDisplayName": "INTERNET",
"roles": [
{
"name": "ROLE_USER",
"id": 2
}
],
"activities": [
"ROLE_USER",
"ROLE_USER",
"upload_images"
],
"signedIn": true,
"admin": false
}
REQUEST 3
http://localhost:9090/artulous-dev-v2/signin/check
Sends the JSESSIONID cookie but not the auth token.
BODY
{
"id": null,
"firstName": null,
"lastName": null,
"email": null,
"displayName": null,
"userPic": null,
"userThumb": null,
"sessionId": "42477E242D38FA91A6DA61F92DCF4234",
"orgId": null,
"orgDisplayName": null,
"roles": [],
"activities": [],
"signedIn": false,
"admin": false
}
ACTUAL RESULT: anonymous user, but the signed-in user was expected.
Dependencies
Spring boot version 2.0.8.RELEASE
compile ("org.springframework.boot:spring-boot-starter-log4j2")
compile("org.springframework.boot:spring-boot-starter-data-jpa")
compile("org.springframework.boot:spring-boot-starter-data-rest")
compile("org.springframework.security.oauth:spring-security-oauth2:2.3.4.RELEASE")
AuthorizationServerConfig.java
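@Configuration
@EnableAuthorizationServer
@Order(Ordered.LOWEST_PRECEDENCE - 100)
public class AuthorizationServerConfigurer extends
        AuthorizationServerConfigurerAdapter {

    /** Authenticates resource owners at the token endpoint (needed for the password grant). */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** User store; combined with the client store in configure(ClientDetailsServiceConfigurer). */
    @Autowired
    UserDetailsService userDetailsService;

    /** Encoder applied to every client secret before it is registered. */
    @Autowired
    PasswordEncoder passwordEncoder;

    /** Single service resolving both clients and users; built during client configuration. */
    private ClientAndUserDetailsService combinedService;

    /**
     * Hands the authentication manager to the token endpoint so resource-owner
     * credentials presented under the {@code password} grant can be verified.
     *
     * @param endpoints endpoint configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    /**
     * Registers the two in-memory clients and exposes them, together with the
     * user details service, through one {@link ClientAndUserDetailsService}.
     *
     * <p>Both secrets are run through {@code passwordEncoder}. Previously only
     * {@code mobile} was encoded while {@code mobileReader} was stored in plain
     * text, which never matches under an encoding encoder (and, if the injected
     * encoder is a {@code DelegatingPasswordEncoder}, is rejected outright for
     * lacking an {@code {id}} prefix).
     *
     * @param clients client registry supplied by the framework
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        // NOTE(review): these are hard-coded sample secrets; real deployments
        // should load them from externalised configuration, not source.
        String mobileSecret = passwordEncoder.encode("mobilesecret");
        String mobileReaderSecret = passwordEncoder.encode("mobileReaderSecret");

        ClientDetailsService clientDetails = new InMemoryClientDetailsServiceBuilder()
                .withClient("mobile")
                    .secret(mobileSecret)
                    .authorizedGrantTypes("password")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write")
                .and()
                .withClient("mobileReader")
                    .secret(mobileReaderSecret)
                    .authorizedGrantTypes("password")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .accessTokenValiditySeconds(3600)
                .and()
                .build();

        combinedService = new ClientAndUserDetailsService(clientDetails, userDetailsService);
        clients.withClientDetails(combinedService);
    }
}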
ResourceServerConfig.java
@Configuration
@EnableResourceServer
public class ResourceSecurityConfigurer extends
ResourceServerConfigurerAdapter {
// Logout handler registered in configure(HttpSecurity) through addLogoutHandler.
@Autowired
SignOutHandler signOutHandler;
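/**
 * Resource-server level settings for this chain.
 *
 * <p>{@code stateless(false)} allows a caller who authenticated with a bearer token
 * to be recognised on later requests that carry only the JSESSIONID cookie. With the
 * default ({@code stateless = true}) the OAuth2 processing filter treats the resource
 * as token-only and, as far as I recall for 2.3.x, clears a session-backed
 * SecurityContext when no token is presented — consistent with the anonymous response
 * in REQUEST 3. TODO confirm against the filter in the deployed 2.3.4 release.
 *
 * @param resources resource-server configurer supplied by the framework
 * @throws Exception propagated from the configurer
 */
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    // Once the session is an accepted credential, a cookie alone can drive requests;
    // CSRF is disabled in configure(HttpSecurity), so reconsider that for any
    // state-changing endpoint reachable this way.
    resources.stateless(false);
}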
// Application name from the spring.application.name property; used in
// configure(HttpSecurity) to permit "/" + appName + "/**".
@Value("${spring.application.name}")
private String appName;
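/**
 * Access rules for the resource-server filter chain.
 *
 * <p>Every path in the public list is open to anonymous callers; anything else is
 * denied outright ({@code /**} → {@code denyAll}). Session handling, logout,
 * remember-me and the Spring Social configurer are applied on the same chain.
 * The duplicate {@code authorizeRequests()} call of the previous version was a
 * no-op (it returns the same registry) and has been dropped.
 *
 * @param http the {@link HttpSecurity} builder for this chain
 * @throws Exception propagated from the builder
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF is disabled while this chain also relies on the HTTP
    // session (IF_REQUIRED, remember-me, logout). State-changing endpoints that
    // accept a cookie-authenticated caller are then exposed to cross-site request
    // forgery; re-enable CSRF for those paths or keep them token-only.
    http.csrf().disable();

    http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            // issue a fresh session id on authentication to counter session fixation
            .sessionFixation().changeSessionId();

    // Paths open to everyone. Their relative order is irrelevant (all permitAll);
    // what matters is that they are registered before the catch-all denyAll.
    String[] publicPaths = {
        "/",
        "/img/**",
        "/fonts/**",
        "/api-docs/**",
        "/v2/api-docs/**",
        "/swagger/**",
        "/springfox/**",
        "/swagger-ui.html",
        "/api/**",
        "/api-repo/**",
        "/service/**",
        "/bower_components/**",
        "/stylesheets/**",
        "/album/**",
        "/appbase/**",
        "/studio/**",
        "/" + appName + "/**",
        "/playground/**",
        "/partials/**",
        "/3pl/**",
        "/robots.txt",
        "/sitemap.xml",
        "/index.html",
        "/signup/**",
        "/signup.html",
        "/register.html",
        "/signin/**",
        "/login/**",
        "/auth/**",
        "/disconnect/facebook",
        "/login/facebook",
        "/connect/facebook"
    };

    http.authorizeRequests()
            .antMatchers(publicPaths).permitAll()
            .antMatchers("/**").denyAll()
        .and()
            .anonymous()
        .and()
            .logout().permitAll()
                .logoutUrl("/signout")
                .addLogoutHandler(signOutHandler)
                .deleteCookies("remember-me")
        .and()
            .rememberMe()
        .and()
            .apply(new SpringSocialConfigurer());
}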