Login per Access Token and normal form login does not work
I am trying to secure my application in different ways.
1st: the API part (/api/**) should be secured by an OAuth token.
2nd: the other parts should be secured by a normal form login with username and password.
With my WebSecurityConfig, I can secure the API part. But for the normal route /user, the form login is shown but nothing happens after submitting the login credentials.
I hope you can give me a hint about what I am doing wrong.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Scope;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// CustomRequestCache, SecurityUtils, Role, User and UserRepository are the
// application's own classes (not shown in the question); they are assumed to
// live in the same package.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class WebSecurityConfig {

    @Configuration
    @Order(1)
    @EnableResourceServer
    public static class ApiWebSecurityConfig extends ResourceServerConfigurerAdapter {

        @Value("${security.signing-key}")
        private String signingKey;
        @Value("${security.encoding-strength}")
        private Integer encodingStrength;
        @Value("${security.security-realm}")
        private String securityRealm;
        @Value("${security.jwt.resource-ids}")
        private String resourceIds;

        @Autowired
        private ResourceServerTokenServices tokenServices;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // This chain only handles requests under /api/**; the token endpoint is left open.
            http.antMatcher("/api/**").authorizeRequests()
                .antMatchers("/oauth/token").permitAll();
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.resourceId(resourceIds).tokenServices(tokenServices);
        }

        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            // JWTs are verified with the symmetric signing key from the properties file.
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            converter.setSigningKey(signingKey);
            return converter;
        }

        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(accessTokenConverter());
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setTokenStore(tokenStore());
            defaultTokenServices.setSupportRefreshToken(true);
            return defaultTokenServices;
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final String LOGIN_PROCESSING_URL = "/login";
        private static final String LOGIN_FAILURE_URL = "/login?error";
        private static final String LOGIN_URL = "/login";
        private static final String LOGOUT_SUCCESS_URL = "/logout";
        private static final String LOGIN_SUCCESS_URL = "/user";

        @Autowired
        private PasswordEncoder passwordEncoder;
        @Autowired
        private UserDetailsService userDetailsService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher("/user") restricts this entire chain, including its
            // form-login filter, to requests whose path is exactly /user.
            http.antMatcher("/user")
                .requestCache().requestCache(new CustomRequestCache())
                // Restrict access to our application.
                .and().authorizeRequests()
                // Allow all flow internal requests.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                // Allow all requests by logged in users.
                .anyRequest().hasAnyAuthority(Role.getAllRoles())
                // Configure the login page.
                .and().formLogin().loginPage(LOGIN_URL).permitAll()
                .loginProcessingUrl(LOGIN_PROCESSING_URL)
                .failureUrl(LOGIN_FAILURE_URL)
                // Register the success handler that redirects users to the page they
                // last tried to access.
                .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
                // defaultSuccessUrl(..., true) installs its own success handler and so
                // replaces the one registered on the line above.
                .defaultSuccessUrl(LOGIN_SUCCESS_URL, true)
                // Configure logout.
                .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers(
                // icons and images... (patterns elided in the question)
            );
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Bean
        @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
        public User currentUser(UserRepository userRepository) {
            return userRepository.findByEmailIgnoreCase(SecurityUtils.getUsername());
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            super.configure(auth);
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
            // auth.userDetailsService(userDetailsService);
        }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    }
}
```
spring-security login access-token spring-security-oauth2
asked Mar 26 at 9:05 by einue
I fixed the problem by removing the @Order(2) in FormWebSecurityConfig. But I don't really understand why...
– einue, Mar 28 at 9:08
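The behaviour the question describes comes down to how Spring Security picks a filter chain: the registered chains are tried in ascending @Order, the first chain whose request matcher (the pattern given to http.antMatcher(...)) accepts the path gets the request, and a request that no chain matches is not seen by any security filter at all. The following script is an added illustration, not code from the question or from Spring; it is a simplified stand-in for Spring's AntPathMatcher (only `**`, `*` and `?` are modelled) that audits a set of chains against sample request paths. The two chains are taken from the question (@Order(1) on /api/**, @Order(2) on /user); the sample paths and the "catch-all" alternative, in which the form chain's matcher is widened to /**, are constructed for the example and are not from the page.

```python
"""Model of how Spring Security selects a filter chain for a request.

Added illustration: a simplified stand-in for Spring's AntPathMatcher and
chain ordering, used to list request paths that no configured chain handles.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    '/**' spans zero or more whole path segments, '*' matches any run of
    characters inside one segment, '?' matches one character, and every
    other character is taken literally (simplified model, not Spring's code).
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            parts.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


@dataclass(order=True)
class FilterChain:
    order: int      # value of the chain's @Order annotation
    name: str       # label used in the audit output
    matcher: str    # pattern passed to http.antMatcher(...)


def select_chain(chains: List[FilterChain], path: str) -> Optional[str]:
    """Name of the first chain (ascending order) whose matcher accepts the
    path, or None when the request would bypass every configured chain."""
    for chain in sorted(chains):
        if ant_to_regex(chain.matcher).match(path):
            return chain.name
    return None


def uncovered(chains: List[FilterChain], paths: List[str]) -> List[str]:
    """Sample paths that no chain handles, i.e. that no login filter sees."""
    return [p for p in paths if select_chain(chains, p) is None]


# The two chains as declared in the question: the API resource server at
# @Order(1) restricted to /api/**, the form-login chain at @Order(2)
# restricted to exactly /user.
QUESTION_CHAINS = [
    FilterChain(2, "form", "/user"),
    FilterChain(1, "api", "/api/**"),
]

# Hypothetical alternative (not from the question): same API chain, but the
# form chain is given a catch-all matcher so it also receives /login and
# /logout; /api/** still goes to the API chain because it is tried first.
CATCH_ALL_CHAINS = [
    FilterChain(2, "form", "/**"),
    FilterChain(1, "api", "/api/**"),
]

# Constructed sample request paths covering the URLs named in the question.
SAMPLE_PATHS = ["/api/orders/7", "/user", "/login", "/logout", "/user/profile"]


if __name__ == "__main__":
    for label, chains in (("question", QUESTION_CHAINS), ("catch-all", CATCH_ALL_CHAINS)):
        print(f"[{label}]")
        for path in SAMPLE_PATHS:
            print(f"  {path:16} -> {select_chain(chains, path)}")
        print(f"  uncovered: {uncovered(chains, SAMPLE_PATHS)}")
```

Run against the question's two chains, only /api/... and /user are assigned to a chain; /login, /logout and /user/profile fall through both, which is why a POST to /login never reaches the form chain's authentication filter. The same audit is worth running on any multi-chain configuration, since a path that no chain claims is served without any security filter.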