Spring security Oauth 2 with ajax login and form login

» java » Spring security Oauth 2 with ajax login and form login

By : Scott Yarbrough

Date : December 01 2020, 05:00 PM

it should still fix some issue The way spring security manages form based authentication is totaly different what you are trying to achive through oauth2.0. When you are using ajax (oauth2.0) way of authenticating (which is actualy authorization process of client application by user with username and password) user, only your client application (application through which you are firing ajax request) will get authenticated through spring security filter and SecurityContextHolder will have authentication object of authenticated client application not the user. If you will see your security configuration you are allowing all the request to pass without authentication in case of non ajax login. To enable form based login you need to configure your security to protect all other url except login url... something as given below

code :

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers("/**")
                .authenticated().and().formLogin();
    }

Share :

Spring Security OAuth2 - Is it possible to using client form login instead of the authorization server's form login?

By : user3348529

Date : March 29 2020, 07:55 AM

Hope that helps Anything is possible, but since the main reason for OAuth2 to have the auth code flow is to avoid that scenario, it defeats the object somewhat. What do you need OAuth2 for (maybe you should just authenticate everything locally in your app)?

Spring Security OAuth 2 with form login

By : Dylan R

Date : March 29 2020, 07:55 AM

I think the issue was by ths following , With SSO the whole point is that the user authenticates with the auth server (localhost:8081 in your case). If you want a form login, that's where you need to implement it, not in the client app.

How to configure Spring Boot and Spring Security to support both form login and Google OAuth2 login

By : laxpro2001

Date : March 29 2020, 07:55 AM

seems to work fine I am strugging to configure a Spring Boot application with Spring Security to support two login mechanisms: form login and Google OAuth2 login. , This is how I solved it using two WebSecurityConfigurerAdapters:

code :

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Configuration
    @Order(1)
    static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/secure-home")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
        }
    }

    @Configuration
    @Order(2)
    static class OAuth2SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        private final String LOGIN_URL = "/googleLogin";

        @Autowired
        OAuth2ClientContextFilter oAuth2ClientContextFilter

        @Bean
        AuthenticationEntryPoint authenticationEntryPoint() {
            new LoginUrlAuthenticationEntryPoint(LOGIN_URL)
        }

        @Bean
        OpenIDConnectAuthenticationFilter openIdConnectAuthenticationFilter() {
            new OpenIDConnectAuthenticationFilter(LOGIN_URL)
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .addFilterAfter(oAuth2ClientContextFilter, AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterAfter(openIdConnectAuthenticationFilter(), OAuth2ClientContextFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
                .authorizeRequests()
                    .antMatchers(GET, "/googleOAuth2").authenticated()
        }
    }
}

Spring security configure 2 kind of login behaviors - ajax response JSON & form login redirect new page

By : Kareem Yousry

Date : March 29 2020, 07:55 AM

around this issue Just think of simply hack by submitting additional parameter in the login form or Ajax

code :

<input type="hidden" name="responseJson" value="true"/>

String responseJson = request.getParameter("responseJson"); 
if (responseJson != null && responseJson.equals("true")){
    response.setContentType("text/json");
    PrintWriter out = response.getWriter();
    out.print(jsonObjectAboutFailLogin.toString());
    out.flush();
}

Spring with two security configurations - failed API login redirects to form login page. How to change?

By : user3427607

Date : March 29 2020, 07:55 AM

should help you out I added an @Override of unsuccessfulAuthentication() to my Authentication filter
The grandparent class (AbstractAuthenticationProcessingFilter) has a method for unsuccessful authentications (i.e. AuthenticationException) which delegates to an authentication failure handler class. I could have created my own custom authentication failure handler, but instead decided to simply override the unsuccessfulAuthentication method with some code that sends back a response with a 401 status and a JSON error message:

code :

@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
    // TODO: enrich/improve error messages
    response.setStatus(response.SC_UNAUTHORIZED);
    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
    response.setCharacterEncoding(StandardCharsets.UTF_8.toString());
    response.getWriter().write("{\"error\": \"authentication error?\"}");
}

public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        // TODO: enrich/improve error messages
        response.setStatus(response.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding(StandardCharsets.UTF_8.toString());
        response.getWriter().write("{\"error\": \"unauthorized?\"}");
    }
}

@Configuration
@Order(1)
public static class APISecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(authenticationManager());
        jwtAuthenticationFilter.setFilterProcessesUrl("/api/login");

        http.antMatcher("/api/**")
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(new RESTAuthenticationEntryPoint())
                    .and()
                .addFilter(jwtAuthenticationFilter)
                .addFilter(new JWTAuthorizationFilter(authenticationManager()));
    }
}