I have an OAuth2 implementation that is working fine for the grant type = password. Now I need to add a logic of restricting the same user/password combination to be allowed to login again if the user is logged in earlier. For that, I researched and figured that I to create a new class (MyDefaultTokenService) that extends the DefaultTokenServices class and then add my logic in the overriden createAccessToken method. But for some reason when I debug and test, I dont hit the breakpoints placed in MyDefaultTokenService class. It always hits the Springboot’s DefaultTokenServices class. I dont know where I am going wrong, could somebody please.
AuthorizationConfiguration.java
package com.company.config; import java.util.Arrays; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.bind.RelaxedPropertyResolver; import org.springframework.context.EnvironmentAware; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Primary; import org.springframework.core.env.Environment; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.TokenRequest; import org.springframework.security.oauth2.provider.token.DefaultTokenServices; import org.springframework.security.oauth2.provider.token.TokenEnhancer; import org.springframework.security.oauth2.provider.token.TokenEnhancerChain; import org.springframework.security.oauth2.provider.token.TokenStore; import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore; import com.alcord.enums.Authorities; import com.alcord.model.Account; @Configuration @EnableAuthorizationServer public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter implements EnvironmentAware { private static final String ENV_OAUTH = "authentication.oauth."; private static final String PROP_CLIENTID = "clientid"; private static final String PROP_SECRET = "secret"; private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds"; private RelaxedPropertyResolver propertyResolver; @Autowired private DataSource dataSource; @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource); } @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain(); tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer())); endpoints.tokenStore(tokenStore()).tokenEnhancer(tokenEnhancerChain) .authenticationManager(authenticationManager); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory().withClient(propertyResolver.getProperty(PROP_CLIENTID)).scopes("read", "write") .authorities(Authorities.ROLE_ADMIN.name(), Authorities.ROLE_DRIVER.name(), Authorities.ROLE_PASSENGER.name()) .authorizedGrantTypes("password", "refresh_token", "authorization_code", "implicit") .secret(propertyResolver.getProperty(PROP_SECRET)).accessTokenValiditySeconds( propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800)); } @Override public void setEnvironment(Environment environment) { this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH); } @Bean public TokenEnhancer tokenEnhancer() { return new CustomTokenEnhancer(); } @Bean @Primary public DefaultTokenServices tokenServices() { MyTokenService tokenService = new MyTokenService(); tokenService.setTokenStore(tokenStore()); tokenService.setSupportRefreshToken(true); tokenService.setTokenEnhancer(tokenEnhancer()); return tokenService; } class MyTokenService extends DefaultTokenServices { public MyTokenService() { } @Override public OAuth2AccessToken readAccessToken(String accessToken) { return super.readAccessToken(accessToken); } @Override public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException { OAuth2AccessToken token = super.createAccessToken(authentication); Account account = (Account) authentication.getPrincipal(); // This is where I will add my logic when it hits the breakpoint. return token; } @Override public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException { OAuth2AccessToken token = super.refreshAccessToken(refreshTokenValue, tokenRequest); return token; } } }
Resource Server Configuration
package com.company.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; import org.springframework.security.oauth2.provider.token.DefaultTokenServices; import org.springframework.security.oauth2.provider.token.TokenStore; import com.alcord.security.CustomAuthenticationEntryPoint; import com.alcord.security.CustomLogoutSuccessHandler; @Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true) public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { // The DefaultTokenServices bean provided at the AuthorizationConfig @Autowired private DefaultTokenServices tokenServices; // The TokenStore bean provided at the AuthorizationConfig @Autowired private TokenStore tokenStore; @Autowired private CustomAuthenticationEntryPoint customAuthenticationEntryPoint; @Autowired private CustomLogoutSuccessHandler customLogoutSuccessHandler; @Override public void configure(HttpSecurity http) throws Exception { http.exceptionHandling().authenticationEntryPoint(customAuthenticationEntryPoint).and().logout() .logoutUrl("/oauth/logout").logoutSuccessHandler(customLogoutSuccessHandler).and().csrf().disable() .headers().frameOptions().disable().exceptionHandling().and().sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll().antMatchers("/api/v1/login/**").permitAll() .antMatchers("/api/v1/admin/**").permitAll().antMatchers("/api/v1/test/**").permitAll() .antMatchers("/oauth/token").permitAll().antMatchers("/api/**").authenticated(); } @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.tokenServices(tokenServices).tokenStore(tokenStore).resourceId("oauth2_id"); } }
Advertisement
Answer
The answer to this: needed a call to AuthorizationServerEndpointsConfigurer.tokenServices
in the configure
method.
@Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain(); tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer())); endpoints .tokenStore(tokenStore()) .tokenServices(tokenServices()) // missed this! .tokenEnhancer(tokenEnhancerChain) .authenticationManager(authenticationManager); }