
Resource Server should identify unauthorized REST requests like HTTP Basic does #9100


Closed
jzheaux opened this issue Oct 6, 2020 · 0 comments
Labels: in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)), type: enhancement (A general enhancement)

Comments

@jzheaux (Contributor) commented Oct 6, 2020

When a web application is configured for a browser-based authentication mechanism in addition to Resource Server, empty unauthenticated requests default to the browser-based mechanism.

For example, if an application does

```java
http
    .authorizeRequests((authz) -> authz
        .anyRequest().authenticated()
    )
    .oauth2Login(withDefaults())
    .oauth2ResourceServer(withDefaults())
```

And then a REST request is made like so:

```shell
curl localhost:8080
```

Then the response will be a 302 instead of a 401.

The reason is that OAuth2ResourceServerConfigurer registers its AuthenticationEntryPoint only with the condition that the request contains an Authorization header. Because the above request has no Authorization header, Resource Server's entry point isn't activated.

HttpBasicConfigurer registers its AuthenticationEntryPoint with a condition that the request not appear to be a browser-based request. Thus, it's activated when there's a bad Authorization header, but also when it appears to be a REST request.

OAuth2ResourceServerConfigurer should adopt the strategy employed by HttpBasicConfigurer so that requests like:

```shell
curl localhost:8080
```

result in a 401 instead of a 302.
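The workaround available to an application until the configurer itself changes, as an added example that is not code from the issue or from Spring Security: replicate the "does not look like a browser" matcher HttpBasicConfigurer uses and register Resource Server's 401 entry point under it explicitly through `exceptionHandling().defaultAuthenticationEntryPointFor(...)`. The configuration is written against the Spring Security 5.4-era `WebSecurityConfigurerAdapter` (matching the `authorizeRequests` DSL in the issue); the class name `RestAwareSecurityConfig` and the helper `nonBrowserRequest()` are my own names, not anything from the project.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.accept.ContentNegotiationStrategy;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;

/**
 * Added example (hypothetical class name): oauth2Login plus oauth2ResourceServer,
 * with Resource Server's 401 entry point additionally registered for requests
 * that do not look like they come from a browser. A bare "curl localhost:8080"
 * then gets a 401, while a request with "Accept: text/html" still gets the
 * 302 to the login flow.
 */
@Configuration
@EnableWebSecurity
public class RestAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests((authz) -> authz
                .anyRequest().authenticated()
            )
            .oauth2Login(withDefaults())
            .oauth2ResourceServer(withDefaults())
            // Registered here, before the configurers' init() runs, so this
            // mapping is consulted first and also becomes the fallback when no
            // registered matcher matches. Resource Server's own registration
            // (Authorization header present) is left in place.
            .exceptionHandling((exceptions) -> exceptions
                .defaultAuthenticationEntryPointFor(
                    new BearerTokenAuthenticationEntryPoint(), // 401 + WWW-Authenticate: Bearer
                    nonBrowserRequest())
            );
    }

    /**
     * Mirrors the matcher HttpBasicConfigurer uses for its entry point: an XHR
     * request, or a REST-style Accept header that does not include text/html,
     * or an Accept header that is exactly the wildcard type (what curl sends).
     */
    private static RequestMatcher nonBrowserRequest() {
        ContentNegotiationStrategy negotiation = new HeaderContentNegotiationStrategy();

        // Accept values a REST client would send. "*/*" is ignored here so that a
        // browser's "text/html,...,*/*;q=0.8" does not accidentally count as REST.
        MediaTypeRequestMatcher rest = new MediaTypeRequestMatcher(negotiation,
                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED,
                MediaType.APPLICATION_JSON, MediaType.APPLICATION_OCTET_STREAM,
                MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA, MediaType.TEXT_XML);
        rest.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        // An Accept header that is exactly "*/*" (curl's default, and what a
        // missing Accept header resolves to) is treated as non-browser.
        MediaTypeRequestMatcher acceptAllOnly = new MediaTypeRequestMatcher(negotiation, MediaType.ALL);
        acceptAllOnly.useEquals(true);

        RequestMatcher notHtml = new NegatedRequestMatcher(
                new MediaTypeRequestMatcher(negotiation, MediaType.TEXT_HTML));
        RequestMatcher restNotHtml = new AndRequestMatcher(Arrays.asList(notHtml, rest));

        RequestMatcher xhr = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

        return new OrRequestMatcher(Arrays.asList(xhr, restNotHtml, acceptAllOnly));
    }
}
```

To check the behaviour, run `curl -i localhost:8080` (expect a 401 with a `WWW-Authenticate: Bearer` header) and `curl -i -H 'Accept: text/html' localhost:8080` (expect the 302 to the login flow). Order matters: `ExceptionHandlingConfigurer` consults the `defaultAuthenticationEntryPointFor` registrations in the order they were added and uses the first one as the fallback, so registering this mapping in `configure(HttpSecurity)` puts it ahead of the login and bearer registrations the configurers add during their `init()`.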

jzheaux added the "status: waiting-for-triage" (An issue we've not yet triaged) and "type: enhancement" (A general enhancement) labels on Oct 6, 2020
jzheaux self-assigned this on Oct 6, 2020
jzheaux added the "in: oauth2" label (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)) and removed the "status: waiting-for-triage" label on Oct 6, 2020
jzheaux added this to the 5.5.0-M1 milestone on Oct 6, 2020
jzheaux added a commit to jzheaux/spring-security that referenced this issue on Oct 6, 2020
jgrandja modified the milestone from 5.5.0-M1 to 5.5.0-M2 on Nov 3, 2020
jzheaux changed the title from "Resource Server should identify unauthorized REST requests like HTTP Basic" to "Resource Server should identify unauthorized REST requests like HTTP Basic does" on Nov 12, 2020