
By default, Spring Security operates by adding the JSESSIONID cookie to your session. I have used and seen many header-based forms of accomplishing the same result (often making use of a filter or two), but I feel this is something I should be able to set in the configuration, in the form of something like this:

config.setTokenLocation(TokenLocationEnum.HEADER);
config.setTokenName("Bearer");

or

config.setTokenLocation(TokenLocationEnum.COOKIE);
config.setTokenName("JSESSIONID");

I would like to try implementing this myself, but I'd first like to see if anyone has any objections to the idea, and why it is not already implemented.

Thanks

1 Answer

You can configure Spring Security as you want. Session management via JSESSIONID just works out of the box. For example, if you want to use Bearer OAuth 2.0 tokens, you need to configure an AuthServer. This is an example configuration from one of my projects:

import java.security.KeyPair;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.social.google.connect.GoogleConnectionFactory;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
{
    private final AuthenticationManager authenticationManager;

    // Project-specific properties holder: client id/secret, grant types, scopes,
    // token lifetimes and the JWT signing keystore settings.
    private final InGridSecurityProperties inGridSecurityProperties;

    private final GoogleConnectionFactory connectionFactory;

    @Autowired
    public AuthorizationServerConfig(AuthenticationManager authenticationManager, InGridSecurityProperties inGridSecurityProperties, GoogleConnectionFactory connectionFactory) {
        this.authenticationManager = authenticationManager;
        this.inGridSecurityProperties = inGridSecurityProperties;
        this.connectionFactory = connectionFactory;
    }

    // Registers the single OAuth 2.0 client that is allowed to obtain tokens.
    // Note: from spring-security-oauth2 2.3 onward the secret must be stored in the
    // form expected by the configured PasswordEncoder (e.g. a bcrypt hash), not plain text.
    @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception
    {
        clients.inMemory()
                        .withClient( inGridSecurityProperties.getClientId() )
                        .secret( inGridSecurityProperties.getClientSecret() )
                        .authorities( "ROLE_TRUSTED_CLIENT" )
                        .authorizedGrantTypes( inGridSecurityProperties.getGrantTypes() )
                        .scopes( inGridSecurityProperties.getClientScope() )
                        .accessTokenValiditySeconds(
                                        inGridSecurityProperties.getAccessTokenValiditySeconds() )
                        .refreshTokenValiditySeconds(
                                        inGridSecurityProperties.getRefreshTokenValiditySeconds() );
    }

    // /oauth/token_key only exposes the public verification key when an RSA key pair is
    // configured, so anonymous access to it is acceptable; /oauth/check_token is restricted.
    @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
    {
        security.tokenKeyAccess( "isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')" )
                        .checkTokenAccess( "hasAuthority('ROLE_TRUSTED_CLIENT')" );
    }

    // Issues JWT access tokens signed with the key pair below; the AuthenticationManager
    // is needed for the password grant.
    @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                    throws Exception
    {
        endpoints
                        .authenticationManager( authenticationManager )
                        .tokenStore( jwtTokenStore() )
                        .tokenEnhancer( jwtAccessTokenConverter() );
    }

    @Bean
    public TokenStore jwtTokenStore()
    {
        // Nothing is persisted: the store only verifies the signature and decodes the claims.
        return new JwtTokenStore( jwtAccessTokenConverter() );
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter()
    {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Load the RSA signing key pair from a keystore on the classpath; keep the
        // keystore and its passwords out of source control.
        KeyPair keyPair = new KeyStoreKeyFactory(
                        new ClassPathResource( inGridSecurityProperties.getJwtKeyStore() ),
                        inGridSecurityProperties.getJwtKeyStorePassword().toCharArray() )
                        .getKeyPair( inGridSecurityProperties.getJwtKeyPairAlias(),
                                        inGridSecurityProperties.getJwtKeyPairPassword().toCharArray() );
        converter.setKeyPair( keyPair );
        return converter;
    }
}

You can find more information in the Spring Security documentation: http://docs.spring.io/spring-security/site/docs/current/reference/
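The authorization server above only issues tokens. What actually replaces the JSESSIONID cookie with an Authorization header, which is what the question asks for, is the resource server side: it has to read the Bearer token from the header and must never create an HTTP session. The following is an added example, not code from the answerer's project or from Spring Security itself. It assumes it runs in the same application as the AuthorizationServerConfig above so that the jwtAccessTokenConverter bean is available (a separately deployed resource server would instead build a converter holding only the public key), and the /api/** paths are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: the JwtAccessTokenConverter bean from the authorization server
    // configuration is present in the same context and holds the signing key pair.
    private final JwtAccessTokenConverter jwtAccessTokenConverter;

    public ResourceServerConfig(JwtAccessTokenConverter jwtAccessTokenConverter) {
        this.jwtAccessTokenConverter = jwtAccessTokenConverter;
    }

    @Bean
    public TokenStore resourceTokenStore() {
        // Stateless: the signature is verified and the claims decoded on every request,
        // no token lookup and no server-side state.
        return new JwtTokenStore(jwtAccessTokenConverter);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .tokenStore(resourceTokenStore())
            .tokenExtractor(new HeaderOnlyBearerTokenExtractor())
            .stateless(true); // reject any attempt to fall back to a session
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS means no HttpSession is ever created, hence no JSESSIONID cookie.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // CSRF defends cookie-authenticated requests. A browser cannot attach an
            // Authorization header on its own, so with header-only tokens it is not needed.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/public/**").permitAll()   // hypothetical paths
                .antMatchers("/api/**").authenticated();
    }

    /**
     * The stock BearerTokenExtractor also accepts the token as an "access_token" request
     * parameter, which puts bearer tokens into URLs, access logs and Referer headers.
     * This subclass only honours the "Authorization: Bearer ..." header.
     */
    static class HeaderOnlyBearerTokenExtractor extends BearerTokenExtractor {
        @Override
        public Authentication extract(HttpServletRequest request) {
            String token = extractHeaderToken(request);
            if (token == null) {
                return null; // no header, no authentication attempt
            }
            return new PreAuthenticatedAuthenticationToken(token, "");
        }
    }
}
```

With this in place a client obtains a token from /oauth/token and sends `Authorization: Bearer <token>` on every request; no filter of your own and no manual SecurityContextHolder.getContext().setAuthentication(...) is required, because the OAuth2AuthenticationProcessingFilter registered by @EnableResourceServer does that from the extracted token.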


1 Comment

Thanks for the great response Evgeniy. I admit I need to brush up on my knowledge of the AuthorizationServerConfigurerAdapter, which I'm doing now. But my main concern was convenience; as I mentioned, I was able to get it working with filters, which also made me very unhappy, along with the occasional SecurityContextHolder.getContext().setAuthentication(auth), as it felt a bit hacky. I am very eager to learn more about the Authorisation server. Is this the only class you needed to add to get the token-based authentication working, or is there anything else I should look into? Thanks
