pom dependencies:
spring-boot-starter-security
spring-boot-starter-oauth2-client
application.properties:
# links the "qwerty" registration to the "qwerty" provider block below (the original line lacked the ".provider" suffix)
spring.security.oauth2.client.registration.qwerty.provider=qwerty
spring.security.oauth2.client.registration.qwerty.client-id=qwe
spring.security.oauth2.client.registration.qwerty.redirect-uri=http://qwe.com:9090/welcome/callback
spring.security.oauth2.client.registration.qwerty.scope=openid
spring.security.oauth2.client.registration.qwerty.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.qwerty.issuer-uri=https://qwerty.com
spring.security.oauth2.client.provider.qwerty.authorization-uri=https://qwerty.com/as/authorization.oauth2
spring.security.oauth2.client.provider.qwerty.token-uri=https://qwerty.com/as/token.oauth2
WebSecurityConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()                     // CSRF protection switched off (see the answer below)
            .authorizeHttpRequests()
                .anyRequest().authenticated()     // every request needs an authenticated session
            .and()
            .oauth2Login()                        // login via the "qwerty" registration (authorization code)
                .redirectionEndpoint()
                    .baseUri("/callback");        // where the authorization server redirects back with the code
        return http.build();
    }
}
This is the security configuration in my Spring Boot MVC application.
Suppose now the endpoint is: http://qwe:9090/welcome/name
If I open this endpoint in the browser it returns the name, but if I try to hit this endpoint in Postman it says 401 not authorized.
How do I hit the above endpoint in Postman if I have the above security configuration in my application?
The authorization server is using Kerberos for authentication.
1
Requests to a Spring OAuth2 client with oauth2Login are authorized with a session cookie, not with Bearer tokens.
Postman OAuth2 features are made to fetch a token from an authorization server and then query resource servers (most frequently, REST APIs behind a gateway).
Postman has a Chrome plug-in to pick the session cookie (login with Chrome and then attach Chrome's session cookie to Postman requests). This is adapted to sending requests to clients with oauth2Login (frequently a gateway with the TokenRelay filter).
You can find video tutorials to ease the usage of a browser session cookie with a Postman request, something easier (like the plugin mentioned above) than copying the cookie value from the browser debugging tools and pasting it in Postman.
P.S.
As it is authorized with sessions, OAuth2 clients with oauth2Login are vulnerable to CSRF attacks. Never disable protection against CSRF in a Security(Web)FilterChain with oauth2Login.
2
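As an added example (not code from the question or the answer above), here is how the questioner's filter chain looks with CSRF protection kept enabled, which is the point the answer makes: oauth2Login authorizes by session cookie, so a browser-readable XSRF-TOKEN cookie lets a tool such as Postman or curl first do a GET with the session cookie, then send state-changing requests with the cookie value copied into an X-XSRF-TOKEN header, while a cross-site page that cannot read the cookie is still blocked. It assumes Spring Security 6.x (lambda DSL) and keeps the "/callback" redirection endpoint from the question; everything else is standard Spring Security API.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Plain (non-XOR-masked) handler so the value in the XSRF-TOKEN cookie can be
        // sent back unchanged in the X-XSRF-TOKEN header by a non-browser client.
        CsrfTokenRequestAttributeHandler csrfHandler = new CsrfTokenRequestAttributeHandler();
        // Opt out of deferred token loading so the cookie is written on the first
        // authenticated GET, not only after a view has rendered the token.
        csrfHandler.setCsrfRequestAttributeName(null);

        http
            // CSRF stays ON: the token is stored in a cookie the browser (or Postman/curl)
            // can read; the Synchronizer Token check still rejects cross-site POSTs.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(csrfHandler))
            // Every request must carry an authenticated session (JSESSIONID cookie).
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Authorization-code login via the registration in application.properties;
            // the authorization server redirects back to /callback with the code.
            .oauth2Login(login -> login
                .redirectionEndpoint(redirect -> redirect.baseUri("/callback")));

        return http.build();
    }
}
```

With this chain a GET from Postman needs only the JSESSIONID cookie taken from the browser session; a POST, PUT or DELETE additionally needs the X-XSRF-TOKEN header set to the value of the XSRF-TOKEN cookie returned by that GET. Spring Security rejects the request with 403 when the header is missing or does not match, which is the protection the disabled csrf() in the question throws away.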