Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify configuring authorization server using HttpSecurity.with() #1725

Merged
merged 1 commit into from
Oct 3, 2024
Merged

Simplify configuring authorization server using HttpSecurity.with() #1725

merged 1 commit into from
Oct 3, 2024

Conversation

jgrandja
Copy link
Collaborator

@jgrandja jgrandja commented Sep 19, 2024
edited
Loading

This PR attempts to simplify the default configuration for an authorization server using HttpSecurity.with().

We would greatly appreciate if our community users can provide their upvote if you are in favour of:

Issue gh-1707

@jgrandja jgrandja self-assigned this Sep 19, 2024
@jgrandja jgrandja added the type: enhancement A general enhancement label Sep 19, 2024
@jgrandja jgrandja mentioned this pull request Sep 19, 2024
Closed
rwinch
rwinch requested changes Sep 20, 2024
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look great to me! Thank you 😄

I think the only thing additional item I'd be looking for is to update the documentation.

  • How to use the updated configuration including:
    • A minimal configuration on a single SecurityFilterChain
    • A minimal Multiple FilterChains example
  • Is it still recommended to use a multiple SecurityFilterChain's? If so, why (so users can know the tradeoffs of having a single or multiple)? The demonstration of the minimal configuration that is preferred (single/multiple) should be the first config users see in Getting Started.

@jgrandja
Copy link
Collaborator Author

The following sample configuration is the new proposed way of configuring a dedicated authorization server SecurityFilterChain:

@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
		throws Exception {

	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.oidc(Customizer.withDefaults())	// Enable OpenID Connect 1.0
		)
		.authorizeHttpRequests((authorize) ->
			authorize.anyRequest().authenticated()
		)
		// Redirect to the login page when not authenticated from the
		// authorization endpoint
		.exceptionHandling((exceptions) -> exceptions
			.defaultAuthenticationEntryPointFor(
				new LoginUrlAuthenticationEntryPoint("/login"),
				new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
			)
		);

	return http.build();
}

@jgrandja
Copy link
Collaborator Author

jgrandja commented Sep 23, 2024
edited
Loading

The following sample configuration is the current way of configuring a dedicated authorization server SecurityFilterChain (as documented in the Getting Started):

@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
		throws Exception {

	OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
	http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
		.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0

	http
		// Redirect to the login page when not authenticated from the
		// authorization endpoint
		.exceptionHandling((exceptions) -> exceptions
			.defaultAuthenticationEntryPointFor(
				new LoginUrlAuthenticationEntryPoint("/login"),
				new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
			)
		)
		// Accept access tokens for User Info and/or Client Registration
		.oauth2ResourceServer((resourceServer) -> resourceServer
			.jwt(Customizer.withDefaults()));

	return http.build();
}

@rwinch
Copy link
Member

rwinch commented Sep 23, 2024

@jgrandja I'm confused why you added these comments. In particular, I'd like to make sure that this was not intended to address my feedback since the feedback was requesting the documentation get updated & comments on the this pull request do not resolve that.

@jgrandja
Copy link
Collaborator Author

@rwinch The reason for updating the comment in the main issue and providing a side-by-side comparison of the new vs. existing sample configuration is to ensure we are truly simplifying the configuration based on feedback from our community users.

The content updates here was triggered from this comment. And then it made me realize that we should validate this proposed enhancement from the community first before we merge this.

Regardless on whether we merge this PR or not, the one thing that is missing in the reference doc is:

Is it still recommended to use a multiple SecurityFilterChain's? If so, why (so users can know the tradeoffs of having a single or multiple)? The demonstration of the minimal configuration that is preferred (single/multiple) should be the first config users see in Getting Started.

I will be adding this content in the reference doc this week.

@jgrandja jgrandja added this to the 1.4.0-RC1 milestone Oct 3, 2024
@jgrandja jgrandja marked this pull request as ready for review October 3, 2024 19:26
@jgrandja jgrandja merged commit 2c79754 into spring-projects:main Oct 3, 2024
2 checks passed
@jgrandja jgrandja deleted the auth-server-config branch October 3, 2024 19:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch requested changes

Assignees

@jgrandja jgrandja

Labels
type: enhancement A general enhancement
Projects
Spring Security Team
Status: Done
Milestone
1.4.0-RC1
Development

Successfully merging this pull request may close these issues.
2 participants
@jgrandja @rwinch