SyntaxFix

[java] Spring-Security-Oauth2: Full authentication is required to access this resource

I am trying to use spring-security-oauth2.0 with Java based configuration. My configuration is done, but when i deploy application on tomcat and hit the /oauth/token url for access token, Oauth generate the follwoing error: 

<oauth>
<error_description>Full authentication is required to access this resource</error_description>
<error>unauthorized</error>
</oauth>

My configuration is on Git hub, please click on link

The code is large, so refer to git. I am using chrome postman client for send request. follwing is my request. 

POST /dummy-project-web/oauth/token HTTP/1.1
Host: localhost:8081
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=abc%40gmail.com&client_secret=12345678

The error is just like, the URL is secure by Oauth, but in configuration, i give the all permission for access this URL. What actual this problem is?

This question is related to java oauth-2.0 unauthorized spring-security-oauth2

The answer is

setting management.security.enabled=false in application.properties resolved the issue for me.

With Spring OAuth 2.0.7-RELEASE the following command works for me

curl -v -u [email protected]:12345678 -d "grant_type=client_credentials" http://localhost:9999/uaa/oauth/token

It works with Chrome POSTMAN too, just make sure you client and secret in "Basic Auth" tab, set method to "POST" and add grant type in "form data" tab.

The reason is that by default the /oauth/token endpoint is protected through Basic Access Authentication.

All you need to do is add the Authorization header to your request.

You can easily test it with a tool like curl by issuing the following command:

curl.exe --user [email protected]:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials

You should pre authenticate the token apis "/oauth/token"

extend ResourceServerConfigurerAdapter and override configure function to do this.

eg:

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/oauth/token").permitAll().
anyRequest().authenticated();

This is incredible but real.

csrf filter is enabled by default and it actually blocks any POST, PUT or DELETE requests which do not include de csrf token.

Try using a GET instead of POST to confirm that this is it.

If this is so then allow any HTTP method:

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {

    /**
     * Allow POST, PUT or DELETE request
     *
     * NOTE: csrf filter is enabled by default and it actually blocks any POST, PUT or DELETE requests
     * which do not include de csrf token.
     */
    http.csrf().disable()

}

If you are obtaining a 401 the most intuitive thing is to think that in the request you have No Auth or you are missing something in the headers regarding authorization.

But apparently there is an internal function that is filtering the HTTP methods that use POST and returns a 401. After fixing it I thought it was a cache issue with the status code but apparently not.

GL

I had the same problem, but I solve this with the following class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}

The client_id and client_secret, by default, should go in the Authorization header, not the form-urlencoded body.

  1. Concatenate your client_id and client_secret, with a colon between them: [email protected]:12345678.
  2. Base 64 encode the result: YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
  3. Set the Authorization header: Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==

By default Spring OAuth requires basic HTTP authentication. If you want to switch it off with Java based configuration, you have to allow form authentication for clients like this:

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
  @Override
  public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.allowFormAuthenticationForClients();
  }
}

Source: Stackoverflow.com

Examples related to java

Under what circumstances can I call findViewById with an Options Menu / Action Bar item? How much should a function trust another function How to implement a simple scenario the OO way Two constructors How do I get some variable from another class in Java? this in equals method How to split a string in two and store it in a field How to do perspective fixing? String index out of range: 4 My eclipse won't open, i download the bundle pack it keeps saying error log

Examples related to oauth-2.0

Using Axios GET with Authorization Header in React-Native App What are the main differences between JWT and OAuth authentication? How do I get an OAuth 2.0 authentication token in C# Using Postman to access OAuth 2.0 Google APIs Correct way to set Bearer token with CURL Using an authorization header with Fetch in React Native Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference? JWT refresh token flow Spring-Security-Oauth2: Full authentication is required to access this resource

Examples related to unauthorized

Android ADB devices unauthorized Spring-Security-Oauth2: Full authentication is required to access this resource ADB Android Device Unauthorized

Examples related to spring-security-oauth2

Unsupported Media Type in postman Spring-Security-Oauth2: Full authentication is required to access this resource

Tags

Jotform Modelmetadata Context-switching Data-linking Css-hack Vbx Paragraphs Twitter4j Oledbparameter Sql-job Circular-list Fs Language-lawyer Android-monkey Get-childitem Apache-chainsaw Implicits Acts-as-commentable Boost-variant Proof Client-server Ultraedit Flash-builder Zodb Redeploy Pytest Screen-scraping Webkit.net Altivec Lpt Graffiticms Hilbert-curve Include Datapager Performance Microformats .net-1.1 Social Subquery Windev Clang-static-analyzer Code-snippets Datagridview Appfabric Make-shared Sigfpe Spanned Take Unlink Expression-blend-3 Nstimezone Filezilla Jooq Vertical-scroll Sparse-array Smartcard-reader Ad-hoc-distribution Clistbox Runner Buffer-overflow Access-keys Irc Django-piston Vmt Hsb Service-discovery Mongokit Plack Wxpython In-memory Strace Orgchart Htmlfill Plexus Authentication Iphone-sdk-4.0.1 Columnheader Certificate-store Line-segment Libc Gac Safari-extension Clipboard-pictures Dto Twitter Internal-class Containable Nsmenuitem Communication-diagram Nhibernate-criteria Rapidminer Dgml Directory.delete Joomla1.5 Jsyntaxpane Continuous-testing Contract-first Cracking Attr-accessible Bapi