Resource Server should identify unauthorized REST requests like HTTP Basic does #9100

Closed
@jzheaux

Description

@jzheaux

When a web application is configured for a browser-based authentication mechanism in addition to Resource Server, empty unauthenticated requests default to the browser-based mechanism.

For example, if an application does

```java
http
    .authorizeRequests((authz) -> authz
        .anyRequest().authenticated()
    )
    .oauth2Login(withDefaults())
    .oauth2ResourceServer(withDefaults());
```

And then a REST request is made like so:

```shell
curl localhost:8080
```

Then the response will be a 302 instead of a 401.

The reason is that OAuth2ResourceServerConfigurer registers its AuthenticationEntryPoint only with the condition that the request contains an Authorization header. Because the above request has no Authorization header, Resource Server's entry point isn't activated.

HttpBasicConfigurer registers its AuthenticationEntryPoint with a condition that the request not appear to be a browser-based request. Thus, it's activated when there's a bad Authorization header, but also when it appears to be a REST request.

OAuth2ResourceServerConfigurer should adopt the strategy employed by HttpBasicConfigurer so that requests like:

```shell
curl localhost:8080
```

result in a 401 instead of a 302.
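Until the configurer itself adopts the HttpBasic strategy, an application can get the 401 behaviour described above by registering an extra entry point mapping of its own. The configuration below is an added example, not code from the issue or from Spring Security; it assumes Spring Security 5.4 or later (for the `SecurityFilterChain` bean style) and a single client registration for `oauth2Login()`. It reuses the same idea HttpBasicConfigurer applies: a `MediaTypeRequestMatcher` for `text/html` with `*/*` ignored, negated, so that clients that never ask for HTML (curl sends `Accept: */*`) are routed to a bearer-token entry point that answers 401 with `WWW-Authenticate: Bearer`, while browsers still get the 302 to the login flow.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (not part of the issue or of Spring Security): a per-application
// workaround that sends unauthenticated, non-browser requests to a 401 entry point.
@Configuration
@EnableWebSecurity
public class ApiEntryPointConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Matches requests whose Accept header names text/html. A bare "*/*"
        // (what curl and many HTTP client libraries send) is treated as "no
        // preference" rather than as accepting HTML, so it does NOT match here.
        MediaTypeRequestMatcher htmlMatcher = new MediaTypeRequestMatcher(MediaType.TEXT_HTML);
        htmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        // Everything that is not an HTML request is treated as a REST call.
        RequestMatcher notHtml = new NegatedRequestMatcher(htmlMatcher);

        http
            .authorizeRequests((authz) -> authz
                .anyRequest().authenticated()
            )
            .oauth2Login(withDefaults())
            .oauth2ResourceServer(withDefaults())
            // Entry point mappings are consulted in registration order and the
            // first matching one wins. Mappings registered directly by the
            // application are recorded now, before oauth2Login() and
            // oauth2ResourceServer() add theirs while the chain is built, so a
            // non-HTML request with no Authorization header lands here instead
            // of on the login redirect.
            .exceptionHandling((ex) -> ex
                .defaultAuthenticationEntryPointFor(
                    new BearerTokenAuthenticationEntryPoint(), notHtml)
            );

        return http.build();
    }
}
```

To check the result, run `curl -i localhost:8080` against the application: the response should be a 401 carrying a `WWW-Authenticate: Bearer` header, and `curl -i -H 'Accept: text/html' localhost:8080` should still produce the 302 to the login page. The matcher is deliberately narrower than HttpBasicConfigurer's (which also looks at `X-Requested-With: XMLHttpRequest` and a list of typical REST media types); widen it the same way if your API clients send an explicit `Accept: text/html`.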

Metadata

Labels

- in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
- type: enhancement (A general enhancement)
