I am trying to build a complete sample code for Gateway, UI, Resource. Everything worked perfectly except when I tried to do a POST.
I noticed first that I have double CSRF, one from the gateway and one from the UI. So my decision, which I am not sure is the correct one, was to disable CSRF on the UI and keep it on the gateway (Zuul Proxy), but I was not able to do that.
I could not tell which adapter I should extend, WebSecurityConfigurerAdapter or ResourceServerConfigurerAdapter. As soon as I declare WebSecurityConfigurerAdapter, the whole OAuth2Sso stops working and I get access denied, and ResourceServerConfigurerAdapter does not seem to do anything.
At first I would like to disable CSRF on @EnableZuulProxy and @EnableOAuth2Sso.
Based on this answer, I found out that @EnableOAuth2Sso should be on the same WebSecurityConfigurerAdapter if one exists, or we will end up having 2 adapters. Doing so fixed everything:
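
    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableOAuth2Sso // placed on the adapter itself so only one security adapter exists
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // CSRF is switched off here; the two commented lines are the
                // alternative that keeps it on with a cookie-based token.
                .csrf()
                    .disable()
                    //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    //.and()
                .authorizeRequests()
                    .anyRequest().authenticated(); // every request needs a login
        }
    }
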
On Spring Boot 1.5.8 I also had to set security.oauth2.resource.filter-order=3. See https://github.com/spring-projects/spring-security-oauth/issues/1016
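
If the gateway keeps CSRF enabled through the commented-out CookieCsrfTokenRepository.withHttpOnlyFalse() line instead of disabling it, the browser client has to echo the token back on every POST. The following is an added example (not part of the original post) of that client side; it assumes a JavaScript UI served through the gateway and Spring Security's default XSRF-TOKEN cookie and X-XSRF-TOKEN header names, and the URL in the usage comment is a placeholder.

```javascript
// Added example: client-side half of CookieCsrfTokenRepository.withHttpOnlyFalse().
// Cookie and header names are Spring Security's defaults for that repository.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";
// Methods Spring Security's default CSRF matcher lets through without a token.
const SAFE_METHODS = new Set(["GET", "HEAD", "TRACE", "OPTIONS"]);

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Return the headers a request must carry to pass the gateway's CSRF filter.
// Throws for a state-changing request when no token cookie has been issued yet,
// which is the case that otherwise shows up as a rejected POST.
function csrfHeaders(method, cookieString, headers = {}) {
  const out = { ...headers };
  if (SAFE_METHODS.has(method.toUpperCase())) return out;
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) {
    throw new Error("no " + CSRF_COOKIE + " cookie: load a page through the gateway first");
  }
  out[CSRF_HEADER] = token;
  return out;
}

// In a browser (placeholder URL):
// fetch("/resource/items", { method: "POST", credentials: "same-origin",
//   headers: csrfHeaders("POST", document.cookie, { "Content-Type": "application/json" }),
//   body: JSON.stringify({ name: "demo" }) });
```

With this in place only the gateway validates the token, so the UI service behind it can leave CSRF disabled without the double-CSRF conflict described in the question.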