How to get Spring Boot and OAuth2 example to use password grant credentials other than the default

Question

I'm following the basic Spring Boot OAuth2 example from Dave Syer: https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java

@Configuration
@ComponentScan
@EnableAutoConfiguration
@RestController
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @RequestMapping("/")
    public String home() {
        return "Hello World";
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                // Just for laughs, apply OAuth protection to only 2 resources
                .requestMatchers().antMatchers("/","/admin/beans").and()
                .authorizeRequests()
                .anyRequest().access("#oauth2.hasScope('read')");
            // @formatter:on
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.resourceId("sparklr");
        }

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("sparklr")
                    .accessTokenValiditySeconds(60)
            .and()
                .withClient("my-client-with-registered-redirect")
                    .authorizedGrantTypes("authorization_code")
                    .authorities("ROLE_CLIENT")
                    .scopes("read", "trust")
                    .resourceIds("sparklr")
                    .redirectUris("http://anywhere?key=value")
            .and()
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials", "password")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .resourceIds("sparklr")
                    .secret("secret");
        // @formatter:on
        }

    }
}

The example works very well for both types of grants, but the password grant uses the Spring Boot default security user (the one that echo's out "Using default security password: 927ca0a0-634a-4671-bd1c-1323a866618a" during startup).

My question is how do you override the default user account and actually rely on a WebSecurityConfig? I've added a section like this:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder)
            throws Exception {
        authManagerBuilder.inMemoryAuthentication().withUser("user")
                .password("password").roles("USER");
    }
}

But it does not seem to override the default Spring user/password even though the documentation suggests that it should.

What am I missing to get this working?

No it shouldn't unless you add @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to it. You can set the default username/password in the application.properties file by setting the properties security.user.name and security.user.password. For more properties see the reference guide. — M. Deinum
There's a better sample (more up to date) here: github.com/spring-projects/spring-security-oauth/blob/master/…. That authenticationManager method is a new override in 2.0.4 snapshots (look at the implementation if you want to use it with 2.0.3). — Dave Syer
@DaveSyer the sample didn't run for me, "Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration'" — Scott White
Works for me and all tests are green (and your error fragment is too small to diagnose a problem). How are you building and running this application? — Dave Syer

Shawn Sherwood Shawn Sherwood · Accepted Answer · 2014-11-02T16:29:46

As I'm still on 2.0.3, I tried a few more things and this appears to be working:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder
            .inMemoryAuthentication()
                .withUser("user1").password("password1").roles("USER").and()
                .withUser("admin1").password("password1").roles("ADMIN");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }
}

By explicitly defining the authenticationManager bean, the built-in user authentication went away and it started relying on my own inMemoryAuthentication. When 2.0.4 is released, I'll re-evaluate the solution that Dave posted above as it looks like it will be more elegant.

How to get Spring Boot and OAuth2 example to use password grant credentials other than the default

2 Answers