I have created an authorization server with Spring Boot and I want to use the roles of resource owners from it in a resource server. I have a class SecurityConfig extending WebSecurityConfigurerAdapter, where I check the credentials of resource owners from MongoDB for authentication. For that I have a class MongoAuthProvider, which implements AuthenticationProvider, from which I return an instance of UsernamePasswordAuthenticationToken with username, password and roles, e.g. "ROLE_ADMIN", "ROLE_APPUSER".

    @SpringBootApplication
    @RestController
    @EnableResourceServer
    public class AuthserverApplication extends WebMvcConfigurerAdapter {

        public static void main(String[] args) {
            SpringApplication.run(AuthserverApplication.class, args);
        }

        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends
                AuthorizationServerConfigurerAdapter {

            @Autowired
            private AuthenticationManager authenticationManager;

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                    throws Exception {
                endpoints.authenticationManager(authenticationManager);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients)
                    throws Exception {
                clients.inMemory()
                        .withClient("acme")
                        .secret("acmesecret")
                        .authorizedGrantTypes("authorization_code", "implicit",
                                "refresh_token", "password").scopes("openid");
            }
        }

        @Configuration
        protected static class SecurityConfig extends WebSecurityConfigurerAdapter {

            @Autowired
            private MongoAuthProvider mongoAuthProvider;

            @Autowired
            public void configureGlobal(AuthenticationManagerBuilder auth)
                    throws Exception {
                auth.authenticationProvider(mongoAuthProvider);
            }

            @Bean
            public MongoAuthProvider getMongoAuthProvider() {
                return new MongoAuthProvider();
            }
        }

        @RequestMapping("/user")
        public Principal user(OAuth2Authentication user) {
            return user;
        }
    }

    class MongoAuthProvider implements AuthenticationProvider {

        @Autowired
        UserRepo userrepo;

        @Override
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            String userName = authentication.getName().trim();
            String password = authentication.getCredentials().toString().trim();
            User user = userrepo.findByUserNameAndPassword(userName, password);
            if (user != null) {
                return new UsernamePasswordAuthenticationToken(userName, password,
                        AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_APPUSER"));
            } else {
                return null;
            }
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
    }

In the auth server I also have a user info REST endpoint:

    @RequestMapping("/user")
    public Principal user(OAuth2Authentication user) {
        return user;
    }

I want to use the roles of the resource owner from the authorization server database in a resource server. For that I have a class ResourceServer extending ResourceServerConfigurerAdapter, inside which I am trying to check user roles from the auth server. The resource server is working fine. The problem is that it is not able to check roles from the auth server.

    @SpringBootApplication
    @EnableResourceServer
    @EnableOAuth2Sso
    public class AuthserverClientApplication extends WebMvcConfigurerAdapter {

        public static void main(String[] args) {
            SpringApplication.run(AuthserverClientApplication.class, args);
        }

        @Configuration
        protected static class ResourceServer extends ResourceServerConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                    .antMatchers("**")
                    //.hasAuthority("ROLE_ADMIN")
                    .hasRole("ADMIN")
                    .anyRequest().authenticated();
            }
        }
    }

Please help: how can I use roles from the authorization server in the resource server for role-based access?
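
The role check the question describes, as an added example that is not part of the original post and is not Spring's implementation: it reads authority names from a parsed `/user` response and applies the `ROLE_` prefix rule that `hasRole("ADMIN")` uses. The response shape (an `authorities` list of `{"authority": ...}` objects), the sample users, and the names `UserInfoRoles`, `extractAuthorities` and `hasRole` are assumptions for illustration.

```java
import java.util.*;

// Added example: plain Java, no Spring dependency. Class and method names are hypothetical.
public class UserInfoRoles {

    // Collect authority names from the "authorities" entry of a user-info map.
    // Accepts a list of {"authority": "..."} objects, a list of strings,
    // or one comma-separated string; anything else yields no authorities.
    static Set<String> extractAuthorities(Map<String, Object> userInfo) {
        Set<String> result = new LinkedHashSet<>();
        Object raw = userInfo.get("authorities");
        if (raw instanceof String) {
            raw = Arrays.asList(((String) raw).split(","));
        }
        if (!(raw instanceof Collection)) {
            return result; // missing or unexpected shape: fail closed, no roles granted
        }
        for (Object item : (Collection<?>) raw) {
            Object name = item instanceof Map ? ((Map<?, ?>) item).get("authority") : item;
            if (name instanceof String && !((String) name).trim().isEmpty()) {
                result.add(((String) name).trim());
            }
        }
        return result;
    }

    // Same rule as hasRole("ADMIN") in the question: the name is matched with the "ROLE_" prefix.
    static boolean hasRole(Set<String> authorities, String role) {
        return authorities.contains("ROLE_" + role);
    }

    public static void main(String[] args) {
        // Constructed sample of a /user response body, already parsed into maps.
        Map<String, Object> admin = new HashMap<>();
        admin.put("name", "alice");
        admin.put("authorities", Arrays.asList(
                Collections.singletonMap("authority", "ROLE_ADMIN"),
                Collections.singletonMap("authority", "ROLE_APPUSER")));

        Map<String, Object> noRoles = new HashMap<>();
        noRoles.put("name", "bob"); // constructed response without an "authorities" entry

        System.out.println(hasRole(extractAuthorities(admin), "ADMIN"));
        System.out.println(hasRole(extractAuthorities(noRoles), "ADMIN"));
    }
}
```

A response that carries no usable `authorities` entry produces an empty set, so the role check denies access instead of falling back to a default role.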