Configuring Spring OAuth2 expression handler methods for authorization server endpoints using java config

Question

In our app we would like to lock down the check_token endpoint so that only clients authenticated using client credentials can check the validity of tokens.

The documentation states that an expression handler is enabled by default when @EnableResourceServer is used, and has some instructions on how to set expression handling up using xml. What do I need to do do have spring the evaluate the expression below using java config?

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    ...

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("#oauth2.isClient()");
    }

    ...
}

score 2 · Answer 1 · answered Jun 23 '16 at 02:07

The following isn't pretty, but it appears to work.

@EnableGlobalAuthentication
@Configuration
//@EnableAuthorizationServer
@Import({OAuth2AuthorizationServerConfiguration.SecurityConfiguration.class, AuthorizationServerEndpointsConfiguration.class})
public class OAuth2AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {


    @Configuration
    public static class SecurityConfiguration extends AuthorizationServerSecurityConfiguration {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().expressionHandler(new OAuth2WebSecurityExpressionHandler());
            super.configure(http);
        }
    }

AuthorizationServerSecurityConfiguration provides access to the HttpSecurity object, which is where the expression handler needs to be inserted.

steps:

subclass AuthorizationServerSecurityConfiguration and set the expression handler
drop the @EnableAuthorizationServer annotation (because it also imports AuthorizationServerSecurityConfiguration)
import the new subclass of AuthorizationServerSecurityConfiguration
import AuthorizationServerEndpointsConfiguration (it was initially imported by @EnableAuthorizationServer

Configuring Spring OAuth2 expression handler methods for authorization server endpoints using java config

1 Answers1