0

I'm trying to setup a pure resource server using spring oAuth2 which will validate access token from a authorization server.

I'm not able to protect my resources. I'm directly able to hit the api. example:

  • GET localhost:8080/accounts?access_token=63884b81-a3d3-4eab-a92c-7eb1e2022dfd (incorrect access token)
    • GET localhost:8080/accounts

Above both link are able to access my resource but these link should return unauthorized error.

resource server config.

<bean id="authenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>

<bean id="oauthAccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />

<oauth2:expression-handler id="oauthExpressionHandler" />

<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

<security:global-method-security
    pre-post-annotations="enabled" proxy-target-class="true">
    <security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>

<oauth2:resource-server id="myResource"
    resource-id="myResourceId" token-services-ref="tokenServices" />

<security:http pattern="/**" create-session="never"
    entry-point-ref="authenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/**"
        access="IS_AUTHENTICATED_FULLY" method="GET" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="HEAD" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="OPTIONS" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="PUT" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="POST" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="DELETE" />
    <security:custom-filter ref="myResource"
        before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>

Aanand Kumar
  • 76
  • 6

1 Answers1

0

You have to configure your RemoteTokenServices bean to check the token in the authorization server: 

 @Bean
       public RemoteTokenServices LocalTokenService() {
            final RemoteTokenServices tokenService = new RemoteTokenServices();
            tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token");
            tokenService.setClientId("my-client-with-secret");
            tokenService.setClientSecret("secret");
            return tokenService;
        }

or from xml:

 <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
          p:checkTokenEndpointUrl="${oaas.endpoint.check_token}"
          p:clientId="${oaas.client_id}"
          p:clientSecret="${oaas.client_secret}" />

Note that the authorization server check endpoint should also be configured to allow token check from anonymous requests.

zakaria amine
  • 3,412
  • 2
  • 20
  • 35