
I think I have some odd requirements here because no matter where I look, I can't find a specific example for what I was asked to do. I created a dummy project called contacts to test this. I am supposed to secure my API with OAuth2, but the authorization server is not on the same box.

It is my understanding that the client will need to call the authorization server to get a token, and then the request with the token will be sent to my API.

In my server the scope will determine if the user has access. I am not doing any authentication on my server.

I can't seem to get this to work though.

Controller

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Contact and ContactRepository are assumed to live in the same package.
@RestController
@RequestMapping(value = "/contacts")
// Every handler in this controller requires the 'ec.edm.mdm' scope on the
// presented access token; evaluated by OAuth2MethodSecurityExpressionHandler.
@PreAuthorize("#oauth2.hasScope('ec.edm.mdm')")
public class ContactsController {

    @Autowired
    ContactRepository customerRepo;

    @RequestMapping(method = RequestMethod.GET, produces = { "application/json" })
    public Page<Contact> findAllContacts(Pageable pageable) {
        return customerRepo.findAll(pageable);
    }
}

Application

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.Environment;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

// Marks this application as an OAuth2 resource server: it accepts bearer
// tokens on incoming requests but does not issue them itself.
@EnableResourceServer
@SpringBootApplication
public class App {

    private static final Logger LOG = LoggerFactory.getLogger(App.class);

    @Autowired
    private Environment environment;

    public static void main(String[] args) throws Exception {
        SpringApplication.run(App.class, args);
    }

    /**
     * Allows for @PreAuthorize annotation processing and makes the
     * #oauth2.* expressions (e.g. hasScope) available in those annotations.
     */
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            return new OAuth2MethodSecurityExpressionHandler();
        }
    }
}
pitchblack408
  • Have you followed the official tutorial on how to implement OAuth in spring-boot? https://spring.io/guides/tutorials/spring-boot-oauth2/ – Rentius2407 Dec 07 '18 at 10:34
  • I read the tutorial and its use case is different. The use case is SSO by Facebook or GitHub. Then they really quickly wrote about changing the app to an authorization server and resource server. My use case is different: I don't need SSO, I need to set up a stand-alone resource server that doesn't authenticate with user/password, but accepts requests based on role. – pitchblack408 Dec 07 '18 at 17:55
  • My apologies, have a look at this question https://stackoverflow.com/questions/34336004/spring-boot-oauth2-role-based-authorization – Rentius2407 Dec 10 '18 at 05:43

0 Answers
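The piece the question's code never wires up is how the resource server validates a token minted by the remote authorization server. Below is an added example (not part of the original post) of a `ResourceServerConfigurerAdapter` from the same spring-security-oauth2 library the question imports, using `RemoteTokenServices` to introspect each bearer token against the authorization server's check_token endpoint and enforcing the `ec.edm.mdm` scope on `/contacts`; the endpoint URL and client credentials are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Placeholders (assumptions): the remote authorization server's token
    // introspection endpoint and the credentials this resource server uses
    // to call it. In a real deployment read these from configuration, not source.
    private static final String CHECK_TOKEN_URL =
            "https://auth.example.invalid/oauth/check_token";
    private static final String RESOURCE_CLIENT_ID = "contacts-resource";
    private static final String RESOURCE_CLIENT_SECRET = "replace-me";

    // Every request carrying a bearer token triggers one call to the
    // authorization server, which returns the token's scopes (or rejects it).
    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
        services.setClientId(RESOURCE_CLIENT_ID);
        services.setClientSecret(RESOURCE_CLIENT_SECRET);
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Stateless: no HTTP session, the token alone identifies the caller.
        resources.tokenServices(tokenServices()).stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // No user/password login here; access is decided purely by the
        // scopes the authorization server reports for the presented token.
        http.authorizeRequests()
                .antMatchers("/contacts/**").access("#oauth2.hasScope('ec.edm.mdm')")
                .anyRequest().authenticated();
    }
}
```

With this in place the `@PreAuthorize` on the controller becomes a second, method-level check of the same scope. A token that the authorization server does not recognise, or one without `ec.edm.mdm`, is rejected before the controller runs.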