1

I have implemented an authorization server using spring-boot-starter-oauth2-authorization-server. Everything seems to work perfectly. However, I need to expose some endpoints for creating users, getting user permissions etc., so I need to configure the auth server to also act as a resource server.

I need "POST /users" to be public with no authorization, and "GET /users/{userId}/permissions" to require a valid JWT token to be present in the header.

I have tried creating a SecurityFilterChain bean like this, which allows access to the /users endpoint, but it breaks the authorization server:

@Bean
  public SecurityFilterChain configureSecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
        .requestMatchers(HttpMethod.POST, "/users").permitAll()
        .anyRequest().authenticated());
    http.csrf(AbstractHttpConfigurer::disable);
    return http.build();
  }

I'm sure it's possible to create authorization customizations for specific endpoints, but how?

bsgrd
  • 633
  • 1
  • 9
  • 26

1 Answers1

1

Once you've gone beyond the Getting Started experience, the same docs page covers how to define the same components that Spring Boot provides so you can begin customizing the configuration. Because of Spring Boot each component is optional. In particular, notice that it defines two SecurityFilterChain @Beans with the @Order annotation, and also note that the first one includes:

OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

Without that line (or copying the code contained within into your own code), the authorization server's protocol endpoints won't be set up, which is why you observed

but it breaks the authorization server

Steve Riesenberg
  • 4,271
  • 1
  • 4
  • 26
  • Thanks. The issue was that I didn't have the default securityFilterChain defined. Didn't know that it would be overridden. – bsgrd Jul 06 '23 at 18:39