
task #6118

Updated by Andreas Kohlbecker over 7 years ago

Spring-Cloud-Security (http://cloud.spring.io/spring-cloud-security/) brings OAuth2 to Spring applications. 

 * spring-cloud-security provides the client-side authentication feature: 
   * http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html 
   * https://github.com/spring-cloud/spring-cloud-security 
 * The oauth2-authorization-server feature is provided by spring-boot: http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server: 
   * For full details, see the [Spring Security OAuth 2 Developers Guide](http://projects.spring.io/spring-security-oauth/docs/oauth2.html) 
 * OAuth2 in general is provided by [spring-security-oauth](http://projects.spring.io/spring-security-oauth/docs/oauth2.html) 

## spring-security-oauth 

The following endpoints are required in the Spring Security filter chain in order to implement an OAuth 2.0 Authorization Server: 

 *     `AuthorizationEndpoint` is used to service requests for authorization. Default URL: `/oauth/authorize`. This endpoint should be protected using Spring Security so that it is only accessible to authenticated users, for instance using a standard Spring Security WebSecurityConfigurer: 

~~~~
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // the login page itself must stay reachable for anonymous users
            .authorizeRequests().antMatchers("/login").permitAll().and()
            // default protection for all resources (including /oauth/authorize)
            .authorizeRequests()
                .anyRequest().hasRole("USER")
            // form login for the user-facing pages (Spring Security generates /login)
            .and().formLogin();
    }
}
~~~~
    **Note:** if your Authorization Server is also a Resource Server then there is another [security filter chain](http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#security-filter-chain) with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above. (see [configuring-the-endpoint-urls](http://projects.spring.io/spring-security-oauth/docs/oauth2.html#configuring-the-endpoint-urls)) 

 *     `TokenEndpoint` is used to service requests for access tokens. Default URL: `/oauth/token`. 

 The following filter is required to implement an OAuth 2.0 Resource Server: 

 *      The `OAuth2AuthenticationProcessingFilter` is used to load the Authentication for the request given an authenticated access token. 
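The three pieces above (protected `/oauth/authorize`, the `/oauth/token` endpoint, and an `OAuth2AuthenticationProcessingFilter` guarding the API in a separate chain) fit together as follows. This is an added example written for this note, not code from the Spring projects linked above; it targets the Spring Boot 1.x / spring-security-oauth2 2.0.x APIs those links describe (that project has since reached end of life). The client id, secret, redirect URI, `/api/**` path, resource id `api`, and the in-memory user are all assumptions chosen for the demo.

```java
package example.oauth; // hypothetical package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class OAuth2ServerConfig {

    /** Written to by the authorization server, read by the resource server in the same app. */
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore(); // demo only; use a JDBC or JWT token store in production
    }

    /** Registers /oauth/authorize and /oauth/token; /oauth/token gets its own chain (client HTTP basic). */
    @Configuration
    @EnableAuthorizationServer
    public static class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("webapp-client")                  // hypothetical confidential client
                .secret("webapp-secret")                      // presented at /oauth/token
                .authorizedGrantTypes("authorization_code", "refresh_token") // no implicit/password
                .scopes("read", "write")
                .resourceIds("api")                           // must match the resource server below
                .redirectUris("http://localhost:8081/login")  // redirect_uri is checked against this
                .autoApprove(false)                           // always show /oauth/confirm_access
                .accessTokenValiditySeconds(600);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
            endpoints.tokenStore(tokenStore);
        }
    }

    /** User-facing chain: only the browser paths, so it never claims /api/**. */
    @Configuration
    @EnableWebSecurity
    public static class UserFacingWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                    .and()
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().hasRole("USER")          // covers /oauth/authorize
                    .and()
                .formLogin();                               // Spring Security generates /login
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // constructed demo user; replace with a real UserDetailsService
            auth.inMemoryAuthentication()
                .withUser("alice").password("alice-password").roles("USER");
        }
    }

    /** API chain: OAuth2AuthenticationProcessingFilter validates the bearer token for /api/**. */
    @Configuration
    @EnableResourceServer
    public static class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId("api").tokenStore(tokenStore); // tokens without aud "api" are rejected
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/api/**").and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                    .anyRequest().access("#oauth2.hasScope('write')");
        }
    }
}
```

Because both the user-facing chain and the resource-server chain carry an explicit `requestMatchers()`, neither can accidentally claim the other's paths whatever order Spring Boot assigns them; the token endpoint is protected by the chain that `@EnableAuthorizationServer` registers, where the client authenticates with HTTP basic. The resulting flow: the browser hits `/oauth/authorize?response_type=code&client_id=webapp-client&redirect_uri=http://localhost:8081/login&scope=read`, is sent to `/login` by the form-login chain, approves the scopes on `/oauth/confirm_access`, and is redirected back with a code; the client posts that code to `/oauth/token` with its id and secret; the token it receives is accepted on `/api/**` only while it carries the `api` resource id and the scope the method requires. Check with a quick negative test that a GET on `/api/anything` without a bearer token returns 401 rather than the login page, which is the symptom of the API path having been swallowed by the user-facing chain.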
