task #6118

Updated by Andreas Kohlbecker over 7 years ago

 [Spring-Cloud-Security](http://cloud.spring.io/spring-cloud-security/) & spring-security-oauth bring OAuth2 for spring applications. 

 * spring-cloud-security provides the client side authentication feature: 
   * http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html 
   * https://github.com/spring-cloud/spring-cloud-security 
 * The oauth2-authorization-server feature is provided by spring-boot: http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server: 
   * For full details, see the [Spring Security OAuth 2 Developers Guide](http://projects.spring.io/spring-security-oauth/docs/oauth2.html) 
 * OAuth2 in general is provided by [spring-security-oauth](http://projects.spring.io/spring-security-oauth/docs/oauth2.html) 

 ## OAuth2 

 * [**rfc6749**](https://tools.ietf.org/html/rfc6749) 
 * https://entwickler.de/online/agile/so-funktioniert-oauth2-134316.html 

 ### Example implementations 

 * http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/ 

 ## spring-security-oauth 

 The following endpoints are required in the Spring Security filter chain in order to implement OAuth 2.0 Authorization Server: 

 * `AuthorizationEndpoint` is used to service requests for authorization. Default URL: `/oauth/authorize`. This endpoint should be protected using Spring Security so that it is only accessible to authenticated users. For instance using a standard Spring Security WebSecurityConfigurer: 

 ~~~~ 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 
 
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
 
     @Override 
     protected void configure(HttpSecurity http) throws Exception { 
         http 
             // the login page itself must stay reachable without authentication 
             .authorizeRequests().antMatchers("/login").permitAll().and() 
             // default protection for all resources (including /oauth/authorize) 
             .authorizeRequests() 
                 .anyRequest().hasRole("USER"); 
         // ... more configuration, e.g. for form login 
     } 
 } 
 ~~~~ 
    **Note:** if your Authorization Server is also a Resource Server then there is another [security filter chain](http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#security-filter-chain) with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above. (see [configuring-the-endpoint-urls](http://projects.spring.io/spring-security-oauth/docs/oauth2.html#configuring-the-endpoint-urls)) 

 * `TokenEndpoint` is used to service requests for access tokens. Default URL: `/oauth/token`. 

 The following filter is required to implement an OAuth 2.0 Resource Server: 

 * The `OAuth2AuthenticationProcessingFilter` is used to load the Authentication for the request given an authenticated access token. 

 ### Anonymous Authentication 

 It is useful in cases where you don't want to skip authentication for pages which should behave differently for authenticated and not authenticated users (see [spring-security 4.1.3.RELEASE #anonymous](http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#anonymous)). 

 It is configured automatically when using the WebSecurityConfigurerAdapter. By default anonymous users will be represented with a token containing the role "ROLE_ANONYMOUS". 

 ### Multiple HttpSecurity 

 Potentially we need separate http security configurations for the HTTP-Invoker and the rest of the services. Therefore I put this link here as a reference: 

 http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#multiple-httpsecurity 
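The note about an Authorization Server that is also a Resource Server, and the multiple-HttpSecurity link, both come down to the same configuration: the user-facing chain must be narrowed with a request matcher so the lower-priority resource-server chain still sees the API calls. The following is an added illustration, not code from this ticket or from the Spring projects; the `/api/**` prefix is an assumption, and it relies on Spring Boot 1.x auto-configuration to register the OAuth2 client (`security.oauth2.client.*` properties).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * User-facing chain (default order 100). requestMatchers() limits it to the
 * login page and /oauth/authorize; without that limit, anyRequest() would
 * also claim /api/** and API clients would get a login redirect instead of
 * access-token checks.
 */
@Configuration
@EnableAuthorizationServer
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // only these paths are handled by this chain
            .requestMatchers().antMatchers("/login", "/oauth/authorize").and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                // /oauth/authorize requires an authenticated user
                .anyRequest().hasRole("USER")
                .and()
            .formLogin().loginPage("/login").permitAll();
    }
}

/**
 * Resource-server chain protecting the API with bearer tokens. It runs at
 * lower priority, so it only receives requests the chain above did not match.
 * "/api/**" is an assumed prefix, not one taken from the ticket.
 */
@Configuration
@EnableResourceServer
class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

`/oauth/token` needs no entry here: `@EnableAuthorizationServer` installs its own filter chain for the token endpoint, secured with client credentials.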