To use the access token you need a Resource Server (which can be the same as the
Authorization Server). Creating a Resource Server is easy, just add
@EnableResourceServer and provide some configuration to allow the server to decode
access tokens. If your application is also an Authorization Server it already knows how
to decode tokens, so there is nothing else to do. If your app is a standalone service then
you need to give it some more configuration, one of the following options:
-
security.oauth2.resource.user-info-urito use the/meresource (e.g.https://uaa.run.pivotal.io/userinfoon Pivotal Web Services (PWS)) -
security.oauth2.resource.token-info-urito use the token decoding endpoint (e.g.https://uaa.run.pivotal.io/check_tokenon PWS).
If you specify both the user-info-uri and the token-info-uri then you can set a flag
to say that one is preferred over the other (prefer-token-info=true is the default).
Alternatively (instead of user-info-uri or token-info-uri) if the tokens are JWTs you
can configure a security.oauth2.resource.jwt.key-value to decode them locally (where the
key is a verification key). The verification key value is either a symmetric secret or
PEM-encoded RSA public key. If you don’t have the key and it’s public you can provide a
URI where it can be downloaded (as a JSON object with a “value” field) with
security.oauth2.resource.jwt.key-uri. E.g. on PWS:
$ curl https://uaa.run.pivotal.io/token_key
{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
Additionally, if your authorization server has an endpoint that returns a set of JSON Web
Keys(JWKs), you can configure security.oauth2.resource.jwk.key-set-uri. E.g. on PWS:
$ curl https://uaa.run.pivotal.io/token_keys
{"keys":[{"kid":"key-1","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"]}
![[Note]](images/note.png) | Note |
|---|---|
|
Configuring both JWT and JWK properties will cause an error. Only one of
|
![[Warning]](images/warning.png) | Warning |
|---|---|
|
If you use the |
OAuth2 resources are protected by a filter chain with order
security.oauth2.resource.filter-order.
By default the filters in AuthorizationServerConfigurerAdapter come first, followed by those in ResourceServerConfigurerAdapter, followed by those in WebSecurityConfigurerAdapter.
This means that all application endpoints will require bearer token authentication unless one of two things happens:
- The filter chain order is changed or
-
The
ResourceServerConfigurerAdapterset of authorized requests is narrowed
The first, changing the filter chain order, can be done by moving WebSecurityConfigurerAdapter in front of ResourceServerConfigurerAdapter like so:
@Order(2) @EnableWebSecurity public WebSecurityConfig extends WebSecurityConfigurerAdapter { // ... }
| Note |
|---|---|
|
Resource Server’s default |
While this may work, it’s a little odd since we may simply trade one problem:
ResourceServerConfigurerAdapteris handling requests it shouldn’t
For another:
WebSecurityConfigurerAdapteris handling requests it shouldn’t
The more robust solution, then, is to indicate to ResourceServerConfigurerAdapter which endpoints should be secured by bearer token authentication.
For example, the following configures Resource Server to secure the web application endpoints that begin with /rest:
@EnableResourceServer public ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override protected void configure(HttpSecurity http) { http .requestMatchers() .antMatchers("/rest/**") .authorizeRequests() .anyRequest().authenticated(); } }