What's the right way to separate the Resource Server and the Authorization Server?

心在旅途 2021-02-04 14:19

Using spring-security-oauth2 to secure my resources against an SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states:

2 answers
  • 2021-02-04 14:27

    For anyone who might be interested, there is also another example of separating the authentication server and the resource server here: https://github.com/sharmaritesh/spring-angularjs-oauth2-sample

  • 2021-02-04 14:34

    You can separate open resources and protected resources in the spring-security.xml.

    Pattern /api/** will be protected and other resources will be open.

        <!-- Protected resources: this block applies only to requests matching /api/** -->
        <http pattern="/api/**" create-session="never" use-expressions="true"
            entry-point-ref="oauthAuthenticationEntryPoint"
            access-decision-manager-ref="accessDecisionManager"
            xmlns="http://www.springframework.org/schema/security">
            <!-- No anonymous authentication on protected paths -->
            <anonymous enabled="false" />
            <intercept-url pattern="/api/**"
                access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
            <!-- OAuth2 resource server filter that authenticates the bearer token -->
            <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
            <access-denied-handler ref="oauthAccessDeniedHandler" />
        </http>
    
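
The `<http>` block in the answer above refers to four beans it does not show. As an added example (not part of the original answer or of the linked project), this is one way to define them on the resource-server side so that tokens are validated against a separate authorization server. The endpoint URL, client id, secret property name and resource id are placeholder assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security/oauth2
         http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <!-- Validates each bearer token by calling the authorization server's
         check_token endpoint, so no token store is kept on this side. -->
    <bean id="tokenServices"
          class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
        <!-- Placeholder URL (assumption); use HTTPS so tokens and client credentials are not exposed in transit -->
        <property name="checkTokenEndpointUrl"
                  value="https://sso.example.com/oauth/check_token" />
        <!-- Placeholder client registered at the authorization server (assumption) -->
        <property name="clientId" value="resource-server-client" />
        <!-- Assumes a property placeholder configurer defined elsewhere; keep the secret out of source control -->
        <property name="clientSecret" value="${resource.client.secret}" />
    </bean>

    <!-- The filter referenced by <custom-filter ref="resourceServerFilter" .../>.
         resource-id is a placeholder; tokens not issued for this resource are rejected. -->
    <oauth:resource-server id="resourceServerFilter"
                           resource-id="my-api"
                           token-services-ref="tokenServices" />

    <!-- Returns 401 with a WWW-Authenticate challenge when no valid token is presented -->
    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="my-api" />
    </bean>

    <!-- Returns an OAuth2-formatted 403 when the token lacks the required role -->
    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    <!-- use-expressions="true" needs a voter that evaluates hasAnyRole(...) -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
            </list>
        </constructor-arg>
    </bean>
</beans>
```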