Using spring-security-oauth2 to secure my resources against an SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states:
For anyone who might be interested, there is also another example of separating the authentication server and resource server, found here: https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
You can separate open resources and protected resources in spring-security.xml.
Pattern /api/** will be protected and other resources will be open.
<!-- Protected resources -->
<http pattern="/api/**" create-session="never" use-expressions="true"
      entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/api/**"
                   access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <!-- <access-denied-handler ref="oauthAccessDeniedHandler"/> -->
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>