How to use RemoteTokenService?
I have a separate ResourceServer built using Spring-Security-oauth2. Here is the code RemoteTokenService.
@Bean
public ResourceServerTokenServices tokenService()
-
At Resource server I have a secured url e.g. "data/users" which is accessed only if "client" applicaiton has role "ROLE_CLIENT". Here I am using RemoteTokenService and I have a client configured at oauth server with role "ROLE_CLIENT" with client_credential grant.How can my client access this url ???
All requests should include authorisation with type 'Bearer' and token:
> curl "https://localhost:8080/users/me" -H "Pragma: no-cache" -H "Origin: > http://localhost:8080" -H "Accept-Encoding: gzip,deflate" -H > "Accept-Language: en-US,en;q=0.8,es;q=0.6" -H "Authorization: Bearer > f07abd25-af1f-44e2-XXXX-ba5071168XXX" -H "Accept: */*" -H > "Cache-Control: no-cache" -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; > WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 > Safari/537.36" -H "Connection: keep-alive" -H "Referer: > http://localhost:8080/test.html" --compressed
as I am using RemoteTokenService my token will be verified via "/oauth/check_token" (CheckTokenEndpoint). which dont give any information about client Role. So how can I compare Role of clients.
Spring security has all required information. All you need to do is secure your endpoint. In my case:
@PreAuthorize("hasAnyAuthority('USER_READ')")In this case only user with role 'USER_READ' can get access to my endpoint.
Feel free to ask any additional questions.
讨论(0) -
I have the following configuration:
@Configuration @EnableWebSecurity @EnableAuthorizationServer public class OAuthSecurityConfig extends AuthorizationServerConfigurerAdapter { // ... @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { // (!) oauthServer.allowFormAuthenticationForClients(); } // ...I added the following line:
oauthServer.checkTokenAccess("permitAll()");into the line with "(!)" to fix the same problem.
讨论(0)
加载中...
- 热议问题