How to secure a Spring oauth2 client?
I have an oauth2 spring boot application running and it works great. Now I have a second application ("microservice") which is running on a completely different machine and port.
I have tried nearly everything and nothing seems to work. I cannot get the security to work, so I am trying to understand what on earth is going on.
The 2nd application will only receive bearer tokens ("JWT tokens") and I want the application to contact the oauth server and "download" the user info that is associated with the Bearer token so that I can do authentication checks like hasRole() and isAuthenticated().
Is my 2nd application an oauth2 client or must it be a resource server? Must I use @EnableOAuth2Sso or @EnableResourceService?
This is my code right now:
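    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableOAuth2Sso
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/api/user/allowAllUrl").permitAll()
                .anyRequest().authenticated();
        }
    }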
Are the annotations and the WebSecurityConfigurerAdapter class correct?
Thanks
spring authentication oauth-2.0
asked Nov 7 at 10:14
Martijn Hiemstra
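A service that only receives bearer tokens and resolves the user through the OAuth server, as the question describes, is a resource server rather than an SSO client. The configuration below is an added example, not part of the original post; it assumes the legacy Spring Security OAuth stack, and the user-info URL and the `roles` field name are placeholders.

```java
// Added example, not the asker's code. Assumes spring-security-oauth2 together
// with Spring Boot's OAuth2 auto-configuration.
// Assumed application.properties entry (placeholder URL):
//   security.oauth2.resource.user-info-uri=https://auth.example.com/user
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer // checks the "Authorization: Bearer" header; no login redirect
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/user/allowAllUrl").permitAll()
            .anyRequest().authenticated();
    }

    // Maps a "roles" array in the user-info response (assumed field name) to
    // ROLE_-prefixed authorities so hasRole('ADMIN') can match. A missing or
    // unexpected value yields no authorities instead of a default role.
    @Bean
    public AuthoritiesExtractor authoritiesExtractor() {
        return (Map<String, Object> userInfo) -> {
            Object roles = userInfo.get("roles");
            if (!(roles instanceof Collection)) {
                return Collections.<GrantedAuthority>emptyList();
            }
            return ((Collection<?>) roles).stream()
                .<GrantedAuthority>map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
        };
    }
}
```

With this setup every request triggers a call to the user-info endpoint, so that endpoint should be reached over TLS and the service should fail closed when it is unavailable.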