1. Overview

This article contains a Spring Security OAuth 2.0 Resource Server example. In our previous article we configured the authentication server; in this article we will talk about Resource Server configuration using Spring Security. A Resource Server holds the actual resources, such as REST APIs, images, etc. To access those resources, the resource server asks for an access token, which is issued by the authentication server.

Complete flow of communication between the Authentication Server and the Resource Server:

1. The user logs in to the Authentication Server using a username/password.
2. If the username/password is valid, the Authentication Server returns an access token and a refresh token.
3. Using the access token, the client goes to the Resource Server to access resources.
3.1. The Resource Server now communicates with the Authentication Server to check whether the access token is valid or not (internally).
3.2. The Authentication Server acknowledges whether the token is valid or not (internally).
4. If the token is valid, the Resource Server returns the actual resource that was requested in step 3.
5. If the token is invalid, the Resource Server does not allow access to the resources.

2. Example

Technology Stack

We have used the following frameworks to build the Spring Security OAuth 2.0 Resource Server example using Spring Boot:

  • Spring Boot
  • Spring Security
  • Spring Security OAuth 2.0
  • Maven
  • Tomcat 8.5

Figure: Spring Security OAuth 2.0 Resource Server Example

2.1 pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <!-- The project's own groupId/artifactId/version were not preserved in this copy of the article -->
    <description>Spring Security Auth 2.0 Resource Server Example</description>
    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version><!-- Spring Boot 1.5.x version used by the article; not preserved --></version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>  <!--starter require for spring boot spring security-->
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <!-- provides @EnableResourceServer and ResourceServerConfigurerAdapter used below;
                 its version is managed by the Spring Boot parent -->
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>
    </dependencies>
    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

2.2 application.properties

application.properties must contain the details of the authentication server: whenever a request comes in to access a resource, the resource server uses them to check with the authentication server whether the access token is valid or not.

security.oauth2.resource.token-info-uri indicates the URL of the authentication server's access token check endpoint.

security.oauth2.client.client-id indicates the client id that the resource server presents to the authentication server when checking a token.

security.oauth2.client.client-secret indicates the corresponding client secret.


2.3 SecurityResourceServerConfig

ResourceServerConfigurerAdapter has been extended; its configure method contains the configuration of which access token scope is required to access which URL. For example, here we have configured that to access /demo the token must have the read scope.

RequestDumperFilter is only used to log the request while the access token is being checked with the authentication server.

package com.javadeveloperzone;

import org.apache.catalina.filters.RequestDumperFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Created by JavaDeveloperZone on 09-12-2017.
 */
@Configuration
public class SecurityResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)   // no HTTP session: every request carries its own token
                .and()
                .authorizeRequests()
                .antMatchers("/demo")
                .access("#oauth2.hasScope('read')");      // require 'read' scope to access /demo URL
    }

    @Bean
    RequestDumperFilter requestDumperFilter() {          // logs each request, useful to see the token check in action
        return new RequestDumperFilter();
    }
}
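
A hardened variant of the configuration above, written as an added example and not the article's code; the class name, the resource id "demo-api" and the /demo/** POST rule are assumptions. It keeps the article's /demo read-scope rule and adds a resource-id check and a default-deny rule, because overriding configure(HttpSecurity) replaces the adapter's built-in anyRequest().authenticated() and would otherwise leave every unlisted URL reachable without a token.

```java
package com.javadeveloperzone;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Hypothetical hardened version of the article's SecurityResourceServerConfig.
 * Added example, not the article's code; the resource id and the /demo/** rule are assumptions.
 */
@Configuration
public class HardenedResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Assumption: the authentication server registers this API under resource id "demo-api".
        // A token whose audience ("aud") names other resource ids but not this one is rejected
        // with an invalid_token error even if it is otherwise valid and unexpired.
        resources.resourceId("demo-api");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // A resource server keeps no session: every request must carry its own bearer token.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Same rule as the article: /demo requires the 'read' scope.
                .antMatchers("/demo").access("#oauth2.hasScope('read')")
                // Hypothetical second rule: state-changing calls need a distinct 'write' scope.
                .antMatchers(HttpMethod.POST, "/demo/**").access("#oauth2.hasScope('write')")
                // Default-deny. Overriding configure(HttpSecurity) replaces the adapter's
                // built-in anyRequest().authenticated(); without this line any URL not
                // matched above would be served without a token.
                .anyRequest().authenticated();
    }
}
```

With the resource id set, the authentication server from the previous article must include "demo-api" in the token's audience, otherwise every request to this server is rejected as an invalid token.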

2.4 SpringBootApplication

It is like any other Spring Boot configuration, but @EnableResourceServer is required; it indicates that the Spring Boot application is to be treated as a Resource Server.

package com.javadeveloperzone;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

/**
 * Created by JavaDeveloperZone on 19-07-2017.
 */
@SpringBootApplication
@EnableResourceServer           // To enable resource server
@ComponentScan                  // Using a root package also allows the @ComponentScan annotation to be used without needing to specify a basePackage attribute
public class SpringBootResourceApplicationConfig {
    public static void main(String[] args) throws Exception {
        SpringApplication.run(SpringBootResourceApplicationConfig.class, args);            // it will start the application
    }
}

2.5 SpringBootResourceController

package com.javadeveloperzone.controller;

import java.security.Principal;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Created by JavaDeveloperZone on 19-07-2017.
 */
@RestController
public class SpringBootResourceController {

    @RequestMapping("/demo")        // protected by the 'read' scope rule in SecurityResourceServerConfig
    public String demo(Principal principal) {
        // principal is the user the authentication server reported when it validated the token
        return "Hello " + principal.getName() + ", Auth 2.0 Resource Server, Access Granted by authentication server..";
    }
}

2.6 Output:

  1. Access resource with a valid access token : http://localhost:7777/demo

Figure: Spring Security OAuth 2.0 Resource Server Example – Access resource

  2. Access resource with an expired access token : http://localhost:7777/demo

Figure: Spring Security OAuth 2.0 Resource Server Example – Token Expired
