This article contains a Spring Security OAuth 2.0 Resource Server example. In our previous article we configured the authentication server; in this article we cover the resource server configuration using Spring Security. A resource server holds the actual resources, such as REST APIs and images. To access them, the resource server asks for an access token, which is issued by the authentication server.

Technology stack

We used the following frameworks to build the Spring Security OAuth 2.0 Resource Server example with Spring Boot:

  • Spring boot
  • Spring security
  • Spring Security OAuth 2.0
  • Maven
  • Tomcat 8.5

[Figure: Spring Security OAuth 2.0 Resource Server Example]

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>spring-boot-example</groupId>
    <artifactId>spring-security-auth-2.0-resource-server-example</artifactId>
    <version>1.0-SNAPSHOT</version>
    <description>Spring Security Auth 2.0 Resource Server Example</description>
    <!-- Inherit defaults from Spring Boot -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.4.RELEASE</version>
    </parent>
    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>  <!-- starter required for Spring Security in Spring Boot -->
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>
    </dependencies>

    <!-- Package as an executable jar -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

application.properties

application.properties must contain the authentication server URL. When a request for a resource arrives, the resource server uses it to check with the authentication server whether the access token is valid.

security.oauth2.resource.token-info-uri indicates the URL at which access tokens are checked

security.oauth2.client.client-id indicates the client id

security.oauth2.client.client-secret indicates the client secret

server.port=7777
security.oauth2.resource.token-info-uri=${auth-server:http://localhost:8080}/oauth/check_token
security.oauth2.client.client-id=javadeveloperzone
security.oauth2.client.client-secret=secret

SecurityResourceServerConfig

ResourceServerConfigurerAdapter is extended; its configure method holds the rules for which access token scope is required to access which URL. For example, here we configure that access to /demo requires the read scope.

RequestDumperFilter is only used to log the request while the access token is being checked with the authentication server.

package com.javadeveloperzone;

import org.apache.catalina.filters.RequestDumperFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Created by JavaDeveloperZone on 09-12-2017.
 */

@Configuration
public class SecurityResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/demo")
                .access("#oauth2.hasScope('read')");      // require 'read' scope to access /demo URL
    }
    @Bean
    RequestDumperFilter requestDumperFilter() {
        return new RequestDumperFilter();
    }
}
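A stricter variant of the adapter above, added here as an example and not part of the original tutorial: the original's only rule is antMatchers("/demo"), so any other URL in the application falls outside every authorization rule and a request without a token to it is not rejected. This version requires a valid token for every request and separates read and write scopes on /demo (the 'write' scope, the POST handler and the resource id "demo-resource" are assumptions; the resource id must match an entry in the aud claim of tokens issued by the authentication server).

```java
package com.javadeveloperzone;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Added example: a stricter version of SecurityResourceServerConfig.
 * Use it instead of (not alongside) the tutorial's adapter.
 */
@Configuration
public class HardenedResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed resource id. It must equal an entry in the "aud" of tokens issued by the
    // authentication server; tokens minted for a different resource server are then rejected.
    private static final String RESOURCE_ID = "demo-resource";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // same rule as the tutorial, but limited to GET
                .antMatchers(HttpMethod.GET, "/demo").access("#oauth2.hasScope('read')")
                // assumed write endpoint: a separate scope for state-changing calls
                .antMatchers(HttpMethod.POST, "/demo").access("#oauth2.hasScope('write')")
                // every URL not listed above still needs a valid access token;
                // without this line a token-less request to such a URL is not rejected
                .anyRequest().authenticated();
    }
}
```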

SpringBootApplication

It is like any other Spring Boot configuration, but it must carry @EnableResourceServer, which marks this Spring Boot application as a resource server.

package com.javadeveloperzone;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

/**
 * Created by JavaDeveloperZone on 19-07-2017.
 */

@SpringBootApplication
@ComponentScan({"com.javadeveloperzone"})
@EnableResourceServer           // To enable resource server
// Using a root package also allows the @ComponentScan annotation to be used without needing to specify a basePackage attribute
public class SpringBootResourceApplicationConfig {
    public static void main(String[] args) throws Exception {
        SpringApplication.run(SpringBootResourceApplicationConfig.class, args);            // it will start the application
    }
}

SpringBootResourceController

package com.javadeveloperzone.controller;

import java.security.Principal;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Created by JavaDeveloperZone on 19-07-2017.
 */
@RestController
public class SpringBootResourceController {

    @RequestMapping("/demo")
    public String demo(Principal principal) {
        return "Hello "+principal.getName()+", Auth 2.0 Resource Server, Access Granted by authentication server..";
    }
}

Output:

  1. Access the resource with authentication : http://localhost:7777/demo

[Figure: Spring Security OAuth 2.0 Resource Server Example - Access resource]

  2. Access the resource with an expired token : http://localhost:7777/demo

[Figure: Spring Security OAuth 2.0 Resource Server Example - Token Expired]
