
I'm trying to create a server with OAuth 2 but I have a problem. I configured OAuth, the user can authorize and get a token, but the REST methods are always accessible; for example, a user can use the POST method when they didn't authorize.

How do I configure OAuth so the REST methods run only when a user has authorized?

This is what some of my code looks like (I used this example code):

OAuth2ServerConfiguration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "restservice";

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // @formatter:off
            resources
                .resourceId(RESOURCE_ID);
            // @formatter:on
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Only /users and /greeting are matched by a rule here; any other
            // path (such as /ABC) has no rule and is therefore left open.
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/users").hasRole("ADMIN")
                    .antMatchers("/greeting").authenticated();
            // @formatter:on
        }

    } // closing brace of ResourceServerConfiguration (was missing above)

    // The AuthorizationServerConfiguration shown below is a nested class of
    // this outer class as well, as in the example the question follows.
}

AuthorizationServerConfiguration class:

// Nested inside OAuth2ServerConfiguration next to ResourceServerConfiguration,
// which is why RESOURCE_ID from the outer class is visible here.
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private TokenStore tokenStore = new InMemoryTokenStore();

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        // @formatter:off
        endpoints
            .tokenStore(this.tokenStore)
            .authenticationManager(this.authenticationManager)
            .userDetailsService(userDetailsService);
        // @formatter:on
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients
            .inMemory()
                .withClient("clientapp")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("USER")
                    .scopes("read", "write")
                    .resourceIds(RESOURCE_ID)
                    .secret("123456");
        // @formatter:on
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setTokenStore(this.tokenStore);
        return tokenServices;
    }

}

Rest controller:

@RestController
@RequestMapping("/ABC")
final class Controller {

    @Autowired
    Repository repository;

    @RequestMapping(method = RequestMethod.POST)
    @ResponseStatus(HttpStatus.CREATED)
    int create(@RequestBody @Valid Data myData) {
        repository.create(myData);
        return 1;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.GET)
    Data findByNumber(@PathVariable("number") String number) {
        Data data = repository.findByNumber(number);
        return data;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.PUT)
    int update(@RequestBody @Valid Data myData) {
        // The number of updated rows is computed but not returned.
        int rows = repository.update(myData);
        return 1;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.DELETE)
    int delete(@PathVariable("number") String number) {
        // Was repository.delete(serialNumber), which does not compile:
        // the path variable is bound to "number".
        repository.delete(number);
        return 1;
    }
}

1 Answer


You'll want to add .antMatchers("/ABC/**").authenticated()

See jhipster sample oauth2 example

https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/java/com/mycompany/myapp/config/OAuth2ServerConfiguration.java


2 Comments

Thank you, it worked! A little off topic, but do you maybe know if the password the user entered to authorize is accessible from the server?
I'm not sure about the answer to your new question. It depends on whether you consider your resource server and authorization server the same server. The resource server shouldn't need to know about the credentials. Please accept the answer above if you consider it correct. Thanks
