
/**
 * Copyright 2014 Michael Brush
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 * http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.bcknds.demo.oauth2.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * This class configures the security of the resource server's endpoints.
 * 
 * @author Michael Brush
 */
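@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServer extends ResourceServerConfigurerAdapter {

    /**
     * Declares the URL authorization rules of this resource server.
     *
     * <p>Rules are evaluated in registration order and the first matching rule
     * wins, so the method-specific {@code GET /secure**} rule must stay ahead of
     * the generic {@code /secure**} rule, and the catch-all must stay last.
     *
     * @param http the security builder handed in by Spring Security OAuth2
     * @throws Exception propagated from the builder API
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // The token endpoint is the security entry point, so only
                // anonymous (not-yet-authenticated) callers may reach it.
                .antMatchers("/oauth/token").anonymous()
                // GET on secure resources requires the "read" scope.
                .antMatchers(HttpMethod.GET, "/secure**").access("#oauth2.hasScope('read')")
                // Every other method on secure resources requires the "write" scope;
                // GET never reaches this rule because the rule above matches first.
                .antMatchers("/secure**").access("#oauth2.hasScope('write')")
                // Fail closed: a request matching none of the patterns above must
                // still present a valid token. Spring Security OAuth2 only adds its
                // own anyRequest().authenticated() fallback when no custom
                // ResourceServerConfigurer is registered, so without this line
                // unmatched paths would be served with no authorization check.
                .anyRequest().authenticated();
        // NOTE(review): the Ant matcher applies "**" per path segment, so
        // "/secure**" most likely covers "/secure" and "/secureX" but not
        // "/secure/child" (which would then only hit the catch-all, with no
        // scope check). Confirm against the real endpoint paths and switch to
        // "/secure/**" if child paths exist.
    }

    /**
     * Sets the resource id this server represents; tokens that were not issued
     * for the {@code security} resource id are rejected at authentication time.
     *
     * @param resources the resource-server configurer to populate
     * @throws Exception propagated from the configurer API
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("security");
    }
}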