/**
 * Copyright 2014 Michael Brush
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.bcknds.demo.oauth2.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Resource-server security configuration for the demo.
 *
 * <p>Declares, per URL pattern, which OAuth2 scope a request must carry,
 * and registers the resource id that incoming tokens are checked against.
 * Method-level {@code @PreAuthorize}/{@code @PostAuthorize} checks are
 * enabled as well via {@link EnableGlobalMethodSecurity}.
 *
 * @author Michael Brush
 */
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServer extends ResourceServerConfigurerAdapter {

    /** Resource id this server protects; tokens must be issued for it. */
    private static final String RESOURCE_ID = "security";

    /** Token endpoint; the entry point for obtaining a token, hence open to anonymous callers. */
    private static final String TOKEN_ENDPOINT = "/oauth/token";

    /** Ant pattern for the protected resource. */
    private static final String SECURE_PATTERN = "/secure**";

    /** SpEL expression requiring the {@code read} scope on the presented token. */
    private static final String REQUIRES_READ_SCOPE = "#oauth2.hasScope('read')";

    /** SpEL expression requiring the {@code write} scope on the presented token. */
    private static final String REQUIRES_WRITE_SCOPE = "#oauth2.hasScope('write')";

    /**
     * Registers the URL authorization rules.
     *
     * <p>Rules are evaluated in declaration order and the first match wins, so
     * the GET-only rule for the secure resource is listed before the
     * catch-all rule for that same pattern.
     *
     * @param http the builder the rules are registered on
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // NOTE(review): no anyRequest() fallback is declared here, so URLs that match
        // none of these patterns are not covered by any rule — confirm that every
        // other endpoint exposed by the application is meant to be reachable that way.
        // NOTE(review): "/secure**" is a single-segment pattern; verify whether nested
        // paths under /secure/ are also expected to be covered by these rules.
        http.authorizeRequests()
            // the token endpoint must be reachable before a caller holds a token
            .antMatchers(TOKEN_ENDPOINT).anonymous()
            // reads need the read scope
            .antMatchers(HttpMethod.GET, SECURE_PATTERN).access(REQUIRES_READ_SCOPE)
            // every other method on the same pattern falls through to this rule
            // and therefore needs the write scope
            .antMatchers(SECURE_PATTERN).access(REQUIRES_WRITE_SCOPE);
    }

    /**
     * Sets the resource id that access tokens presented to this server must carry.
     *
     * @param resources the resource-server configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID);
    }
}