Spring OAuth2 role-based access control on a resource server with roles from the auth server

I created an authorization server with Spring Boot, and I want to use the resource owners' roles on the resource server. I have a SecurityConfig class extending WebSecurityConfigurerAdapter, in which I authenticate resource owners by checking their credentials against MongoDB. For this I have a MongoAuthProvider class implementing AuthenticationProvider, which returns a UsernamePasswordAuthenticationToken instance with the username, the password and the ROLES, for example "ROLE_ADMIN" and "ROLE_APPUSER".

/**
 * Authorization server: issues OAuth2 tokens for the single in-memory client
 * registered below and exposes {@code /user} so a resource server can resolve
 * the token holder. Because it also carries {@code @EnableResourceServer},
 * {@code /user} itself is presumably protected by the tokens it issues.
 */
@SpringBootApplication
@RestController
@EnableResourceServer
public class AuthserverApplication extends WebMvcConfigurerAdapter {

public static void main(String[] args) {
    SpringApplication.run(AuthserverApplication.class, args);
}

/** Token endpoints and client registration. */
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends
        AuthorizationServerConfigurerAdapter {

    // The global manager configured in SecurityConfig.configureGlobal below
    // (MongoAuthProvider behind it); handing it to the endpoints is what lets
    // the "password" grant verify resource-owner credentials.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    /**
     * Registers the one OAuth2 client.
     *
     * <p>NOTE(review): the client secret is a plaintext literal in source;
     * outside a demo it belongs in externalized configuration. Enabling the
     * "password" grant also means resource-owner credentials pass through the
     * client, so only a trusted first-party client should get it.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code","implicit",
                        "refresh_token", "password").scopes("openid");

    }
}

/** Wires MongoAuthProvider into the global authentication manager. */
@Configuration
protected static class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MongoAuthProvider mongoAuthProvider;

    /** Registers the Mongo-backed provider on the shared manager builder. */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.authenticationProvider(mongoAuthProvider);
    }


    // Declared as a bean (rather than new'd where it is used) so that the
    // provider's own @Autowired UserRepo field gets injected.
    @Bean
    public MongoAuthProvider getMongoAuthProvider(){
        return new MongoAuthProvider();
    }

}

/**
 * Returns the caller's full OAuth2Authentication. With {@code @RestController}
 * the object is serialized as the response body, so everything reachable from
 * it (principal, authorities, the wrapped user authentication) is sent to the
 * caller. NOTE(review): MongoAuthProvider places the raw password in the user
 * token's credentials; confirm credentials are erased after authentication
 * (ProviderManager does so by default) before exposing this endpoint.
 */
@RequestMapping("/user")
public Principal user(OAuth2Authentication user) {
    return user;
}
}

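/**
 * Authenticates resource owners against MongoDB by looking up a user with the
 * submitted user name and password.
 *
 * <p>NOTE(review): the password is passed straight to
 * {@code findByUserNameAndPassword}, so whatever the repository compares it
 * against is stored in a directly comparable form. Passwords should be stored
 * as a salted hash (bcrypt/scrypt/argon2) and verified with a
 * {@code PasswordEncoder} instead of a lookup. Every successful login is also
 * granted the same fixed authorities, so a role check on the resource server
 * cannot tell users apart until the roles come from the stored {@code User}.
 */
class MongoAuthProvider implements AuthenticationProvider {

    // Authorities granted to every authenticated user (see class note).
    private static final String[] FIXED_ROLES = {"ROLE_ADMIN", "ROLE_APPUSER"};

    @Autowired
    UserRepo userrepo;

    /**
     * Verifies the supplied user name and password.
     *
     * <p>Name and credentials are trimmed before the lookup, as in the original
     * implementation, so surrounding whitespace in a password is not significant.
     *
     * @param authentication the unauthenticated token submitted by the caller
     * @return an authenticated token carrying the fixed roles, or {@code null}
     *     when the user is unknown or the token has no name/credentials, so the
     *     authentication manager moves on (and ultimately fails the request)
     */
    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String rawName = authentication.getName();
        Object rawCredentials = authentication.getCredentials();
        // A token with no name or credentials used to escape as a
        // NullPointerException (a 500) instead of an authentication failure.
        if (rawName == null || rawCredentials == null) {
            return null;
        }
        String userName = rawName.trim();
        String password = rawCredentials.toString().trim();

        User user = userrepo.findByUserNameAndPassword(userName, password);
        if (user == null) {
            return null;
        }
        // The password stays in the token's credentials, as before; the
        // manager's default credential erasure is what keeps it out of any
        // response that serializes this token — verify that default holds.
        return new UsernamePasswordAuthenticationToken(userName, password,
                AuthorityUtils.createAuthorityList(FIXED_ROLES));
    }

    /** Only username/password tokens are handled here. */
    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}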

auth :

/**
 * Exposes the caller's authentication so a resource server can resolve the
 * token holder. An OAuth2Authentication is itself a Principal, so it is
 * handed back unchanged; the enclosing controller decides how it is rendered.
 *
 * @param user the authentication resolved for the current request
 * @return that same authentication, typed as a Principal
 */
@RequestMapping("/user")
public Principal user(OAuth2Authentication user) {
    final Principal principal = user;
    return principal;
}

. ResourceServer, ResourceServerConfigurerAdapter, auth. . , auth.

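/**
 * Resource server / SSO client: every request must present a token whose user
 * holds the ADMIN role.
 */
@SpringBootApplication
@EnableResourceServer
@EnableOAuth2Sso
public class AuthserverClientApplication extends WebMvcConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(AuthserverClientApplication.class, args);
    }

    /** Access rules for the resource server's endpoints. */
    @Configuration
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        /**
         * Requires {@code ROLE_ADMIN} on every request. {@code hasRole("ADMIN")}
         * performs the same check as {@code hasAuthority("ROLE_ADMIN")}, which is
         * why the commented-out alternative was dropped.
         *
         * @param http the resource server's security builder
         * @throws Exception propagated from the builder
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                // Match-all pattern written with its leading slash, the
                // documented form of the Ant matcher.
                .antMatchers("/**")
                .hasRole("ADMIN")
                // Everything is already matched above; kept so a request that
                // somehow misses the pattern still needs authentication.
                .anyRequest().authenticated();
        }
    }
}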

, , .


Source: https://habr.com/ru/post/1621293/

