Spring Boot 2 + Oauth2-保护微服务中的其余调用

Question

Im working on a spring boot 2 micro services . now im planning to secure to my rest calls using the OAUTH2 .

I found lot of articles reg that Spring 2 + OAUTH2 integration but does not match with my requirement , all of them use tables and secure calls using the roles ,

My application login works on Single Sign on using the SAML (SSO) , my requirement is to only authorize the each request . what are the best way to do that .

1. do i really need table to store the token for the user , since login is already happened using SSO ?
2. only thing here is to authorize request irrespective of the roles of the user .

Any suggestions or github link to match the simple requirement will be appreciated .

Answer 1

@premKumarR

For your comments on which is better in-memory v/s JDBC. For Spring Docs,

Here's a description with some discussion of each of them

The default InMemoryTokenStore is perfectly fine for a single server (ie low traffic and no hot swap to a backup server in the case of failure). Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the JdbcTokenStore you need "spring-jdbc" on the classpath.

Docs Link: https://projects.spring.io/spring-security-oauth/docs/oauth2.html

Answer 2

OAuth2 has different implementations of creating Tokens for authentication. By default it creates tokens via random value and handles everything except for the persistence of the tokens which it delegates to a TokenStore . The default store is an in-memory implementation, but there are some other implementations available.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database.

The JSON Web Token (JWT) version of the store but does not persist data.

So to answer your questions

• do i really need table to store the token for the user , since login is already happened using SSO ?

  Not necessary. As i understand you only intend to authenticate not to generate the tokens.

• only thing here is to authorize request irrespective of the roles of the user .

  You can use WebSecurityConfigurerAdapter to vaildate incoming request. eg as below

  public class Configuration extends WebSecurityConfigurerAdapter {

   @Override public void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers("/authorization-server-1/**", "/login").permitAll() .anyRequest().authenticated(); } }