We want to use the Spring OAuth2 JWT token support. Our architecture is as follows: Spring just provides a REST interface, and the frontend is built with AngularJS, which queries the Spring REST interface. For authorization purposes our frontend team wants to use JWT. So I have taken a look at the Spring OAuth2 JWT support and still do not really know how to talk with the frontend about JWT tokens. After reading a little tutorial I have implemented this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@SpringBootApplication
public class Application {

    @Autowired
    @Qualifier("defaultAuthorizationServerTokenServices")
    private DefaultTokenServices tokenServices;

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        // Must actually be injected: the password grant is only registered when
        // endpoints.authenticationManager() receives a non-null manager.
        @Autowired
        private AuthenticationManager authManager;

        // Encodes access tokens as signed JWTs instead of opaque random strings.
        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            return new JwtAccessTokenConverter();
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // /oauth/token_key is public, /oauth/check_token only for trusted clients
            oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
                .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authManager).accessTokenConverter(accessTokenConverter());
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("my-trusted_client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
                .and()
                .withClient("my-client-with-registered-redirect")
                    .authorizedGrantTypes("authorization_code")
                    .authorities("ROLE_CLIENT")
                    .scopes("read", "trust")
                    .redirectUris("http://anywhere?key=value")
                .and()
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials", "password")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write")
                    .secret("secret");
        }
    }
}
```
I'm not sure how the workflow is. What I guess: the frontend accesses the /oauth/authorization endpoint to authorize its token, and then the Spring backend has to check the JWT token every time a resource is requested, to see whether it is authorized to access the resource? Right? So how can I tell Spring to check the token when a REST endpoint is requested? I have tried it with
```java
@RestController
public class ProjectController {

    @RequestMapping("/projects")
    @PreAuthorize("oauthClientHasRole('ROLE_CLIENT')")
    public String getProjects() {
        return "";
    }
}
```
But it does not seem to work.
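As an added example (not the poster's code), this is the resource-server side that makes Spring verify the JWT on every REST request and enables the `oauthClientHasRole()` expression used in the `@PreAuthorize` above. It assumes it lives in the same Spring Boot application as `OAuth2Config`, so the `JwtAccessTokenConverter` bean can be reused; the `/projects` path and the `read` scope are taken from the question.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Added example: resource-server half of the same Spring Boot application as OAuth2Config.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Reuse the converter bean from OAuth2Config so tokens are verified with the key they
    // were signed with; a separately deployed resource server needs that same key configured.
    @Autowired
    private JwtAccessTokenConverter accessTokenConverter;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // JwtTokenStore checks signature and expiry of the bearer token locally;
        // nothing is looked up in a database or at /oauth/check_token.
        resources.tokenStore(new JwtTokenStore(accessTokenConverter));
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Each request to /projects must carry "Authorization: Bearer <jwt>" with scope "read";
        // a missing, expired or tampered token is rejected with 401 before the controller runs.
        http.authorizeRequests()
            .antMatchers("/projects/**").access("#oauth2.hasScope('read')")
            .anyRequest().authenticated();
    }
}

// Registers the OAuth2-aware expression handler; without it @PreAuthorize expressions
// such as oauthClientHasRole('ROLE_CLIENT') are unknown to method security.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}
```

The frontend obtains the JWT from /oauth/token (for example with the password grant configured for `my-trusted_client`) and then sends it as a bearer token on every REST call; the resource server validates it statelessly on each request.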