alexanoid
Reputation: 25812
REST API, oAuth2, spring security and roles
In my application I have implemented oauth2 AuthorizationServer and ResourceServer. Each user in my system has a set of his Roles(Permissions).
I'd like to protect my Spring MVC REST endpoints with oauth2 and security based on User roles.
Is it possible to use oAuth2 authentication/authorization with different Roles(Permissions) that was defined in UserDetails.getAuthorities() method?
My configs:
private final static class DBUserDetails extends User implements UserDetails {
private static final long serialVersionUID = 1L;
private DBUserDetails(User user) {
super(user);
}
public Collection<? extends GrantedAuthority> getAuthorities() {
return AuthorityUtils.createAuthorityList("ROLE_USER");
}
public String getUsername() {
return getName();
}
public boolean isAccountNonExpired() {
return true;
}
public boolean isAccountNonLocked() {
return true;
}
public boolean isCredentialsNonExpired() {
return true;
}
public boolean isEnabled() {
return true;
}
}
and
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources
.resourceId(RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/profile/*").hasRole("PERMISSION_ADMIN")
.and().csrf()
.disable().sessionManagement().sessionCreationPolicy(STATELESS);
}
}
@RestController
@RequestMapping("/api/v1.0/profile")
public class ProfileController {
@PreAuthorize("hasRole('PERMISSION_ADMIN')")
@RequestMapping("/currentUser")
public User currentUser(@AuthenticationPrincipal User user) {
return user;
}
}
I'd like to secure /profile/* path with user who has PERMISSION_ADMIN. But right now anyone with accessToken can get access to this endpoint. Where I'm wrong ?
Upvotes: 2
Views: 3632
Answers (1)
Sergey Yamshchikov
Reputation: 1019
I suppose you can use OAuth2SecurityExpressionMethods in your ResourceServerConfiguration For me it works like this:
http
.requestMatchers().antMatchers("/oauth/api")
.and()
.authorizeRequests()
.antMatchers("/oauth/api").access("#oauth2.hasRole('ADMIN')")...
Upvotes: 1
Related Questions
- Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
- Role-based authentication for OAuth2
- Spring security 5: providing roles for OAuth2 authenticated users
- Spring. Implementation Oauth.2.0 for REST API
- Spring Security and Oauth2 misunderstanding
- Role hierarchy and OAuth2 Security using Spring Boot
- Authorization Server
- Java Spring (Maven) REST API using OAuth2
- oauth2 spring security over RESTEasy API's
- spring boot OAuth2 role based authorization