Teuddy R

Reputation: 193

Difference between AuthorizationServerConfigurerAdapter vs WebSecurityConfigurerAdapter

What is the difference between these classes? I know that WebSecurityConfigurerAdapter is used to customize "security" in our apps.

What I've done:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomUserDetailsService customUserDetailsService;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    ...

}

But I don't understand the meaning of AuthorizationServerConfigurerAdapter.

I read a couple of articles but I don't get it.

Upvotes: 14

Views: 8488

Answers (2)

Ömer

Reputation: 84

If you want to use a third-party authenticator, which at the same time means OAuth, then you must use AuthorizationServerConfigurerAdapter together with WebSecurityConfigurerAdapter on the OAuth server side. If not, WebSecurityConfigurerAdapter is enough for ordinary authentication.

Upvotes: 0

Matt Ke

Reputation: 3739

One thing first. OAuth 2 is an authorization framework. It allows an application (client) to obtain limited access to an HTTP service on behalf of a resource owner (user). OAuth 2 is not an authentication protocol.

AuthorizationServerConfigurerAdapter is used to configure how the OAuth authorization server works.

Here are some aspects which can be configured:

  • supported grant types (e.g. authorization code grant)
  • authorization code service, to store authorization codes
  • token store, to store access and refresh tokens (e.g. JwtTokenStore)
  • client details service, which holds the client configurations
  • ...

WebSecurityConfigurerAdapter is used to configure how the OAuth authorization server is secured.

Or in other words, how the user has to authenticate to grant a client access to his resources.

This can be:

  • form authentication
  • authentication via an identity provider (Facebook Login)
  • ...

(I have intentionally omitted some details to keep the answer as simple as possible.)


Example authorization server configuration with an in-memory token store:

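import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Tell the token endpoints where access and refresh tokens are stored
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore());
    }

    // In-memory store: tokens are lost when the application restarts
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    ...

}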

Example security configuration with form login:

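import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // the login page itself must be reachable without a session
                .antMatchers("/login").permitAll()
                // the user has to be logged in before granting a client access
                .antMatchers("/oauth/authorize").authenticated()
                .and()
            .formLogin();
    }

    ...

}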

Upvotes: 33
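
The aspects listed in the answer above (grant types, authorization code service, token store, client details service), configured together in one class. This is an added example, not code from the answer or from the Spring project. It assumes the legacy spring-security-oauth2 library that provides these classes; the class name, client id, scope, redirect URI, token lifetimes and the DEMO_CLIENT_SECRET environment variable are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class DemoAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Client details service: which clients exist and what each one may do.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("demo-web-client")                        // constructed client id
            // store only a hash; the secret comes from a hypothetical env var
            .secret(encoder.encode(System.getenv("DEMO_CLIENT_SECRET")))
            .authorizedGrantTypes("authorization_code", "refresh_token") // only what is needed
            .scopes("profile.read")                               // constructed scope
            .redirectUris("https://client.example/callback")      // registered callback
            .autoApprove(false)                                   // user must approve access
            .accessTokenValiditySeconds(300)                      // short-lived access token
            .refreshTokenValiditySeconds(3600);
    }

    // Client secrets presented at the token endpoint are checked against the hash.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.passwordEncoder(encoder);
    }

    // Token store and authorization code service used by the endpoints.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                 .authorizationCodeServices(authorizationCodeServices());
    }

    @Bean public TokenStore tokenStore() { return new InMemoryTokenStore(); }
    @Bean public AuthorizationCodeServices authorizationCodeServices() { return new InMemoryAuthorizationCodeServices(); }
}
```

How the user logs in before reaching /oauth/authorize is still decided by the separate WebSecurityConfigurerAdapter class shown in the answer.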
