Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
768 views
in Technique[技术] by (71.8m points)

java - Do I need resource server with Spring Security OAuth2?

I am trying implement OAuth2 authentication with JWT tokens. If I understand, I need send credentials to authorization server, this verify my credentials, and return back signed JWT token. Next I tried implement WebSecurityConfig which extends WebSecurityConfigurerAdapter, and there I have to set which endpoints are secured and which aren't.

But my question is: do I need resource server? It do same job as my potential WebSecurityConfig, or not?

My goal is create simple JWT authentication for my website.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Yes, you will want to configure the resources protected by your JWT's by extending ResourceServerConfigurerAdapter. A basic implementation might look like this

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

}

This means you should have no need to extend WebSecurityConfigurerAdapter because the above configuration configures the same HttpSecurity object that you would be configuring in WebSecurityConfigurerAdapter. The public void configure(HttpSecurity http) works on the same thing in both classes.

The reason we want to choose ResourceServerConfigurerAdapter over WebSecurityConfigurerAdapter is because it's part of the spring-security-oauth2 module that you are using, and will be used behind the scenes by the framework.

You will of course need to make sure that you are using the same signing key for both your authorization and resource servers. If you are defining your security config beans in the same application the resource server will automatically use the same beans, if not then you will need to duplicate whatever JWT related config you have on your authorization server.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...