Last active: February 7, 2024 02:39
Spring Security: example of OAuth2 Resource Server configuration (Spring Boot v2.6.7)
```yaml
##
# Spring Security - OAuth2 Resource Server
##
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:18080/auth/realms/minhas-figurinhas
          jwk-set-uri: http://localhost:18080/auth/realms/minhas-figurinhas/protocol/openid-connect/certs # optional
```
```java
package br.com.zup.edu.minhasfigurinhas;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import static org.springframework.http.HttpMethod.GET;
import static org.springframework.http.HttpMethod.POST;
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.cors()
            .and()
                .csrf().disable()
                .httpBasic().disable()
                .rememberMe().disable()
                .formLogin().disable()
                .logout().disable()
                .requestCache().disable()
                .headers().frameOptions().deny()
            .and()
                .sessionManagement()
                    .sessionCreationPolicy(STATELESS)
            .and()
                .authorizeRequests()
                    .antMatchers(GET, "/api/albuns/**").hasAuthority("SCOPE_albuns:read")
                    .antMatchers(POST, "/api/albuns").hasAuthority("SCOPE_albuns:write")
                    .antMatchers(POST, "/api/albuns/*/figurinhas").hasAuthority("SCOPE_albuns:write")
                    .anyRequest()
                        .authenticated()
            .and()
                .oauth2ResourceServer()
                    .jwt(); // this is needed because we're overriding the conf in the application.properties
        // @formatter:on
    }
}
```
Hi Rafael.
Glad to share a few opinions here.
First, I think this setup you worked on is pretty much complete for a RESTful API using OAuth2. Some configurations might not be actually necessary with the current Spring Security behavior (e.g. I don't think the Basic or Form authentication mechanisms are configured when you indicate you're setting up a Resource Server), but anyway it's good to be explicit here, so I'll keep it as it is.
Of course, I don't have visibility of the actual implementation of your services and infrastructure to be able to analyze this thoroughly, but I could suggest evaluating setting up an API Gateway service that could help you take care of and centralize some security configurations (like the CORS setup). This is a common pattern, but of course, that's something that should be analyzed for your particular case.
Also, I would suggest analyzing the Security headers that are considered relevant by the Spring Cloud Gateway framework too:
https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#the-secureheaders-gatewayfilter-factory
As this framework is more focused on (potentially RESTful) APIs and the headers that it sets up out of the box are probably more aligned with your service's needs. Of course, you can compare it with the headers that are retrieved by Spring Security by default:
https://docs.spring.io/spring-security/reference/features/exploits/headers.html#headers-default
I generally can't go into the codebase of a student, and can typically only help with questions specifically focused on the course itself, as you may imagine.
Hope this helped Rafael, and that you find the courses useful.
Cheers,
Eugen
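The comparison Eugen suggests (what headers your resource server actually returns versus what Spring Security adds by default) is easy to automate. The following is an added example, not code from the gist or from Eugen: it audits a dict of response headers against the header names Spring Security's default-headers documentation lists; the expected value fragments and the two sample responses are constructed assumptions.

```python
"""Audit an HTTP response's security headers against the set Spring Security
applies by default (Cache-Control, Pragma, Expires, X-Content-Type-Options,
Strict-Transport-Security, X-Frame-Options, X-XSS-Protection).
Constructed sample responses stand in for live traffic."""

# Header names Spring Security adds by default. The value fragments are an
# assumption based on its documented defaults; X-XSS-Protection's default value
# has changed across versions, so only its presence is checked.
EXPECTED = {
    "cache-control": "no-store",
    "pragma": "no-cache",
    "expires": "0",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",      # the gist sets frameOptions().deny()
    "x-xss-protection": None,
}
HSTS = "strict-transport-security"


def audit_headers(headers, https=True):
    """Return a sorted list of findings: 'missing:<name>' when a default header
    is absent, 'unexpected:<name>=<value>' when it carries a weaker value."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, fragment in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing:{name}")
        elif fragment is not None and fragment not in lower[name].lower():
            findings.append(f"unexpected:{name}={lower[name]}")
    # Spring Security only emits HSTS on TLS requests, so it is only required
    # (and only meaningful) when the response was served over HTTPS.
    if https and HSTS not in lower:
        findings.append(f"missing:{HSTS}")
    return sorted(findings)


# Constructed sample: a response carrying the full default header set
GOOD = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
}
# Constructed sample: frame options weakened, HSTS and XSS header dropped
WEAK = {k: v for k, v in GOOD.items()
        if k not in ("Strict-Transport-Security", "X-XSS-Protection")}
WEAK["X-Frame-Options"] = "SAMEORIGIN"

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "OK")
```

Feed it the headers of a real response (for example from `requests.get(...).headers`) to see which defaults your gateway or resource server is missing or overriding.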