
8 Standalone Resource Server or Authorization Server - Reference Documentation

Authors: Brian Saville, Bobby Vandiver, Roy Willemse

Version: 3.0.0-RC2

8 Standalone Resource Server or Authorization Server

By default, the plugin is configured to assume the role of both the Authorization Server and the Resource Server as defined by RFC 6749. However, it is possible to configure an application to fulfill only one role.

The plugin registers an instance of the Spring OAuth provided OAuth2AuthenticationProcessingFilter under the bean name oauth2ProviderFilter. This filter is responsible for extracting the Bearer token from the Authorization header and confirming its authenticity.

8.1 Authorization Server

Creating an application that is only an Authorization Server is as simple as configuring the authorization and token endpoints as shown in the Getting Started and Filter Chain Configuration sections and excluding the oauth2ProviderFilter from the filter chain, since no Bearer tokens need to be accepted.

So instead of the following filter chain:

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/oauth/token',               filters: 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter'],
    [pattern: '/securedOAuth2Resources/**', filters: 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter'],
    [pattern: '/**',                        filters: 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter']
]

You would have something like this:

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/oauth/token',               filters: 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter,-authenticationProcessingFilter,-exceptionTranslationFilter'],
    [pattern: '/**',                        filters: 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-basicAuthenticationFilter,-oauth2ExceptionTranslationFilter']
]

Here, /** covers any Authorization Server specific functionality.

8.2 Resource Server

Creating an application that is only a Resource Server is slightly more involved. The plugin uses an implementation of the Spring provided ResourceServerTokenServices interface that uses the currently configured TokenStore to authenticate the presented Bearer token. If the Authorization Server and Resource Server are distinct applications, the Resource Server will very likely need its own means of validating the presented Bearer token, and what that means is depends on your use case. To do this, implement the aforementioned ResourceServerTokenServices interface and override the resourceServerTokenServices bean in your resources.groovy.
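As an added illustration of the override just described (not code from the plugin or these docs): a Groovy ResourceServerTokenServices that validates each Bearer token against a hypothetical introspection endpoint on the separate Authorization Server, rejecting inactive, expired and wrong-audience tokens, together with the resources.groovy entry that swaps it in for the plugin's TokenStore-backed bean. The class name, package, endpoint URL, JSON field names and resource id are all assumptions.

```groovy
package example.oauth
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.common.*
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException
import org.springframework.security.oauth2.provider.*
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
import org.springframework.util.LinkedMultiValueMap
import org.springframework.web.client.RestTemplate
// Validates a Bearer token by asking the separate Authorization Server instead of a local TokenStore. Assumes a
// hypothetical introspection endpoint taking a form-encoded 'token' and returning JSON such as
// {"active":true,"client_id":"app","user_name":"alice","scope":["read"],"aud":["api"],"exp":1700000000}
class RemoteIntrospectionTokenServices implements ResourceServerTokenServices {
    String introspectionUrl                 // injected from resources.groovy (see below)
    String resourceId                       // the 'aud' value a token must carry to be accepted here
    RestTemplate restTemplate = new RestTemplate()
    private Map introspect(String accessToken) {
        // The token travels in the POST body, so it never lands in URLs or access logs
        Map claims = restTemplate.postForObject(introspectionUrl, new LinkedMultiValueMap<String, String>([token: [accessToken]]), Map)
        if (!claims?.active) throw new InvalidTokenException('Token is not active')
        if (claims.exp && (claims.exp as Long) * 1000L < System.currentTimeMillis()) throw new InvalidTokenException('Token has expired')
        // A token minted for a different resource server must not be honoured here
        if (resourceId && !((claims.aud ?: []) as Collection).contains(resourceId)) throw new InvalidTokenException('Wrong audience')
        claims
    }
    OAuth2Authentication loadAuthentication(String accessToken) throws InvalidTokenException {
        Map claims = introspect(accessToken)
        def authorities = (claims.authorities ?: []).collect { new SimpleGrantedAuthority(it as String) }
        def request = new OAuth2Request([:], claims.client_id as String, authorities, true,
                                        (claims.scope ?: []) as Set, [resourceId] as Set, null, null, null)
        // Client-credentials tokens carry no user; user tokens get an already-authenticated principal
        def user = claims.user_name ? new UsernamePasswordAuthenticationToken(claims.user_name, 'N/A', authorities) : null
        new OAuth2Authentication(request, user)
    }
    OAuth2AccessToken readAccessToken(String accessToken) {
        Map claims = introspect(accessToken)
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessToken)
        token.scope = (claims.scope ?: []) as Set
        if (claims.exp) token.expiration = new Date((claims.exp as Long) * 1000L)
        token
    }
}

// grails-app/conf/spring/resources.groovy: replace the plugin's TokenStore-backed bean with the class above
beans = {
    resourceServerTokenServices(example.oauth.RemoteIntrospectionTokenServices) {
        introspectionUrl = 'https://auth.example.com/introspect'   // placeholder for your Authorization Server's URL
        resourceId = 'api'                                         // placeholder
    }
}
```

Because every request now costs a round trip to the Authorization Server, a short-lived cache keyed on the token value is the usual next step; it must honour the token's exp so a revoked-by-expiry token is not served from cache.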

Next you will need to disable access to the authorization and token endpoints. This can be accomplished by changing the access rule for the corresponding URLs. For example, when using static rules to secure your endpoints, you might have the following when the Authorization and Resource Servers are the same application:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/oauth/authorize',           access: "isFullyAuthenticated() and (request.getMethod().equals('GET') or request.getMethod().equals('POST'))"],
    [pattern: '/oauth/token',               access: "isFullyAuthenticated() and request.getMethod().equals('POST')"],
    [pattern: '/',                          access: 'permitAll'],
    [pattern: '/index',                     access: 'permitAll'],
    [pattern: '/index.gsp',                 access: 'permitAll'],
    [pattern: '/**/js/**',                  access: 'permitAll'],
    [pattern: '/**/css/**',                 access: 'permitAll'],
    [pattern: '/**/images/**',              access: 'permitAll'],
    [pattern: '/**/favicon.ico',            access: 'permitAll'],
    [pattern: '/assets/**',                 access: 'permitAll']
]

Splitting out the authorization parts will result in something like this:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',                          access: 'permitAll'],
    [pattern: '/index',                     access: 'permitAll'],
    [pattern: '/index.gsp',                 access: 'permitAll'],
    [pattern: '/**/js/**',                  access: 'permitAll'],
    [pattern: '/**/css/**',                 access: 'permitAll'],
    [pattern: '/**/images/**',              access: 'permitAll'],
    [pattern: '/**/favicon.ico',            access: 'permitAll'],
    [pattern: '/assets/**',                 access: 'permitAll']
]

Any request to the authorization or token endpoints will now be met with a 403 response. You should also remove any filter chain configuration in place for these endpoints. Our earlier filter chain would become something like the following:

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/securedOAuth2Resources/**', filters: 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter,-authenticationProcessingFilter,-basicAuthenticationFilter,-exceptionTranslationFilter'],
    [pattern: '/**',                        filters: 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-basicAuthenticationFilter,-oauth2ExceptionTranslationFilter']
]

Here, /** covers any Resource Server specific functionality.