8 Standalone Resource Server or Authorization Server - Reference Documentation
Version: 2.0-SNAPSHOT
8 Standalone Resource Server or Authorization Server
By default, the plugin is configured to assume the role of both the Authorization Server and the Resource Server as defined by RFC 6749. However, it is possible to configure an application to fulfill only one role.

The plugin registers an instance of the Spring OAuth provided OAuth2AuthenticationProcessingFilter under the bean name oauth2ProviderFilter. This filter is responsible for extracting the Bearer token from the Authorization header and confirming its authenticity.
8.1 Authorization Server
To create an application that is only an Authorization Server, it is as simple as configuring the authorization and token endpoints as shown in the Getting Started and Filter Chain Configuration sections and excluding the oauth2ProviderFilter.

So instead of the following filter chain:

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
        '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
        '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
    ]

use a filter chain similar to the following, which drops the protected resource entry and keeps only the token endpoint:

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter,-authenticationProcessingFilter,-exceptionTranslationFilter',
        '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-basicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
    ]

where /** is any Authorization Server specific functionality.
8.2 Resource Server
Creating an application that is only a Resource Server is slightly more involved. The plugin uses an implementation of the Spring provided ResourceServerTokenServices interface that uses the currently configured TokenStore to authenticate the presented Bearer token. If the Authorization Server and Resource Server are distinct applications, it is very likely that the Resource Server will need some other means to validate the provided Bearer token, and which means is appropriate depends on your use case. To do this, implement the aforementioned ResourceServerTokenServices interface and override the resourceServerTokenServices bean in your resources.groovy.

Next you will need to disable access to the authorization and token endpoints. This can be accomplished by changing the access rules for those URLs. For example, when using static rules to secure your endpoints, you might have the following when the Authorization and Resource Servers are the same application:

    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/oauth/authorize.dispatch': ["isFullyAuthenticated() and (request.getMethod().equals('GET') or request.getMethod().equals('POST'))"],
        '/oauth/token.dispatch': ["isFullyAuthenticated() and request.getMethod().equals('POST')"],
        '/': ['permitAll'],
        '/index': ['permitAll'],
        '/index.gsp': ['permitAll'],
        '/**/js/**': ['permitAll'],
        '/**/css/**': ['permitAll'],
        '/**/images/**': ['permitAll'],
        '/**/favicon.ico': ['permitAll']
    ]

For a standalone Resource Server, the rules for the two endpoints are removed:

    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/': ['permitAll'],
        '/index': ['permitAll'],
        '/index.gsp': ['permitAll'],
        '/**/js/**': ['permitAll'],
        '/**/css/**': ['permitAll'],
        '/**/images/**': ['permitAll'],
        '/**/favicon.ico': ['permitAll']
    ]

The filter chain likewise no longer needs an entry for the token endpoint:

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter,-authenticationProcessingFilter,-basicAuthenticationFilter,-exceptionTranslationFilter',
        '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-basicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
    ]

where /** is any Resource Server specific functionality.
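As an added example, not code from the plugin or its documentation, the following shows what a custom ResourceServerTokenServices for a standalone Resource Server can look like: it asks the Authorization Server whether the presented Bearer token is still active and rejects the token unless the answer is a positive one. The check endpoint, its URL, the JSON fields it returns (active, client_id, user_name, scope, authorities, exp), the credentials used to call it and the class name RemoteCheckTokenServices are all assumptions for illustration; as the section says, the validation mechanism you actually use depends on your deployment.

```groovy
// Added example, not plugin code. Hypothetical class, e.g. src/groovy/example/RemoteCheckTokenServices.groovy
package example
import groovy.json.JsonSlurper
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken
import org.springframework.security.oauth2.common.OAuth2AccessToken
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException
import org.springframework.security.oauth2.provider.OAuth2Authentication
import org.springframework.security.oauth2.provider.OAuth2Request
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices

class RemoteCheckTokenServices implements ResourceServerTokenServices {
    // Assumed contract (not defined by the plugin): the Authorization Server exposes a POST endpoint
    // that takes a 'token' form field and answers JSON with active, client_id, user_name, scope,
    // authorities and exp. The Resource Server authenticates to it with its own client credentials.
    String checkTokenUrl, resourceClientId, resourceClientSecret

    OAuth2Authentication loadAuthentication(String accessToken) {
        Map info = checkOrThrow(accessToken)
        def authorities = AuthorityUtils.createAuthorityList((info.authorities ?: []) as String[])
        // Rebuild the stored client request from what the Authorization Server reports.
        def request = new OAuth2Request([:], info.client_id as String, authorities, true,
                scopes(info), [] as Set, null, [] as Set, [:])
        // Client-credentials tokens carry no user; leave the user authentication null in that case.
        def user = info.user_name ?
                new UsernamePasswordAuthenticationToken(info.user_name, 'N/A', authorities) : null
        new OAuth2Authentication(request, user)
    }

    OAuth2AccessToken readAccessToken(String accessToken) {
        Map info = checkOrThrow(accessToken)
        def token = new DefaultOAuth2AccessToken(accessToken)
        token.scope = scopes(info)
        if (info.exp) token.expiration = new Date((info.exp as long) * 1000L)   // exp in epoch seconds
        token
    }

    private static Set<String> scopes(Map info) { (info.scope ?: '').tokenize(' ') as Set }

    // Fail closed: a transport error, a non-200 reply or active != true all reject the token.
    private Map checkOrThrow(String accessToken) {
        def conn = new URL(checkTokenUrl).openConnection() as HttpURLConnection
        conn.requestMethod = 'POST'; conn.doOutput = true
        String basic = (resourceClientId + ':' + resourceClientSecret).bytes.encodeBase64().toString()
        conn.setRequestProperty('Authorization', "Basic ${basic}")
        conn.setRequestProperty('Content-Type', 'application/x-www-form-urlencoded')
        conn.outputStream.withStream { it << "token=${URLEncoder.encode(accessToken, 'UTF-8')}" }
        Map info = conn.responseCode == 200 ? new JsonSlurper().parseText(conn.inputStream.text) as Map : null
        if (!info || info.active != true) throw new InvalidTokenException('Access token is not active')
        info
    }
}
```

To make the plugin use it, override the bean in resources.groovy with resourceServerTokenServices(example.RemoteCheckTokenServices) { checkTokenUrl = '...'; resourceClientId = '...'; resourceClientSecret = '...' }, which replaces the plugin's TokenStore-backed implementation.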