This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

@EnableOAuth2Resource and securing sub-set of resources #14

Closed
ryanjbaxter opened this issue Dec 2, 2014 · 8 comments
Closed
@ryanjbaxter (Contributor)

I have a pretty straightforward Spring Boot app with an API resource I would like to protect with OAuth2.

In my POM I have added the spring-cloud-starter-security dependency. I have a class annotated with @RestController and @EnableOAuth2Resource. In my application.properties I have added

oauth2.resource.userInfoUri=https://api.github.com/user
oauth2.resource.preferTokenInfo=false

When I start the app and hit the API endpoints, they do not appear to be protected: I am getting back 200s without supplying an access token in the request.

Am I missing another part of the configuration?

@ryanjbaxter (Contributor, Author)

I moved to the M3 release and now am seeing a different behavior.

Just including the spring-cloud-starter-security dependency seems to secure all endpoints. Not what I expected; I expected to have to enable security on given API endpoints by adding @EnableOAuth2Resource. In fact this is a problem for me, since the level of security I need is very granular: I want to secure based on the HTTP method made to a given endpoint. For example, a GET request to an endpoint can be accessed anonymously, while POST, PUT, and DELETE to the same endpoint would require you to authenticate. I was expecting to have to separate the GET endpoint out into its own class annotated with @RestController but not having @EnableOAuth2Resource. However, this won't work because, as I said above, adding spring-cloud-starter-security seems to enable security on all endpoints.

Should I extend OAuth2SsoConfigurerAdapter or does that not work with OAuth2 resources?

@dsyer (Contributor)

dsyer commented Dec 3, 2014

@EnableOAuth2Resource is meta-annotated with @EnableResourceServer so it follows all the same rules. I added an example to the docs: https://github.com/spring-cloud/spring-cloud-security/blob/master/src/main/asciidoc/spring-cloud-security.adoc#resource-server.

@dsyer dsyer closed this as completed Dec 3, 2014
@dsyer dsyer added the question label Dec 3, 2014
@dsyer dsyer changed the title @EnableOAuth2Resource Not Working With @RestController @EnableOAuth2Resource and securing sub-set of resources Dec 3, 2014
@ryanjbaxter (Contributor, Author)

Thanks Dave, I figured it was something like that. I will give it a shot.

@ryanjbaxter (Contributor, Author)

Thanks Dave, this worked. I also had to extend WebSecurityConfigurerAdapter to make sure anonymous requests did not require basic authentication.

I now feel like I am duplicating the RequestMatchers from my Zuul proxy though. I guess I can share code between the two projects, and as long as they are using the same paths then they should work for both the Resource and the proxy.

In general though, the security configuration seems hard to do and pretty complicated for someone not too familiar with Spring Security like me.
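The per-method split discussed above (anonymous GET, authenticated POST/PUT/DELETE on the same endpoint), written out as an added example; this is not code from the thread or from Spring Cloud Security. It assumes Spring Boot 1.x with spring-cloud-starter-security, that the API lives under the constructed path /api/**, and that the annotation is org.springframework.cloud.security.oauth2.resource.EnableOAuth2Resource.

```java
import org.springframework.cloud.security.oauth2.resource.EnableOAuth2Resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Resource-server rules for the API subset only. @EnableOAuth2Resource is
// meta-annotated with @EnableResourceServer, so a ResourceServerConfigurerAdapter
// is the hook for deciding which requests this filter chain covers and what
// each one needs. Paths below are constructed for the example.
@Configuration
@EnableOAuth2Resource
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Scope this (OAuth2-backed) chain to the API; other URLs fall
            // through to the next filter chain instead of being challenged here.
            .requestMatchers().antMatchers("/api/**")
            .and()
            .authorizeRequests()
                // Reads are anonymous: no bearer token required for GET.
                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                // Every other method under /api (POST, PUT, DELETE, ...)
                // must present a valid access token.
                .anyRequest().authenticated();
    }
}

// Everything outside /api is public, so anonymous callers are not met with
// a basic-auth challenge (the follow-up the thread mentions having to add).
// Assumption: the app has no other protected, non-API pages.
@Configuration
class NonApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }
}
```

Note that permitAll only waives the authorization rule: a GET that does carry a malformed or revoked bearer token is still validated by the resource-server filter and rejected, which is the behaviour you want for spotting clients that send bad credentials.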

@dsyer (Contributor)

dsyer commented Dec 3, 2014

Thanks for the feedback. So you think @EnableZuulProxy and @EnableOAuth2Resource together should trigger some auto-configuration of the security routes?

@ryanjbaxter (Contributor, Author)

Yes, that would be ideal. I think if the Zuul proxy somehow knew about the security routes from the resource it is proxying to, that would be ideal. That way the configuration stays with the resource, and if the resource is accessed without using the proxy the security routes are still in place.

@dsyer (Contributor)

dsyer commented Dec 3, 2014

Maybe you could open a new issue?

@ryanjbaxter (Contributor, Author)

Done: #15

dsyer pushed a commit that referenced this issue on Mar 24, 2017: "Update for changes in github pages"