Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
715 views
in Technique by (71.8m points)

java - Do I need resource server with Spring Security OAuth2?

I am trying to implement OAuth2 authentication with JWT tokens. If I understand correctly, I need to send credentials to the authorization server, which verifies my credentials and returns a signed JWT token. Next I tried to implement WebSecurityConfig, which extends WebSecurityConfigurerAdapter, and there I have to set which endpoints are secured and which aren't.

But my question is: do I need a resource server? Does it do the same job as my potential WebSecurityConfig, or not?

My goal is to create simple JWT authentication for my website.


1 Reply

0 votes
by (71.8m points)

Yes, you will want to configure the resources protected by your JWTs by extending ResourceServerConfigurerAdapter. A basic implementation might look like this:

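import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Every request must carry a valid access token.
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            // No HTTP session: each request is authenticated from its token alone.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

}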

This means you should have no need to extend WebSecurityConfigurerAdapter because the above configuration configures the same HttpSecurity object that you would be configuring in WebSecurityConfigurerAdapter. The public void configure(HttpSecurity http) works on the same thing in both classes.

The reason we want to choose ResourceServerConfigurerAdapter over WebSecurityConfigurerAdapter is because it's part of the spring-security-oauth2 module that you are using, and will be used behind the scenes by the framework.

You will of course need to make sure that you are using the same signing key for both your authorization and resource servers. If you are defining your security config beans in the same application, the resource server will automatically use the same beans; if not, then you will need to duplicate whatever JWT-related config you have on your authorization server.

