관심있는것들

@Service public class ProductService { /** * @PreAuthorize -> the authorization rules are validated before calling the protected method * @PostAuthorize -> the method is called, and only then the aspect validates the authorization rules. * * @PreFilter -> the method needs to have the parameter of type Collection or array * -> the aspects intercepts the method call and validated the values inside..

401 -> authentication issue 403 -> forbidden , authorization issue @Configuration public class ResourceServerConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.oauth2ResourceServer( c -> c.jwt( j -> j.decoder(decoder()) .jwtAuthenticationConverter(converter()) ) ); http.authorizeRequests() .mvcMatchers("/demo/**").hasAuthor..

authorities and roles are logical terms. authority = actions role = badges both of them are based on GrantedAuthority interface var u1 = User.withUsername("john") .password("12345") .authorities("ROLE_ADMIN") // -> a role ADMIN .build(); var u2 = User.withUsername("bill") .password("12345") .roles("MANAGER") // -> authority ROLE_MANAGER .build(); if we use roles() method it automatically add ROL..

@Configuration public class ProjectConfig extends WebSecurityConfigurerAdapter { @Bean public UserDetailsService userDetailsService() { var uds = new InMemoryUserDetailsManager(); var u1 = User.withUsername("bill") .password("12345") .authorities("ROLE_manager") // GrantedAuthority .build(); var u2 = User.withUsername("john") .password("12345") .authorities("ROLE_admin") .build(); uds.createUser..

notice implicit type is off by default direct access grants means == password grant type after setting up user and client we can token with keycloak's token endpoint uri we have key id , because Authentication server may have mutiple client with mutiple key pair we added aud : example user_name : john authorities : user i am getting the following error when i try to access to resoruce server wit..

created public key accessible from resource server by giving endpoint url with client's credenital set up in Authorization no access token get access token by using user's credential and client's credential now we can access resource server with access token (JWT) security.oauth2.resource.jwt.key-uri=http://localhost:8080/oauth/token_key security.oauth2.client.client-id=rs security.oauth2.client..

in the authorization server since it is authroization_code grant type we need to specify redirect url in ClientDetails public class SecurityClient implements ClientDetails { private final Client client; public SecurityClient(Client client) { this.client = client; } @Override public String getClientId() { return client.getClientId(); } @Override public boolean isSecretRequired() { return true; } ..

just like userDetailService exist for loading User credential Client has ClientDetailService for loading Client crediential to validate user we have user detailService for client authentication notice we are using tokenstore with covnerter -> we are storing access token made of JWT if we don't specifiy tokenStore , just like previous lecture spring security will use default opaque token notice w..

instead of actually going to Authentication Server to validate access token resource server just ask database if this access token is there and check if it is same but sharing database with other service is anti architecture pattern -> not recommended preferred option is for authorization server to persist tokens and resource server to use introspection to authenticate token @Bean public TokenSt..

2 server will be made authencitation server and resource server first withClient is real app client and second withClient is for resource server(faking it , for "isauthenticated()" ) first get access token from authentication server checking access token maunally -> we don't need to do this because resource server has configured this by writing this on application.properties server.port=9090 sec..