We need to set up the Todo API application to act as a resource server.
We use the @EnableResourceServer annotation to turn the application into a resource server:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
We extend ResourceServerConfigurerAdapter so that we can configure access rules for the endpoints the resource server protects:
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous().disable()                                   // no anonymous access: a bearer token is required
        .authorizeRequests()
            .antMatchers("/users/**").access("hasRole('USER')")  // /users/** requires the USER role
        .and().exceptionHandling()
            .accessDeniedHandler(new OAuth2AccessDeniedHandler()); // OAuth2-formatted error body on 403
}
In the preceding code, we configure that every request to a URI matching the /users/** pattern must come from a caller holding the USER role. We also register the OAuth2 access-denied handler, so that a denied request is answered with an OAuth2-style error response rather than the default one.
Next, we need to configure a resource ID and declare the server stateless, since the REST API keeps no session state:
// Identifier this server expects to find in each access token's audience.
private static final String RESOURCE_ID = "resource_id";

@Override
public void configure(ResourceServerSecurityConfigurer resources) {
    // stateless(true): accept bearer tokens only, never fall back to an HTTP session
    resources.resourceId(RESOURCE_ID).stateless(true);
}
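As an added example (not the book's own code), the following class assembles the fragments above into one complete resource-server configuration and adds two things a deployed resource server needs: a deny-by-default rule for every URI not covered by a matcher, and a RemoteTokenServices bean that validates incoming bearer tokens against the authorization server's /oauth/check_token endpoint. The endpoint URL, client ID and client secret are assumed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Must be present in the token's audience ("aud"); tokens issued for a
    // different resource are rejected with an invalid_token error.
    private static final String RESOURCE_ID = "resource_id";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID)
                 .tokenServices(tokenServices())
                 .stateless(true);   // bearer token only, no HTTP session fallback
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable()
            .authorizeRequests()
                .antMatchers("/users/**").access("hasRole('USER')")
                .anyRequest().authenticated()   // deny-by-default for unmatched URIs
            .and().exceptionHandling()
                .accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

    // Assumed: the authorization server exposes /oauth/check_token and this
    // resource server is registered there under the placeholder credentials below.
    @Bean
    public RemoteTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("https://auth-server.example/oauth/check_token");
        services.setClientId("todo-resource-server");
        services.setClientSecret("<placeholder-secret>");
        return services;
    }
}
```

With this in place a request without a token is answered 401, a valid token lacking the USER role is answered 403 via OAuth2AccessDeniedHandler, and a token whose audience does not include resource_id is rejected before any authorization rule is evaluated.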