Thread: Separate Resource Server and Authorization Server

  1. #1

    Separate Resource Server and Authorization Server

    In my team's project we are separating out the Resource Server and the Authorization Server. I am shooting from the hip on this one using the user guide, the GitHub source, and some trial and error. I am wondering what the purpose of the "authentication manager" configuration is in the resource-server config. My config currently has a copy-pasted authentication manager at the moment, but I don't see how it is ever going to be used.
    Code:
    <oauth:resource-server id="resourceServerFilter"
    		resource-id="class" token-services-ref="resourceServerTokenService" />
    
    	<bean id="resourceServerTokenService" class="gov.noaa.cls.m2m.auth.ClassResourceServerTokenServices" />
    
    	<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    		<authentication-provider>
    			<user-service>
    				<user name="marissa" password="koala" authorities="ROLE_USER" />
    				<user name="paul" password="emu" authorities="ROLE_USER" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    
    	<!-- The OAuth2 protected resources are separated out into their own block 
    		so we can deal with authorization and error handling separately. This isn't 
    		mandatory, but it makes it easier to control the behaviour. -->
    	<http pattern="/**" entry-point-ref="oauthAuthenticationEntryPoint"
    		access-decision-manager-ref="accessDecisionManager"
    		xmlns="http://www.springframework.org/schema/security">
    		<intercept-url pattern="/" access="ROLE_ANONYMOUS" />
    		<intercept-url pattern="/**" access="ROLE_USER,SCOPE_READ" />
    		<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	</http>
    
    	<bean id="oauthAuthenticationEntryPoint"
    		class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
    		<property name="realmName" value="class" />
    	</bean>
    
    	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    	<bean id="oauthAccessDeniedHandler"
    		class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAccessDeniedHandler" />
    
    	<mvc:annotation-driven />
    
    	<mvc:default-servlet-handler />
    
    	<sec:global-method-security
    		pre-post-annotations="enabled" proxy-target-class="true">
    		<sec:expression-handler ref="oauthExpressionHandler" />
    	</sec:global-method-security>

  2. #2

    The authentication-manager isn't needed in a pure ResourceServer (at least the way it is implemented right now - but I have been thinking about maybe making changes). It's just a "feature" of the Spring Security XML namespace that an authentication manager is mandatory - you can install an empty one because it isn't used at run time.
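
The configuration from post #1 with the empty authentication manager described in post #2, as an added example that is not part of the original thread or of the project's own code. It assumes the `oauth` prefix is declared on the enclosing `<beans>` element, that the Spring Security schema version in use accepts an `<authentication-manager>` with no providers, and that the other beans from post #1 (entry point, access decision manager, access-denied handler) stay unchanged.

```xml
<!-- Added example: pure resource server, no local user store. -->
<oauth:resource-server id="resourceServerFilter"
	resource-id="class" token-services-ref="resourceServerTokenService" />

<bean id="resourceServerTokenService" class="gov.noaa.cls.m2m.auth.ClassResourceServerTokenServices" />

<!-- The XML namespace requires an authentication manager to exist, but the
	resource server never calls it at run time. Declaring it with no providers
	satisfies the namespace and removes the copy-pasted user-service, so the
	resource server's config no longer carries sample usernames and plaintext
	passwords. -->
<authentication-manager alias="authenticationManager"
	xmlns="http://www.springframework.org/schema/security" />

<!-- Requests are authenticated by resourceServerFilter through the token
	services bean referenced above; authorization is decided by the voters in
	accessDecisionManager (ScopeVoter, RoleVoter, AuthenticatedVoter). -->
<http pattern="/**" entry-point-ref="oauthAuthenticationEntryPoint"
	access-decision-manager-ref="accessDecisionManager"
	xmlns="http://www.springframework.org/schema/security">
	<intercept-url pattern="/" access="ROLE_ANONYMOUS" />
	<intercept-url pattern="/**" access="ROLE_USER,SCOPE_READ" />
	<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
	<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
```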

  3. #3
    Example?

    Is there an example anywhere of having these 2 servers in at least separate servlets? (Or separate servers.) I am having difficulty trying to set that up. Thanks!

  4. #4

    See here: https://github.com/cloudfoundry/uaa/...ng-servlet.xml. It's pretty straightforward, if annoying.

  5. #5

    Thank you; that will help a lot!

  6. #6

    Is this the corresponding standalone authorization server? https://github.com/cloudfoundry/uaa/...ng-servlet.xml
