Page 1 of 2
Results 1 to 10 of 17

Thread: Separate Resource Server and Authorization Server

  1. #1

    Separate Resource Server and Authorization Server

    In my team's project we are separating out the Resource Server and the Authorization Server. I am shooting from the hip on this one using the user guide, the GitHub source, and some trial and error. I am wondering what the purpose of the "authentication manager" configuration is in the resource-server config. My config currently has a copy-pasted authentication manager at the moment, but I don't see how it is ever going to be used.
    Code:
    <!-- Resource-server filter: validates the bearer token on each request via the
         token services bean, not via the authentication-manager below. -->
    <oauth:resource-server id="resourceServerFilter"
        resource-id="class" token-services-ref="resourceServerTokenService" />

    <bean id="resourceServerTokenService" class="gov.noaa.cls.m2m.auth.ClassResourceServerTokenServices" />

    <!-- Required by the Spring Security XML namespace; not consulted at run time by a
         pure resource server (see reply #2). Copied from the sparklr sample. -->
    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider>
            <user-service>
                <user name="marissa" password="koala" authorities="ROLE_USER" />
                <user name="paul" password="emu" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!-- The OAuth2 protected resources are separated out into their own block
         so we can deal with authorization and error handling separately. This isn't
         mandatory, but it makes it easier to control the behaviour. -->
    <http pattern="/**" entry-point-ref="oauthAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager"
        xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/" access="ROLE_ANONYMOUS" />
        <intercept-url pattern="/**" access="ROLE_USER,SCOPE_READ" />
        <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
        <property name="realmName" value="class" />
    </bean>

    <!-- UnanimousBased: no voter may deny. ScopeVoter handles SCOPE_* attributes,
         RoleVoter handles ROLE_*; each abstains on attributes it does not recognise. -->
    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAccessDeniedHandler" />

    <mvc:annotation-driven />

    <mvc:default-servlet-handler />

    <!-- oauthExpressionHandler is referenced here but not shown in this excerpt. -->
    <sec:global-method-security
        pre-post-annotations="enabled" proxy-target-class="true">
        <sec:expression-handler ref="oauthExpressionHandler" />
    </sec:global-method-security>

  2. #2
    Join Date
    Jun 2005
    Posts
    4,231


    The authentication-manager isn't needed in a pure ResourceServer (at least the way it is implemented right now - but I have been thinking about maybe making changes). It's just a "feature" of the Spring Security XML namespace that an authentication manager is mandatory - you can install an empty one because it isn't used at run time.

  3. #3
    Join Date
    Mar 2012
    Posts
    2

    Example?

    Is there an example anywhere of having these 2 servers in at least separate servlets? (Or separate servers.) I am having difficulty trying to set that up. Thanks!

  4. #4
    Join Date
    Jun 2005
    Posts
    4,231


    See here: https://github.com/cloudfoundry/uaa/...ng-servlet.xml. It's pretty straightforward, if annoying.

  5. #5
    Join Date
    Mar 2012
    Posts
    2


    Thank you; that will help a lot!

  6. #6
    Join Date
    Jul 2012
    Posts
    22


    Is this the corresponding stand alone authorization server? https://github.com/cloudfoundry/uaa/...ng-servlet.xml

  7. #7
    Join Date
    Jun 2005
    Posts
    4,231


    Not quite vanilla (although it is an authorization server). The vanilla auth server is https://github.com/cloudfoundry/uaa/...ng-servlet.xml.

  8. #8
    Join Date
    Jul 2012
    Posts
    22


    Quote Originally Posted by Dave Syer
    Not quite vanilla (although it is an authorization server). The vanilla auth server is https://github.com/cloudfoundry/uaa/...ng-servlet.xml.
    Great, thanks for the quick reply.

  9. #9
    Join Date
    Jul 2012
    Posts
    22


    Another question... if I split the authorization and resource server for sparklr2 and run them in different app servers, do I need to use a different token store implementation besides InMemoryTokenStore, so that resource and authorization server have access to the same tokens?

  10. #10
    Join Date
    Jun 2005
    Posts
    4,231


    Correct. Either the tokens have to be decodable locally by the resource server or it has to share storage with the auth server.
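An added example, not code from this thread or from the Spring projects, showing the two options in reply #10 as spring-security-oauth2 2.x Java config (which postdates the thread): a JdbcTokenStore shared with the authorization server for opaque tokens, or a JwtTokenStore that verifies tokens locally. The class name, the autowired DataSource, and the key value are assumptions.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class SeparateResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Toggle between the two strategies described in the thread.
    private static final boolean USE_SHARED_STORE = false;

    @Autowired
    private DataSource dataSource; // assumption: the database the authorization server stores its tokens in

    // Option 1: opaque tokens + shared storage. Both servers point JdbcTokenStore at the same
    // oauth_access_token / oauth_refresh_token tables. One InMemoryTokenStore per JVM cannot work,
    // because the resource server would look up tokens the authorization server stored elsewhere.
    private TokenStore sharedJdbcStore() {
        return new JdbcTokenStore(dataSource);
    }

    // Option 2: self-contained tokens decodable locally. The resource server checks the signature
    // itself and never calls back to the authorization server. With an HMAC key both servers share
    // the secret; with an RSA pair use setVerifierKey(publicKeyPem) here and keep the private key
    // on the authorization server only. Placeholder value: load the real key from protected config.
    private TokenStore localJwtStore() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("PLACEHOLDER-shared-hmac-secret");
        return new JwtTokenStore(converter);
    }

    @Bean
    public TokenStore tokenStore() {
        return USE_SHARED_STORE ? sharedJdbcStore() : localJwtStore();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Same value as resource-id="class" in the XML config posted in #1.
        resources.resourceId("class").tokenStore(tokenStore());
    }
}
```

Whichever option is chosen, the authorization server must be configured with the matching store (the same DataSource, or a JwtAccessTokenConverter holding the signing key) or the resource server will reject every token.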
