Securing Server side.

Guidelines

Now that the client side is protected, Its time to protect the server side.

In this case the server side need not generate a token, but all it has to do is validate the token that has been sent by the client side.

To Validate the token, we need to contact the UAA instance

How To ?

• Checkout this commit to get an idea on what was done.
• Changes in application.yml. Use the todolist-server client id created here

  security:
    oauth2:
        client:
            client-id: todolist-server
            client-secret: todo_server_secret
        resource:
            id: service
            userInfoUri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/userinfo
            token-info-uri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/check_token
  

• Since Spring Data Rest project could not protect the PUT Operation (Which meant another user could possibly update another user's resource. I ended up writing the whole Controller -> Service -> Repository Layer. Please check this commit for details

Check this Pull Request For this Feature.

References

• Spring Boot Security Docs
• YAML Configuration in Spring
• Spring Hateoas Documentation
• Richardson Maturity Model
• Spring Hateoas Sample