Securing the Server Side
Guidelines
Now that the client side is protected, it's time to protect the server side.
The server side does not need to issue tokens; all it has to do is validate the token the client sends with each request.
To validate a token, the server contacts the UAA instance, which confirms that the token was issued by UAA and has not expired, and reports which user and scopes it belongs to.
How To?
- Check out this commit to get an idea of what was done.
- Changes in application.yml. Use the `todolist-server` client id created here. The server authenticates to UAA with this client id and secret when it asks the `/check_token` endpoint whether a user's token is valid (and when it fetches the user's details from `/userinfo`):

  ```yaml
  security:
    oauth2:
      client:
        client-id: todolist-server
        client-secret: todo_server_secret
      resource:
        id: service
        userInfoUri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/userinfo
        token-info-uri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/check_token
  ```

  Replace `<UAA_INSTANCE_ID>` with the id of your own UAA instance. Two things to keep in mind: `resource.id` is compared against the `aud` claim of the incoming token, so a token whose audience does not include `service` is rejected; and the client secret should not be committed in plain text, since Spring Boot will take it from the environment variable `SECURITY_OAUTH2_CLIENT_CLIENT_SECRET` in preference to the value in the file.
- Since the Spring Data REST project could not protect the PUT operation (which meant one user could update another user's resource), I ended up writing the whole Controller -> Service -> Repository layer myself. Please check this commit for details.
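The owner check that motivated the hand-written layers, as an added example (illustrative code written for this page, not the project's own commit). It assumes Spring Boot with Spring Data JPA and the `security.oauth2.resource` settings above, a `Todo` entity whose `owner` column holds the UAA `user_name` of the creator, and a `/todos/{id}` path; every class, field and package name here is assumed, not taken from the project.

```java
package com.example.todolist; // package name assumed for this example

import java.util.Optional;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Assumed entity. Public fields keep the example short and let Jackson and JPA
// read them directly; in the project these would be private with accessors.
@Entity
public class Todo {
    @Id @GeneratedValue public Long id;
    public String owner;   // UAA user_name of the creator; set by the server, never by the client
    public String title;
    public boolean done;
}

public interface TodoRepository extends JpaRepository<Todo, Long> {
    // Derived query: the lookup itself is scoped to the caller, so a todo that
    // belongs to someone else is simply not found.
    Optional<Todo> findByIdAndOwner(Long id, String owner);
}

@ResponseStatus(HttpStatus.NOT_FOUND)
public class TodoNotFoundException extends RuntimeException {}

@Service
public class TodoService {
    private final TodoRepository repo;

    public TodoService(TodoRepository repo) { this.repo = repo; }

    /**
     * Applies a PUT only to a todo the caller owns. Answering 404 for both
     * "no such id" and "not yours" keeps other users' ids from being enumerated.
     * Only title and done are copied from the request body; id and owner are
     * never taken from it, so a client cannot hand its todo to another user.
     */
    public Todo update(long id, Todo changes, String caller) {
        Todo existing = repo.findByIdAndOwner(id, caller)
                            .orElseThrow(TodoNotFoundException::new);
        existing.title = changes.title;
        existing.done = changes.done;
        return repo.save(existing);
    }
}

@RestController
@RequestMapping("/todos")
public class TodoController {
    private final TodoService service;

    public TodoController(TodoService service) { this.service = service; }

    // Spring Security builds the Authentication from UAA's /check_token response
    // before this method runs; getName() is the user_name claim, which is what
    // the owner column stores.
    @PutMapping("/{id}")
    public Todo put(@PathVariable long id, @RequestBody Todo body, Authentication auth) {
        return service.update(id, body, auth.getName());
    }
}
```

The classes are shown in one block; in the project each public class goes in its own source file. The example assumes the application is configured as a resource server (`@EnableResourceServer` together with the `security.oauth2.resource` settings), so that any request reaching the controller already carries a token UAA has validated. Spring Data REST's generated PUT has no hook for this kind of check, which is why the ownership test lives in the service layer here, where every write path has to pass through it.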
Check this pull request for this feature.