Securing the Server Side

Guidelines

Now that the client side is protected, it's time to protect the server side.

In this case the server side does not need to generate a token; all it has to do is validate the token that the client side sends with each request.

To validate the token, the server contacts the UAA instance: it calls UAA's check_token endpoint (the token-info-uri below), authenticating as its own OAuth2 client, and only accepts the request if UAA confirms the token is active.

How To?

  • Check out this commit to get an idea of what was done.
  • Changes in application.yml. Use the todolist-server client ID created here. The client secret is shown inline only for illustration; in a real deployment keep it out of version control (for example, supply it through an environment variable that Spring Boot resolves into this property).
    security:
      oauth2:
          client:
              client-id: todolist-server
              client-secret: todo_server_secret
          resource:
              id: service
              userInfoUri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/userinfo
              token-info-uri: https://<UAA_INSTANCE_ID>.predix-uaa.run.aws-usw02-pr.ice.predix.io/check_token
    
  • Spring Data REST could not protect the PUT operation on its own, which meant one user could update another user's resource (a request only needed a valid token, not ownership of the target record). I therefore ended up writing the whole Controller -> Service -> Repository layer, so that the ownership check happens in the service before the repository is touched. Please check this commit for details.
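The following is an added example, not the project's own code, of the Controller -> Service -> Repository layering described above, written for Spring Boot 1.x with spring-security-oauth2 (the stack the application.yml above configures). The Todo entity, its `owner` field, `TodoRepository`, the `/todos` path and `TodoNotFoundException` are assumed names. It shows the point the bullet makes: the PUT handler takes the caller's identity from the validated token (`Authentication.getName()`, which Spring fills from the `user_name` that check_token returns), and the repository query is scoped to that owner, so a valid token for user A cannot update user B's todo.

```java
// Added example (not the project's code). Assumed names: the Todo entity, its
// `owner` field holding the UAA user name, TodoRepository, and the /todos path.
package com.example.todolist;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/** Every request must carry a bearer token that UAA's check_token accepts (see application.yml). */
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}

@Entity
class Todo {
    @Id @GeneratedValue private Long id;
    private String title;
    private String owner; // UAA user name of the creator (assumed field)

    public Long getId() { return id; }
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
}

/** Repository layer: the lookup is scoped by owner, so someone else's id simply finds nothing. */
interface TodoRepository extends JpaRepository<Todo, Long> {
    Todo findByIdAndOwner(Long id, String owner);
}

@ResponseStatus(HttpStatus.NOT_FOUND)
class TodoNotFoundException extends RuntimeException {}

/** Service layer: the ownership check lives here, before any write reaches the repository. */
@Service
class TodoService {
    private final TodoRepository repository;
    TodoService(TodoRepository repository) { this.repository = repository; }

    Todo update(Long id, String newTitle, String caller) {
        Todo existing = repository.findByIdAndOwner(id, caller);
        if (existing == null) {
            // Same 404 whether the todo is missing or belongs to another user,
            // so a caller cannot probe which ids exist.
            throw new TodoNotFoundException();
        }
        existing.setTitle(newTitle);
        return repository.save(existing);
    }
}

class TodoUpdateRequest {
    private String title;
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
}

/** Controller layer: the caller's identity comes from the validated token, never from the request body. */
@RestController
@RequestMapping("/todos")
class TodoController {
    private final TodoService service;
    TodoController(TodoService service) { this.service = service; }

    @PutMapping("/{id}")
    public Todo update(@PathVariable Long id, @RequestBody TodoUpdateRequest body, Authentication auth) {
        // auth.getName() is the user_name UAA returned from check_token for this bearer token
        return service.update(id, body.getTitle(), auth.getName());
    }
}
```

The important design choice is that the owner is never read from the request: the client cannot pass an `owner` field to claim someone else's record, because the service only ever queries with the name Spring derived from the token UAA validated.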

Check this pull request for this feature.

References