[mitreid-connect] protecting authorize endpoint

Zhanna Tsitkov tsitkova at mit.edu
Thu Aug 20 10:04:40 EDT 2015


In this block access intercept is set to permitAll: <security:intercept-url pattern="/**" access="permitAll" />
What mechanism is used to protect this EP?

Thanks,
Zhanna

On Aug 20, 2015, at 9:47 AM, Justin Richer <jricher at MIT.EDU> wrote:

As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main <security:http> block in user-context.xml.

 — Justin

On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <tsitkova at mit.edu> wrote:

Hi,
According to the documentation for the configure method of the AuthorizationServerConfigurer interface:
"
        * The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
        * secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
        * requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
        * basic server up and running.
"
In MitreID Connect it looks like this EP is not explicitly protected. How is it done?
Thanks,
Zhanna