[mitreid-connect] protecting authorize endpoint
Justin Richer
jricher at mit.edu
Thu Aug 20 10:14:56 EDT 2015
The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
— Justin
> On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov <tsitkova at mit.edu> wrote:
>
> In this block access intercept is set to permitAll:
> <security:intercept-url pattern="/**" access="permitAll" />
> What mechanism is used to protect this EP?
>
> Thanks,
> Zhanna
>
> On Aug 20, 2015, at 9:47 AM, Justin Richer <jricher at MIT.EDU> wrote:
>
>> As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main <security:http> block in user-context.xml.
>>
>> — Justin
>>
>>> On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <tsitkova at mit.edu> wrote:
>>>
>>> Hi,
>>> According to the documentation for the configure method of the
>>> AuthorizationServerConfigurer interface:
>>> "
>>> * The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
>>> * secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
>>> * requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
>>> * basic server up and running.
>>> "
>>> In MitreID Connect it looks like this EP is not explicitly protected. How is it done?
>>> Thanks,
>>> Zhanna