[mitreid-connect] protecting authorize endpoint

Justin Richer jricher at mit.edu
Thu Aug 20 16:48:38 EDT 2015


I suggest reading the documentation for Spring Security and Spring Security OAuth.

 — Justin

> On Aug 20, 2015, at 10:21 AM, Zhanna Tsitkov <tsitkova at mit.edu> wrote:
> 
> ok. Sounds good. Can you please point to a particular place where this is implemented. 
> 
> Thanks,
> Zhanna
> 
> On Aug 20, 2015, at 10:14 AM, Justin Richer <jricher at mit.edu <mailto:jricher at mit.edu>> wrote:
> 
>> The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
>> 
>>  — Justin
>> 
>>> On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov <tsitkova at mit.edu <mailto:tsitkova at mit.edu>> wrote:
>>> 
>>> In this block access intercept is set to permitAll:
>>> <security:intercept-url pattern="/**" access="permitAll" />
>>> What mechanism is used to protect this EP?  
>>> 
>>> Thanks,
>>> Zhanna
>>> 
>>> On Aug 20, 2015, at 9:47 AM, Justin Richer <jricher at MIT.EDU <mailto:jricher at MIT.EDU>> wrote:
>>> 
>>>> As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main <security:http> block in user-context.xml. 
>>>> 
>>>>  — Justin
>>>> 
>>>>> On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <tsitkova at mit.edu <mailto:tsitkova at mit.edu>> wrote:
>>>>> 
>>>>> Hi,
>>>>> According to the documentation for the configure method of the
>>>>> AuthorizationServerConfigurer interface:
>>>>> "
>>>>> * The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
>>>>> * secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
>>>>> * requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
>>>>> * basic server up and running.
>>>>> "
>>>>> In MITREid Connect it looks like this EP is not explicitly protected. How is it done?
>>>>> Thanks,
>>>>> Zhanna
>>>>> _______________________________________________
>>>>> mitreid-connect mailing list
>>>>> mitreid-connect at mit.edu <mailto:mitreid-connect at mit.edu>
>>>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect <http://mailman.mit.edu/mailman/listinfo/mitreid-connect>
>>>> 
>>> 
>> 
> 
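The point Justin makes above (the authorization endpoint is secured by the main `<security:http>` block rather than by an explicit OAuth rule, and the `permitAll` catch-all does not make it open) is easiest to see in a configuration fragment. The block below is an added illustration written for this thread; it is not copied from MITREid Connect's user-context.xml, and the `/authorize` path, the bean name `authenticationManager` and the `/login` page are assumptions chosen for the example.

```xml
<!-- Added example, not the project's own user-context.xml.
     Assumed: the authorization endpoint is mapped at /authorize,
     the login page at /login, and an AuthenticationManager bean
     named "authenticationManager" exists. -->
<security:http auto-config="false" use-expressions="true"
               authentication-manager-ref="authenticationManager">

    <!-- intercept-url rules are evaluated top to bottom and the first
         match wins. The specific rule for the authorization endpoint
         must therefore come BEFORE the catch-all; if the order were
         reversed, pattern="/**" access="permitAll" would match first
         and the endpoint would be reachable without a login. -->
    <security:intercept-url pattern="/authorize"    access="hasRole('ROLE_USER')" />
    <security:intercept-url pattern="/authorize/**" access="hasRole('ROLE_USER')" />

    <!-- Everything else in this filter chain (login page, static
         resources, public pages) is open. The token endpoint is not
         covered here: it sits in its own chain and is protected by
         client authentication, not by a user session. -->
    <security:intercept-url pattern="/**" access="permitAll" />

    <!-- An unauthenticated request to /authorize is redirected to the
         login page; after a successful login the original request is
         replayed, which is what ends up showing the consent page. -->
    <security:form-login login-page="/login"
                         authentication-failure-url="/login?error=failure" />
    <security:logout logout-url="/logout" />
</security:http>
```

A quick check that the rule ordering is right: an unauthenticated `GET /authorize?client_id=...&response_type=code&redirect_uri=...` should answer with a 302 to `/login`, never with the consent page or an authorization code. If it returns 200, the `/**` rule is matching first (or the endpoint lives in a different `<security:http>` chain than the one edited) and the ordering needs to be fixed.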
