Because this application is the resource server, we enable global method security so that each method exposing an API can be secured with annotations, as shown in the following code snippet:
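import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize / @PostAuthorize
public class SpringSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // Makes the #oauth2 variable available inside security expressions
        return new OAuth2MethodSecurityExpressionHandler();
    }
}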
Here, we are using OAuth2MethodSecurityExpressionHandler as the method security expression handler so that we can use OAuth2 scope expressions in annotations, as follows:
@PreAuthorize("#oauth2.hasScope('movie') and #oauth2.hasScope('read')")
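How this annotation sits on resource-server endpoints, as an added example that is not code from the original text. The MovieController class, the /movies path, the sample titles and the 'write' scope are assumptions made for illustration.

```java
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller; relies on the SpringSecurityConfig shown above
// so that the #oauth2 variable resolves inside @PreAuthorize.
@RestController
@RequestMapping("/movies")
public class MovieController {

    // Constructed sample data.
    private final List<String> titles =
            new CopyOnWriteArrayList<>(List.of("Sample Movie A", "Sample Movie B"));

    // The access token must carry BOTH scopes; a token with only 'movie'
    // or only 'read' is rejected before the method body runs.
    @PreAuthorize("#oauth2.hasScope('movie') and #oauth2.hasScope('read')")
    @GetMapping
    public List<String> list() {
        return titles;
    }

    // State-changing call gated on a separate scope ('write' is an assumed
    // scope name), so a read-only token cannot modify data.
    @PreAuthorize("#oauth2.hasScope('movie') and #oauth2.hasScope('write')")
    @PostMapping
    public String add(@RequestBody String title) {
        titles.add(title);
        return title;
    }

    // No @PreAuthorize here: prePostEnabled only activates the annotations,
    // so method security performs no check on this handler. Only the
    // HTTP-level rules of the resource server apply to it.
    @GetMapping("/count")
    public int count() {
        return titles.size();
    }
}
```

Reviewing a resource server for handlers like count() that carry no annotation is a quick way to find endpoints that depend solely on the HTTP-level configuration.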