I have a following architecture:
- a CAS server 5.1 which is acting as an OAuth2 server
- Resource server implemented by the Spring REST API
- Angular JS GUI which accesses the REST API
When logging into the application, the user enters his username/password and these get sent to the CAS server to obtain the access token (within the resource owner password schema). With this token, the Angular GUI should be querying the resource server. Now the following questions:
1.) With every call to the REST API the access token must be validated. But the only one who can validate this is the CAS authorization server. So does this mean, with every REST API request the resource server must create another request to the CAS server and check if the token is valid? Or is there any other possibility?
2.) How can I configure the Spring resource server security to check the access token with every request?