How to allow access to resource from client only in Spring Security OAuth2?

Question

I have developed a simple web-app using Spring-Boot with Spring Security OAuth2 and I want to allow access to all resources from the Client app only. Some resources will require the client to be authenticated while some will not.

I have the following configuration:

@Configuration
@EnableResourceServer
protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
            .and()
            .authorizeRequests()
            .antMatchers("/account/**").permitAll()
            .antMatchers("/user/**").access("#oauth2.hasScope('read')")
            .antMatchers("/transaction/**").access("#oauth2.hasScope('read')");
    }

}

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
            .authorizedGrantTypes("authorization_code", "password", "refresh_token")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .accessTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }

}

What I'm trying to do is for the resource "/account/**", it should not require the client to be authenticated but will still only allow access through client.

For the other resources, it will only allow access through the client and must be authenticated as well.

Unfortunately in the current setup above, I'm still able to access the "/account/**" from outside the client.

Appreciate any help.

UPDATE 1

Additional info I forgot to include, I'm using the grant_type password.

So what I want is this. For example:

/account - Should only be accessible with client_id/client_secret. Does not require user to be authenticated, meaning user does not need to have access token.

/user - Should only be accessible with client_id/client_secret. And requires user to be authenticated, meaning user must have access token.

Client I'm referring to is the Mobile Application that has the client_id and client_secret.

Let me know if I'm still not clear.

Answer 1

Something like this then:

.authorizeRequests()
   .antMatchers("/account/**").access("#oauth2.isClient()")
   .antMatchers("/user/**").access("#oauth2.isUser() && #oauth2.hasScope('read')")