diff --git a/CallAutomation_Live_Transcription/pom.xml b/CallAutomation_Live_Transcription/pom.xml
index 60fed6c..aeb6d08 100644
--- a/CallAutomation_Live_Transcription/pom.xml
+++ b/CallAutomation_Live_Transcription/pom.xml
@@ -135,6 +135,27 @@
json
20231013
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ io.jsonwebtoken
+ jjwt
+ 0.9.1
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.security
+ spring-security-oauth2-jose
+
+
+ org.springframework.security
+ spring-security-oauth2-resource-server
+
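Review bot: `spring-boot-starter-security` is declared twice in this hunk, as the first and the third added dependency; the second declaration should be dropped, since Maven warns about duplicate dependency entries. The `io.jsonwebtoken:jjwt` 0.9.1 dependency does not appear to be used by the SecurityConfig added in this commit, which decodes tokens through Spring's Nimbus-based decoder from `spring-security-oauth2-jose`. That version predates the library's split into `jjwt-api`/`jjwt-impl`/`jjwt-jackson`, so it is better left out unless other code needs it, which shrinks the token-parsing dependency surface.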
@@ -187,7 +208,6 @@
-
diff --git a/CallAutomation_Live_Transcription/src/main/java/com/communication/callautomation/SecurityConfig.java b/CallAutomation_Live_Transcription/src/main/java/com/communication/callautomation/SecurityConfig.java
new file mode 100644
index 0000000..a9042a3
--- /dev/null
+++ b/CallAutomation_Live_Transcription/src/main/java/com/communication/callautomation/SecurityConfig.java
@@ -0,0 +1,60 @@
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+ @Value("ACS resource ID")
+ private String audience;
+
+ @Value("https://acscallautomation.communication.azure.com")
+ private String issuer;
+
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .csrf().disable()
+ .authorizeHttpRequests()
+ .requestMatchers("/ws/**").permitAll() // WebSocket handshake is handled separately
+ .anyRequest()
+ .and()
+ .oauth2ResourceServer()
+ .jwt()
+ .decoder(jwtDecoder());
+
+ return http.build();
+ }
+
+ class AudienceValidator implements OAuth2TokenValidator {
+ private String audience;
+
+ OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+ public AudienceValidator(String audience) {
+ this.audience = audience;
+ }
+
+ @Override
+ public OAuth2TokenValidatorResult validate(Jwt token) {
+ if (token.getAudience().contains(audience)) {
+ return OAuth2TokenValidatorResult.success();
+ } else {
+ return OAuth2TokenValidatorResult.failure(error);
+ }
+ }
+ }
+
+ JwtDecoder jwtDecoder()
+ {
+ OAuth2TokenValidator withAudience = new AudienceValidator(audience);
+ OAuth2TokenValidator withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+ OAuth2TokenValidator validator = new DelegatingOAuth2TokenValidator<>(withAudience, withIssuer);
+ NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
+ jwtDecoder.setJwtValidator(validator);
+
+ return jwtDecoder;
+ }
+
+}
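Review bot: At `.anyRequest()` the chain goes straight to `.and()` with no authorization rule, so nothing states that requests outside `/ws/**` need a valid token; it should read `.anyRequest().authenticated()`. The two `@Value` annotations hold literal strings rather than property placeholders, so `audience` is always the text "ACS resource ID" and `AudienceValidator` cannot match a real token's `aud` claim; use `@Value("${<audience-property>}")` and `@Value("${<issuer-property>}")` (placeholder names, not the project's keys) so both values come from configuration. The file also has no package declaration and imports only four classes, although it uses `Value`, the OAuth2 validator and error types, `Jwt` and the decoder classes. Since `/ws/**` is `permitAll()`, the inline comment's claim that the handshake is handled separately should be checked against the WebSocket handler, because this filter chain will not authenticate that path.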