Securing Legacy Apps With OAuth 2.0 and Spring Cloud Gateway
Do you find it painful to modernize your old, form-based logins? It doesn’t have to be that way. The lack of support in the underlying framework can make adding OAuth 2.0 support to legacy applications tough, but this blog post will show you a low-code way to use Spring Cloud Gateway and Okta to secure your legacy apps.
Learn how to set up Spring Cloud Gateway as a standalone application that proxies HTTP requests and handles OAuth before sending the request to your app.
The first step is to create a new project on the Spring Initializr. I typically create it from my IDE or the command line:
If you create the project through your IDE or the Web interface, use the dependencies "Okta", "Gateway", and "Cloud Security."
application.yml (more on that in a moment).
Next, secure the new application with OIDC/OAuth 2.0.
If you already have an Okta account, see the Create a Web Application in Okta sidebar below. Otherwise, we created a Maven plugin that configures a free Okta developer account + an OIDC app (in under a minute!).
To use it, run ./mvnw com.okta:okta-maven-plugin:setup to create an account and configure your Spring Boot app to work with Okta.
Create a Web Application in Okta
Log in to your Okta Developer account (or sign up if you don’t have an account).
From the Applications page, choose Add Application.
On the Create New Application page, select Web.
Give your app a memorable name, add http://localhost:8080/login/oauth2/code/okta as a Login redirect URI, select Refresh Token (in addition to Authorization Code), and click Done.
Copy the issuer (found under API > Authorization Servers), client ID, and client secret into application.yml for both projects.
Next, you’ll configure Spring Cloud Gateway to forward routes to your legacy application. For this post, the legacy application serves two paths.
Once again in your application.yml file, add the following block:
The block does three things: it sets the base URL of the "legacy" application, defines the two paths to forward, and includes the OAuth access token in the downstream request.
If this is too much YAML for you, replace the above block with the following Java code in
That’s it! Start it up by running
A quick recap before we move on: that application.yml has a lot going on. It contains the OAuth 2.0 configuration (issuer, client ID, client secret) and everything needed to securely proxy to the legacy application.
Updating a legacy application usually isn’t simple; if it were, you probably wouldn’t have assigned the "legacy" label to it! To keep things focused, I’ve created a straightforward servlet application that contains a single servlet:
Grab the full code on GitHub (in the
The above example uses static strings; a real application likely has a form to collect a username and password along with a user service that connects to a database. You can use your imagination.
Start this application with ./mvnw jetty:run and browse to
This application is running on port
You can now access the servlet application through Spring Cloud Gateway! Now it’s time to secure it. To do that, add a servlet Filter to validate the access token added by Spring Cloud Gateway.
Add a new class:
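As an added example (not the post's own class), the following servlet Filter shows how the token relayed by Spring Cloud Gateway can be validated with Okta's JWT Verifier library before the request reaches UserProfileServlet. The issuer value is a placeholder to be replaced with the one from your application.yml; "api://default" is the audience of Okta's default authorization server, and the request attribute name "accessToken" is an assumption.

```java
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Rejects any request that does not carry a valid Okta access token
// in the Authorization header. Spring Cloud Gateway adds that header
// when the route includes the OAuth access token.
public class AccessTokenFilter implements Filter {

    // Placeholder: copy the issuer from application.yml
    // (Okta Admin Console > API > Authorization Servers).
    private static final String ISSUER = "https://{yourOktaDomain}/oauth2/default";
    // Audience of Okta's default authorization server.
    private static final String AUDIENCE = "api://default";

    private AccessTokenVerifier verifier;

    @Override
    public void init(FilterConfig filterConfig) {
        // The verifier fetches the issuer's signing keys and checks the
        // signature, expiry, issuer and audience of each token.
        verifier = JwtVerifiers.accessTokenVerifierBuilder()
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .build();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing bearer token");
            return;
        }
        try {
            Jwt jwt = verifier.decode(header.substring("Bearer ".length()));
            // Hand the verified claims to downstream servlets (assumed attribute name).
            request.setAttribute("accessToken", jwt);
            chain.doFilter(request, response);
        } catch (JwtVerificationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token");
        }
    }
}
```

Map the filter to the servlet's paths in web.xml or with @WebFilter so that every request to the profile page passes through it.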
The last step is to update the UserProfileServlet with data from the JWT access token. To do so, replace the doGet() method with the one below:
Before restarting the servlet application, grab the "issuer" URL you used in the first step by copying it from src/main/resources/application.yml. You can also find this in your Okta Admin Console under API → Authorization Servers.
Start the legacy application with:
That is it! Open an incognito/private browser and navigate to http://localhost:8080/ where you’ll be redirected to Okta for login and then back to the profile page!
In this post, you learned how to secure a simple servlet application with OAuth 2.0 and just a few lines of code (plus a healthy dose of configuration and error handling). You also used Spring Cloud Gateway to proxy and secure requests before they even get to your application!
The full source code for this post is available on GitHub.
If you want to learn more about Java, Spring, and securing applications, check out the following posts:
- Spring Method Security with PreAuthorize
- Angular 8 + Spring Boot 2.2: Build a CRUD App Today!
- A Quick Guide to Spring Boot Login Options
Published at DZone with permission of Brian Demers, DZone MVB. See the original article here.