DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
View Events Video Library
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modern Digital Website Security: Prepare to face any form of malicious web activity and enable your sites to optimally serve your customers.

Low-Code Development: Learn the concepts of low code, features + use cases for professional devs, and the low-code implementation process.

E-Commerce Development Essentials: Considering starting or working on an e-commerce business? Learn how to create a backend that scales.

Getting Started With Jenkins: Learn fundamentals that underpin CI/CD, how to create a pipeline, and when and where to use Jenkins.

Related

  • Authentication With Remote LDAP Server in Spring Web MVC
  • Implementing Authentication and Authorization With Vaadin
  • Spring Security Oauth2: Google Login
  • How to Implement Oauth2 Security in Microservices

Trending

  • Unblock Your Software Engineers With Unblocked
  • Modernizing SCADA Systems and OT/IT Integration With Apache Kafka
  • Production-Like Testing Environments in Software Development
  • Empowering Secure Access: Unleashing the Potential of Microsoft Entra ID Application Proxy
  1. DZone
  2. Coding
  3. Frameworks
  4. How to Implement Spring Security With OAuth2

How to Implement Spring Security With OAuth2

Want to learn how to implement the OAuth2 authorization with Spring Security? Check out this post to learn how.

Dev Bhatia user avatar by
Dev Bhatia
·
Updated Jul. 23, 18 · Tutorial
Like (21)
Save
Tweet
Share
151.3K Views

Join the DZone community and get the full member experience.

Join For Free

spring security provides comprehensive security services for j2ee-based enterprise software applications. it is powerful, flexible, and pluggable. it is not like a proxy server, firewall, os level security, intrusion detection system, or jvm security.

oauth is an open-authorization protocol that allows accessing resources of the resource owner by enabling the client applications on http services, such as gmail, github, etc.

the oauth 2.0 framework enables a third-party application to obtain limited access to an http service, either on behalf of a resource owner by orchestrating an approval interaction between resource owner and http service or by allowing the third-party application to obtain access on its own behalf.

oauth2 roles: there are four roles that can be applied on oauth2:

  1. resource owner: the owner of the resource — this is pretty self-explanatory.
  2. resource server: this serves resources that are protected by the oauth2 token.
  3. client: the application accessing the resource server.
  4. authorization server: this is the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

oauth2 tokens: tokens are implementation specific random strings, generated by the authorization server.

  • access token: sent with each request, usually valid for about an hour only.
  • refresh token: it is used to get a 00new access token, not sent with each request, usually lives longer than access token.

let's implement the project for spring security with oauth2:

first, create a maven project here, in eclipse ide, which will look like :

resource server 

package com.security.oauth.security;

import org.springframework.context.annotation.configuration;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.enableresourceserver;
import org.springframework.security.oauth2.config.annotation.web.configuration.resourceserverconfigureradapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.resourceserversecurityconfigurer;
import org.springframework.security.oauth2.provider.error.oauth2accessdeniedhandler;

@configuration
@enableresourceserver 
/*@enableresourceserver enables a spring security filter that authenticates requests using an incoming oauth2 token.*/
public class resourceserverconfiguration extends resourceserverconfigureradapter {
/*class resourceserverconfigureradapter implements resourceserverconfigurer providing methods to adjust the access rules and paths that are protected by oauth2 security.*/
private static final string resource_id = "my_rest_api";

@override
public void configure(resourceserversecurityconfigurer resources) {
resources.resourceid(resource_id).stateless(false);
}

@override
public void configure(httpsecurity http) throws exception {
http.
anonymous().disable()
.requestmatchers().antmatchers("/user/**")
.and().authorizerequests()
.antmatchers("/user/**").access("hasrole('admin')")
.and().exceptionhandling().accessdeniedhandler(new oauth2accessdeniedhandler());
}

}

authorization server 

package com.security.oauth.security;

import org.springframework.beans.factory.annotation.autowired;
import org.springframework.beans.factory.annotation.qualifier;
import org.springframework.context.annotation.configuration;
import org.springframework.security.authentication.authenticationmanager;
import org.springframework.security.oauth2.config.annotation.configurers.clientdetailsserviceconfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.authorizationserverconfigureradapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.enableauthorizationserver;
import org.springframework.security.oauth2.config.annotation.web.configurers.authorizationserverendpointsconfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.authorizationserversecurityconfigurer;
import org.springframework.security.oauth2.provider.approval.userapprovalhandler;
import org.springframework.security.oauth2.provider.token.tokenstore;

@configuration
@enableauthorizationserver
/*@enableauthorizationserver enables an authorization server (i.e. an authorizationendpoint and a tokenendpoint) in the current application context.*/
public class authorizationserverconfiguration extends authorizationserverconfigureradapter {
/*class authorizationserverconfigureradapter implements authorizationserverconfigurer which provides all the necessary methods to configure an authorization server.*/
private static string realm="my_oauth_realm";

@autowired
private tokenstore tokenstore;

@autowired
private userapprovalhandler userapprovalhandler;

@autowired
@qualifier("authenticationmanagerbean")
private authenticationmanager authenticationmanager;

@override
public void configure(clientdetailsserviceconfigurer clients) throws exception {

clients.inmemory()
        .withclient("my-trusted-client")
            .authorizedgranttypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("role_client", "role_trusted_client")
            .scopes("read", "write", "trust")
            .secret("secret")
            .accesstokenvalidityseconds(120).//access token is only valid for 2 minutes.
            refreshtokenvalidityseconds(600);//refresh token is only valid for 10 minutes.
}

@override
public void configure(authorizationserverendpointsconfigurer endpoints) throws exception {
endpoints.tokenstore(tokenstore).userapprovalhandler(userapprovalhandler)
.authenticationmanager(authenticationmanager);
}

@override
public void configure(authorizationserversecurityconfigurer oauthserver) throws exception {
oauthserver.realm(realm+"/client");
}

}


security configuration 

package com.security.oauth.security;

import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.bean;
import org.springframework.context.annotation.configuration;
import org.springframework.security.authentication.authenticationmanager;
import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;
import org.springframework.security.crypto.password.nooppasswordencoder;
import org.springframework.security.oauth2.provider.clientdetailsservice;
import org.springframework.security.oauth2.provider.approval.approvalstore;
import org.springframework.security.oauth2.provider.approval.tokenapprovalstore;
import org.springframework.security.oauth2.provider.approval.tokenstoreuserapprovalhandler;
import org.springframework.security.oauth2.provider.request.defaultoauth2requestfactory;
import org.springframework.security.oauth2.provider.token.tokenstore;
import org.springframework.security.oauth2.provider.token.store.inmemorytokenstore;

@configuration
@enablewebsecurity
public class oauth2securityconfiguration extends websecurityconfigureradapter {

@autowired
private clientdetailsservice clientdetailsservice;

@autowired
    public void globaluserdetails(authenticationmanagerbuilder auth) throws exception {
        auth.inmemoryauthentication()
        .withuser("bill").password("abc123").roles("admin").and()
        .withuser("bob").password("abc123").roles("user");
    }


    @override
    protected void configure(httpsecurity http) throws exception {
http
.csrf().disable()
.anonymous().disable()
  .authorizerequests()
  .antmatchers("/oauth/token").permitall();
    }

    @override
    @bean
    public authenticationmanager authenticationmanagerbean() throws exception {
        return super.authenticationmanagerbean();
    }


@bean
public tokenstore tokenstore() {
return new inmemorytokenstore();
}

@bean
@autowired
public tokenstoreuserapprovalhandler userapprovalhandler(tokenstore tokenstore){
tokenstoreuserapprovalhandler handler = new tokenstoreuserapprovalhandler();
handler.settokenstore(tokenstore);
handler.setrequestfactory(new defaultoauth2requestfactory(clientdetailsservice));
handler.setclientdetailsservice(clientdetailsservice);
return handler;
}

@bean
@autowired
public approvalstore approvalstore(tokenstore tokenstore) throws exception {
tokenapprovalstore store = new tokenapprovalstore();
store.settokenstore(tokenstore);
return store;
}

}

method security configuration 

package com.security.oauth.security;

import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.configuration;
import org.springframework.security.access.expression.method.methodsecurityexpressionhandler;
import org.springframework.security.config.annotation.method.configuration.enableglobalmethodsecurity;
import org.springframework.security.config.annotation.method.configuration.globalmethodsecurityconfiguration;
import org.springframework.security.oauth2.provider.expression.oauth2methodsecurityexpressionhandler;

@configuration
@enableglobalmethodsecurity(prepostenabled = true, proxytargetclass = true)
public class methodsecurityconfig extends globalmethodsecurityconfiguration {
    @suppresswarnings("unused")
@autowired
    private oauth2securityconfiguration securityconfig;

    @override
    protected methodsecurityexpressionhandler createexpressionhandler() {
        return new oauth2methodsecurityexpressionhandler();
    }
}


controller 

package com.security.oauth.controller;

import java.util.list;

import org.springframework.beans.factory.annotation.autowired;
import org.springframework.http.httpheaders;
import org.springframework.http.httpstatus;
import org.springframework.http.mediatype;
import org.springframework.http.responseentity;
import org.springframework.web.bind.annotation.pathvariable;
import org.springframework.web.bind.annotation.requestbody;
import org.springframework.web.bind.annotation.requestmapping;
import org.springframework.web.bind.annotation.requestmethod;
import org.springframework.web.bind.annotation.restcontroller;
import org.springframework.web.util.uricomponentsbuilder;

import com.security.oauth.model.user;
import com.security.oauth.service.userservice;

@restcontroller
public class oauth2restcontroller {

    @autowired
    userservice userservice;  //service which will do all data retrieval/manipulation work


    //-------------------retrieve all users--------------------------------------------------------

    @requestmapping(value = "/user/", method = requestmethod.get)
    public responseentity<list<user>> listallusers() {
        list<user> users = userservice.findallusers();
        if(users.isempty()){
            return new responseentity<list<user>>(users, httpstatus.no_content);//you many decide to return httpstatus.not_found
        }
        return new responseentity<list<user>>(users, httpstatus.ok);
    }


    //-------------------retrieve single user--------------------------------------------------------

    @requestmapping(value = "/user/{id}", method = requestmethod.get, produces = {mediatype.application_json_value,mediatype.application_xml_value})
    public responseentity<user> getuser(@pathvariable("id") long id) {
        system.out.println("fetching user with id " + id);
        user user = userservice.findbyid(id);
        if (user == null) {
            system.out.println("user with id " + id + " not found");
            return new responseentity<user>(httpstatus.not_found);
        }
        return new responseentity<user>(user, httpstatus.ok);
    }



    //-------------------create a user--------------------------------------------------------

    @requestmapping(value = "/user/", method = requestmethod.post)
    public responseentity<void> createuser(@requestbody user user, uricomponentsbuilder ucbuilder) {
        system.out.println("creating user " + user.getname());

        if (userservice.isuserexist(user)) {
            system.out.println("a user with name " + user.getname() + " already exist");
            return new responseentity<void>(httpstatus.conflict);
        }

        userservice.saveuser(user);

        httpheaders headers = new httpheaders();
        headers.setlocation(ucbuilder.path("/user/{id}").buildandexpand(user.getid()).touri());
        return new responseentity<void>(headers, httpstatus.created);
    }


    //------------------- update a user --------------------------------------------------------

    @requestmapping(value = "/user/{id}", method = requestmethod.put)
    public responseentity<user> updateuser(@pathvariable("id") long id, @requestbody user user) {
        system.out.println("updating user " + id);

        user currentuser = userservice.findbyid(id);

        if (currentuser==null) {
            system.out.println("user with id " + id + " not found");
            return new responseentity<user>(httpstatus.not_found);
        }

        currentuser.setname(user.getname());
        currentuser.setage(user.getage());
        currentuser.setsalary(user.getsalary());

        userservice.updateuser(currentuser);
        return new responseentity<user>(currentuser, httpstatus.ok);
    }

    //------------------- delete a user --------------------------------------------------------

    @requestmapping(value = "/user/{id}", method = requestmethod.delete)
    public responseentity<user> deleteuser(@pathvariable("id") long id) {
        system.out.println("fetching & deleting user with id " + id);

        user user = userservice.findbyid(id);
        if (user == null) {
            system.out.println("unable to delete. user with id " + id + " not found");
            return new responseentity<user>(httpstatus.not_found);
        }

        userservice.deleteuserbyid(id);
        return new responseentity<user>(httpstatus.no_content);
    }


    //------------------- delete all users --------------------------------------------------------

    @requestmapping(value = "/user/", method = requestmethod.delete)
    public responseentity<user> deleteallusers() {
        system.out.println("deleting all users");

        userservice.deleteallusers();
        return new responseentity<user>(httpstatus.no_content);
    }

}

running the application

  • you can either run the application by hitting the rest api by postman .
  • you can also run this application by springrestclient class present in src/test/java, which is internally hitting the rest api by resttemplateclass.
Spring Security authentication Spring Framework application

Published at DZone with permission of Dev Bhatia. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Authentication With Remote LDAP Server in Spring Web MVC
  • Implementing Authentication and Authorization With Vaadin
  • Spring Security Oauth2: Google Login
  • How to Implement Oauth2 Security in Microservices
Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: