
Spring Boot Oauth2 Security

This post is an enhancement of my previous post, which explains how to secure a REST API with Spring Security OAuth2.
In case you missed it, here it is:
http://blog.rajithdelantha.com/2015/09/secure-your-rest-api-with-spring.html

Spring Boot is one of the newer additions to the Spring framework, and it makes developers' lives easier when building large-scale applications. Here is a good place to grab the concepts.

If you read my previous post on OAuth2 security, you know that a fair amount of configuration has to be done on the Spring side. Spring Boot, on the other hand, does most of that hard work for us; we only need to tell it what to do with a few simple annotations.

So this post is about how to configure a Spring Boot project with Spring Security and OAuth2. We can't really call it configuring, because almost all of the configuration is done by Spring Boot itself.

Source code : https://github.com/rajithd/spring-boot-oauth2

Step 1
For this project I'm using the H2 in-memory database, so you don't need to create any database or tables: they are created at run time. If you want the project to use MySQL as the data source instead, first create the database and then create the following tables.

CREATE TABLE user (
  username VARCHAR(50) NOT NULL PRIMARY KEY,
  email VARCHAR(50),
  password VARCHAR(500),
  activated BOOLEAN DEFAULT FALSE,
  activationkey VARCHAR(50) DEFAULT NULL,
  resetpasswordkey VARCHAR(50) DEFAULT NULL
);

CREATE TABLE authority (
  name VARCHAR(50) NOT NULL PRIMARY KEY
);

CREATE TABLE user_authority (
  username VARCHAR(50) NOT NULL,
  authority VARCHAR(50) NOT NULL,
  FOREIGN KEY (username) REFERENCES user (username),
  FOREIGN KEY (authority) REFERENCES authority (name),
  UNIQUE INDEX user_authority_idx_1 (username, authority)
);

CREATE TABLE oauth_access_token (
  token_id VARCHAR(256) DEFAULT NULL,
  token BLOB,
  authentication_id VARCHAR(256) DEFAULT NULL,
  user_name VARCHAR(256) DEFAULT NULL,
  client_id VARCHAR(256) DEFAULT NULL,
  authentication BLOB,
  refresh_token VARCHAR(256) DEFAULT NULL
);

CREATE TABLE oauth_refresh_token (
  token_id VARCHAR(256) DEFAULT NULL,
  token BLOB,
  authentication BLOB
);


  • user - system users
  • authority - roles
  • user_authority - many-to-many table linking users and roles
  • oauth_access_token - holds the access tokens
  • oauth_refresh_token - holds the refresh tokens
Add some seed data.

INSERT INTO user (username, email, password, activated) VALUES ('admin', 'admin@mail.me', 'b8f57d6d6ec0a60dfe2e20182d4615b12e321cad9e2979e0b9f81e0d6eda78ad9b6dcfe53e4e22d1', true);
INSERT INTO user (username, email, password, activated) VALUES ('user', 'user@mail.me', 'd6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74', true);
INSERT INTO user (username, email, password, activated) VALUES ('rajith', 'rajith@abc.com', 'd6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74', true);
INSERT INTO authority (name) VALUES ('ROLE_USER');
INSERT INTO authority (name) VALUES ('ROLE_ADMIN');
INSERT INTO user_authority (username, authority) VALUES ('rajith', 'ROLE_USER');
INSERT INTO user_authority (username, authority) VALUES ('user', 'ROLE_USER');
INSERT INTO user_authority (username, authority) VALUES ('admin', 'ROLE_USER');
INSERT INTO user_authority (username, authority) VALUES ('admin', 'ROLE_ADMIN');
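The seeded password column only works if each value is in the format that StandardPasswordEncoder (configured in Step 2) expects: the hex encoding of an 8-byte random salt followed by 1024 rounds of SHA-256 over salt || secret || password, with an empty secret by default. The Python below is an added example, not code from the post or the project: it reimplements that format so the seed rows can be checked offline, and flags a detail in the seed data worth noticing, namely that 'user' and 'rajith' carry an identical stored value.

```python
import hashlib
import hmac
import os

SALT_LEN = 8       # KeyGenerators.secureRandom() default key length
ITERATIONS = 1024  # StandardPasswordEncoder.DEFAULT_ITERATIONS

def _digest(salt: bytes, password: str, secret: bytes) -> bytes:
    """salt || SHA-256 applied ITERATIONS times to (salt || secret || password)."""
    value = salt + secret + password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return salt + value

def encode(password: str, secret: bytes = b"", salt: bytes = None) -> str:
    """Same output format as StandardPasswordEncoder.encode(): 80 hex characters."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return _digest(salt, password, secret).hex()

def matches(password: str, encoded: str, secret: bytes = b"") -> bool:
    """StandardPasswordEncoder.matches(): the salt is the first 8 bytes of the stored value."""
    try:
        stored = bytes.fromhex(encoded)
    except ValueError:
        return False
    if len(stored) != SALT_LEN + hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(stored, _digest(stored[:SALT_LEN], password, secret))

# The (username, password column) pairs copied from the INSERT statements above.
SEED_ROWS = [
    ("admin", "b8f57d6d6ec0a60dfe2e20182d4615b12e321cad9e2979e0b9f81e0d6eda78ad9b6dcfe53e4e22d1"),
    ("user", "d6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74"),
    ("rajith", "d6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74"),
]

def shared_hashes(rows):
    """Stored values used by more than one user. Each encode() call draws a fresh
    random salt, so two users can only share a value if the encoded string was
    copied between rows, which also tells anyone who can read the table that
    both accounts have the same password."""
    by_hash = {}
    for username, encoded in rows:
        by_hash.setdefault(encoded, set()).add(username)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def seed_rows_well_formed(rows) -> bool:
    """Every seeded value must decode to salt + 32-byte digest, or matches() can never succeed."""
    return all(len(bytes.fromhex(h)) == SALT_LEN + 32 for _, h in rows)
```

Giving each seeded account its own encode() call, rather than pasting one value into several rows, removes the shared hash.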

Step 2
Configure the WebSecurityConfigurerAdapter

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  // Project class that loads users and their authorities from the user / user_authority tables.
  @Autowired
  private UserDetailsService userDetailsService;

  // Must match the format of the seeded password column: StandardPasswordEncoder stores
  // hex(8-byte random salt || 1024 rounds of SHA-256). Later Spring Security versions
  // deprecate this encoder in favour of BCryptPasswordEncoder.
  @Bean
  public PasswordEncoder passwordEncoder() {
    return new StandardPasswordEncoder();
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .userDetailsService(userDetailsService)
        .passwordEncoder(passwordEncoder());
  }

  // Requests for these paths bypass the security filter chain completely, so no
  // authentication, CSRF or header protection applies to them.
  @Override
  public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/h2console/**")
        .antMatchers("/api/register")
        .antMatchers("/api/activate")
        .antMatchers("/api/lostpassword")
        .antMatchers("/api/resetpassword");
  }

  // Exposed as a bean so the authorization server can use it for the password grant.
  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  // Enables @PreAuthorize / @RolesAllowed with OAuth2-aware expressions such as #oauth2.hasScope('read').
  @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
  private static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
      return new OAuth2MethodSecurityExpressionHandler();
    }
  }
}


Step 3
Configuration for OAuth2

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.bind.RelaxedPropertyResolver;
import org.springframework.context.EnvironmentAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
// CustomAuthenticationEntryPoint, CustomLogoutSuccessHandler and Authorities are
// project classes from the linked repository; import them from their own package.

@Configuration
public class OAuth2Configuration {

  // Resource server: validates the bearer token on incoming API requests.
  @Configuration
  @EnableResourceServer
  protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // Project class that builds the response for requests without a valid token.
    @Autowired
    private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;

    // Project class invoked after a request to /oauth/logout.
    @Autowired
    private CustomLogoutSuccessHandler customLogoutSuccessHandler;

    @Override
    public void configure(HttpSecurity http) throws Exception {
      http
          .exceptionHandling()
          .authenticationEntryPoint(customAuthenticationEntryPoint)
          .and()
          .logout()
          .logoutUrl("/oauth/logout")
          .logoutSuccessHandler(customLogoutSuccessHandler)
          .and()
          // disable() switches CSRF protection off entirely, so the matcher before it has
          // no effect. That is acceptable for a stateless, token-only API with no cookie session.
          .csrf()
          .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
          .disable()
          // Needed so the H2 console can render inside a frame. With the Spring Security 3.2
          // API this chain compiles and disable() removes the whole headers configurer (all
          // default security headers); in 4.x frameOptions() is a sub-configurer and the
          // equivalent is frameOptions().disable().and().
          .headers()
          .frameOptions().disable()
          // No HTTP session: every request must carry its own bearer token.
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
          .and()
          .authorizeRequests()
          .antMatchers("/hello/**").permitAll()
          .antMatchers("/secure/**").authenticated();
    }
  }

  // Authorization server: issues and refreshes tokens at /oauth/token.
  @Configuration
  @EnableAuthorizationServer
  protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter implements EnvironmentAware {

    // Read from the application properties authentication.oauth.clientid,
    // authentication.oauth.secret and authentication.oauth.tokenValidityInSeconds.
    private static final String ENV_OAUTH = "authentication.oauth.";
    private static final String PROP_CLIENTID = "clientid";
    private static final String PROP_SECRET = "secret";
    private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";

    private RelaxedPropertyResolver propertyResolver;

    @Autowired
    private DataSource dataSource;

    // Tokens are persisted in the oauth_access_token / oauth_refresh_token tables from
    // Step 1, so they survive restarts and can be revoked by deleting the row.
    @Bean
    public TokenStore tokenStore() {
      return new JdbcTokenStore(dataSource);
    }

    // The bean exposed in Step 2; the password grant uses it to check user credentials.
    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
      endpoints
          .tokenStore(tokenStore())
          .authenticationManager(authenticationManager);
    }

    // A single in-memory client; only the password and refresh_token grants are enabled.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
      clients
          .inMemory()
          .withClient(propertyResolver.getProperty(PROP_CLIENTID))
          .scopes("read", "write")
          .authorities(Authorities.ROLE_ADMIN.name(), Authorities.ROLE_USER.name())
          .authorizedGrantTypes("password", "refresh_token")
          .secret(propertyResolver.getProperty(PROP_SECRET))
          // access tokens expire after 30 minutes unless tokenValidityInSeconds overrides it
          .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800));
    }

    @Override
    public void setEnvironment(Environment environment) {
      this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);
    }
  }
}

That's it. Run the Spring Boot application with
mvn spring-boot:run

Then check your OAuth2 security by executing the following curl commands (see the repository):
https://github.com/rajithd/spring-boot-oauth2
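The curl commands themselves are not reproduced in the post, so here is an added Python client (not from the original post or the project) that drives the same flow against the endpoints configured in Step 3: the password grant and the refresh_token grant against /oauth/token, with the client id and secret sent as HTTP Basic credentials, and a bearer request to a /secure/** path. The base URL, client id, client secret and user credentials are placeholders for the values in your application properties (authentication.oauth.clientid / authentication.oauth.secret) and the seeded user table.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders: use authentication.oauth.clientid / .secret from your application
# properties and a username/password from the seeded user table.
BASE_URL = "http://localhost:8080"
CLIENT_ID = "clientid-placeholder"
CLIENT_SECRET = "secret-placeholder"
TOKEN_VALIDITY = 1800  # accessTokenValiditySeconds default from Step 3

def basic_auth(client_id: str, client_secret: str) -> str:
    """Authorization header value that identifies the OAuth2 client."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(form: dict) -> urllib.request.Request:
    """POST /oauth/token: the client authenticates via HTTP Basic, the form carries the grant."""
    if form.get("grant_type") not in ("password", "refresh_token"):
        raise ValueError("grant type not enabled for this client")  # see Step 3
    body = urllib.parse.urlencode(form).encode("utf-8")
    req = urllib.request.Request(BASE_URL + "/oauth/token", data=body, method="POST")
    req.add_header("Authorization", basic_auth(CLIENT_ID, CLIENT_SECRET))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def password_grant(username: str, password: str, scope: str = "read write"):
    return token_request({"grant_type": "password", "username": username,
                          "password": password, "scope": scope})

def refresh_grant(refresh_token: str):
    return token_request({"grant_type": "refresh_token", "refresh_token": refresh_token})

def parse_token_response(body: bytes) -> dict:
    """Check the JSON from /oauth/token before trusting it."""
    tok = json.loads(body.decode("utf-8"))
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    if int(tok.get("expires_in", 0)) > TOKEN_VALIDITY:
        raise ValueError("token lifetime exceeds the configured validity")
    return tok

def bearer_request(path: str, access_token: str) -> urllib.request.Request:
    """GET a protected path such as /secure/...; the resource server is stateless,
    so every call must carry the bearer token."""
    req = urllib.request.Request(BASE_URL + path)
    req.add_header("Authorization", "Bearer " + access_token)
    return req
```

Send any of the returned Request objects with urllib.request.urlopen(); a GET on /secure/** without the Authorization header should come back as 401 from the custom entry point, while /hello/** answers without a token.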

41 comments:

  1. Thank you for sharing the information. And please update some useful article like this.
     digital marketing training Chennai
  2. I am reading the articles one by one since yesterday night and every time i find a new article grabbing my attention within a post.
     iOS Training in Chennai
  3. I read this book really awesome.You provided another one great article.I hope this information may change my career.
     Oracle SQL Training in Chennai
  4. Wow amazing i saw the article with execution models you had posted. It was such informative. Really its a wonderful article. Thank you for sharing and please keep update like this type of article because i want to learn more relevant to this topic.
     Web Designing Training in Chennai
  5. Nice article, is it possible SSO using spring oauth2 framework authorization and authentication please provide some example code
  6. The future of software testing is on positive note. It offers huge career prospects for talented professionals to be skilled software testers. Best software testing training institute in Chennai | Software Testing Training in Chennai | Software testing course in Chennai
  7. It's really amazing that we can record what our visitors do on our site. Thanks for sharing this awesome guide. I'm happy that I came across with your site this article is on point, thanks again and have a great day.
     Microstrategy Training in Chennai
  8. You made some decent factors there. I looked on the internet for the difficulty and found most individuals will associate with along with your website. Keep update more excellent posts.
     Digital marketing company in Chennai
  9. Really an amazing post..! By reading your blog post i gained more information. Thanks a lot for posting unique information and made me more knowledgeable person. Keep on blogging!!
     Hadoop Training in Chennai Adyar
  10. I do believe all of the concepts you've introduced in your post. They're very convincing and will definitely work. Nonetheless, the posts are too short for novices. May you please extend them a bit from subsequent time? Thank you for the post.
     Online Training in Chennai
  11. I do trust all of the concepts you've presented on your post. They're really convincing and will definitely work. Still, the posts are too brief for newbies. May you please extend them a little from subsequent time? Also, I've shared your website in my social networks.
     Corporate Training in Chennai
  12. Great information shared in this blog. Helps in gaining concepts about new information and concepts. Awesome information provided. Very useful for the beginners.
     Dotnet Training in Chennai
  13. Nice Blog
     Telugu70mm.com Provides Latest Telugu Movie Reviews and other news like Telugu Movie News , Telugu Political News and Movie Released Dates
  14. Wow amazing i saw the article with execution models you had posted. It was such informative. By explaining this type we can identify the concepts easily. So thank you for this sharing.
     SEO Training in Chennai
  15. Great information shared in this blog. Helps in gaining concepts about new information and concepts. Awesome information provided. Very useful for the beginners.
     SEO training in Chennai
  16. very useful information provided in this blog. concepts were explained in a detailed manner. Keep giving these types of information.
     SEO training in Chennai
  17. Wow really nice and by explaining with execution models we can easily interact with the concepts as well. And within this how it will be enabled with API systems? Other than that i am okay and if you are having some other suggestion mean share that please.
     Car Wash Services in Mumbai
  18. Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing.
     Regards,
     SAP Training in Chennai with placement | java training in chennai with placement
  19. We appreciate, result in I ran across what exactly I had been seeking. You could have wrapped up my own Some evening extended quest! Our god Bless you man. Use a fantastic time. Ok bye
     App-v Online Training By Realtime Trainer In India
     Dellboomi Online Training By Realtime Trainer In India
     Hadoop Online Training By Realtime Trainer In India
     My SQL Online Training By Realtime Trainer In India
  20. This blog having the details of Processes running. The way of running is explained clearly. The content quality is really great. The full document is entirely amazing. Thank you very much for this blog.
     SEO Company in India
     Digital Marketing Company in India
  21. A nice article here with some useful tips for those who are not used-to comment that frequently. Thanks for this helpful information I agree with all points you have given to us. I will follow all of them.
     Best Laser Clinic In Chennai
     Best Implant Clinic In Chennai
  22. Thank you for sharing the information here. Its much informative and really i got some valid information. You had posted the amazing article.
     MSBI Training in Chennai
     Informatica Training in Chennai
     Dataware Housing Training in Chennai
  23. This blog having the details of Processes running. The way of running is explained clearly. The content quality is really great. The full document is entirely amazing. Thank you very much for this blog.
     Android Training Institute in Chennai
  24. Thanks for sharing such informative article. Know about English to Tamil from techfizy.
  25. Thanks for this article, it saved my time. Thanks.