- \n
- Eclipse IDE for Enterprise Java Developers Version: 2020-09 (4.17.0) <\/li>\n
- Spring Tools 4 \u2013 for Spring Boot<\/li>\n<\/ul>\n
Spring Tools 4 for Spring Boot is a set of plugins for Eclipse that support building and running Spring Boot applications. You can add Spring Tools 4 to your existing Eclipse installation by going to the Eclipse Marketplace and searching for \u201cSpring Tools 4\u201d.<\/p>\n
2. Spring Boot and OAuth2 Tutorial<\/h2>\n
2.1 Quick Introduction to OAuth2<\/h3>\n
OAuth2 is a framework used by client applications to access a user\u2019s resources (with the user\u2019s consent) without exploiting the user\u2019s credentials. It performs this by using access tokens in place of usernames and passwords.<\/p>\n
OAuth2 defines four roles:<\/p>\n
- \n
- Resource Owner \u2013 The user that owns the account data to be shared, for example, an end-user employing your application.<\/li>\n
- Resource Server \u2013 The server that hosts the user\u2019s resources including (but not limited to) credentials and profile data.<\/li>\n
- Client Application \u2013 The application requesting resources from the resource server on behalf of the resource owner, such as a web application.<\/li>\n
- Authorization Server \u2013 The server that will process the request to give the client application access to the owner\u2019s resources.<\/li>\n<\/ul>\n
Clear as mud? Hopefully, these concepts will become plainer as we proceed.<\/p>\n
2.2 Create the Client Application<\/h3>\n
We\u2019ll start by creating the client application. Create a new Spring Starter Project using the new project wizard in Eclipse. Select \u201cSpring Web\u201d, \u201cThymeleaf\u201d, \u201cSpring Boot Actuator\u201d, and \u201cOAuth2 Client\u201d as dependencies.<\/p>\n
- \n
- Spring Web \u2013 adds Spring MVC and embedded Tomcat container<\/li>\n
- Thymeleaf \u2013 used as the template engine for rendering HTML<\/li>\n
- Spring Boot Actuator \u2013 adds endpoints for monitoring your application<\/li>\n
- OAuth2 Client \u2013 adds Spring Security and OAuth2 client support<\/li>\n<\/ul>\n\n
![\"spring](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/oauth2-dependencies-wm.jpg\")
Project Dependencies<\/figcaption><\/figure>\n<\/div>\n Click Finish.<\/p>\n
Start the application using the Boot Dashboard. (Alternatively, you can package the application in an executable jar file or run the \u201cmvn spring-boot:run\u201d command from the console.<\/p>\n
Open a browser and enter http:\/\/localhost:8080\/actuator<\/a>.<\/p>\n
\n![\"spring](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/please-sign-in-wm.jpg\")
Spring Sign In<\/figcaption><\/figure>\n<\/div>\n Spring Security auto-configures a
DefaultSecurityFilterChain<\/code>, which protects all URL requests by default. To allow non-authenticated access to the actuator endpoint, we will need to configure web security. We can do this by creating a configuration class that extendsWebSecurityConfigurerAdapter<\/code> and implement itsconfigure(HttpSecurity http<\/code>) method.<\/p>\nSecurityConfiguration.java<\/em><\/span><\/p>\n
import org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@Configuration\npublic class SecurityConfiguration extends WebSecurityConfigurerAdapter {\n\n\t@Override\n\tprotected void configure(HttpSecurity http) throws Exception {\n\t\thttp.authorizeRequests()\n\t\t\t.antMatchers(\"\/actuator\").permitAll()\n\t\t\t.anyRequest().authenticated();\n\t}\n\t\n}\n<\/pre>\nThe
@Configuration<\/code> annotation registers this as a configuration classs. We used anantMatcher<\/code> to specify that the \/actuator<\/em> endpoint is permitted to all. It serves as a whitelist since we then specify that any request is accessible to authenticated users only with .anyRequest().authenticated()<\/code>. This is typically used as a catch-all<\/em> mechanism to prevent unauthenticated access to your site.<\/p>\nRestart the application. You will now be able to access the \/actuator<\/em> endpoint.<\/p>\n
\n![\"spring](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/actuator-wm.jpg\")
Actuator Endpoint<\/figcaption><\/figure>\n<\/div>\n 2.3 More on OAuth2<\/h3>\n
Access tokens are used by the client application to gain restricted access to a user resource. An access token contains information about the privileges the user consented to give to the client application. Tokens are temporary. You can use a refresh token<\/em> (if provided) to request a new access token when it has expired. Access tokens are obtained from the authorization server.<\/em><\/p>\n
A grant type flow is used to acquire an access token. OAuth 2 defines several grant types, each suited for a particular use case. The authorization code<\/em> grant type is the most appropriate for server-side client applications, such as your typical web application.
<\/div> <\/div><\/p>\nIn the authorization code<\/em> grant type, the client uses an authorization code to obtain an access token from the authorization server<\/em>. The application client id <\/em>and client secret<\/em> credentials are used for interactions with the authorization server. Since the application source code is not accessible outside the client application, it is acceptable to store this information in a properties file.<\/p>\n
2.4 Integrating OAuth2 with Spring Boot<\/h3>\n
To use an authentication provider in a Spring Boot application three steps are required:<\/p>\n
- \n
- Register your application with the authentication provider<\/li>\n
- Edit applicaition.properties<\/em> or application.yml<\/em> with the configuration details supplied by the provider, e.g. client id<\/em> and client secret<\/em><\/li>\n
- Configure OAuth2 in your security configuration class\u2019
configure(HttpSecurity http)<\/code> method<\/li>\n<\/ul>\nThere are many OAuth2 authentication providers from which to choose. You can use a social network that offers identity services, such as Google or GitHub. (This arrangement is sometimes referred to as a social login). There are also corporate login providers like Okta and AuthO. Spring Security contains default configurations for Google, Facebook, GitHub, and Okta. We will use GitHub in our first example. (You can sign up for a GitHub account at https:\/\/github.com\/join<\/a>.)<\/p>\n
Once you have a GitHub account you can register the client application at https:\/\/github.com\/settings\/developers<\/a>.<\/p>\n
On the Developer setting page, select “OAuth Apps” and then click the “New OAuth App\u201d button. Enter the application name and the application\u2019s Homepage URL, (http:\/\/localhost:8080<\/em>, in this example). Set the Authorization callback URL as http:\/\/localhost:8080\/login\/oauth2\/code\/<\/em>.<\/p>\n
\n![\"spring](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/register-oauth-app-wm.jpg\")
GitHub OAuth Client Registration<\/figcaption><\/figure>\n<\/div>\n The Authorization callback URL (aka redirection URL) is the path in the client application (our Spring Boot application) that the browser is redirected back to after the user authenticates and grants access. Spring Security uses a URI template for the aforementioned providers:
{baseUrl}\/login\/oauth2\/code\/{registrationId}<\/code>. The registrationId<\/em> is the unique identifier of the provider, in our example, \u201cgithub\u201d. The redirect URL endpoint receives the authentication code from the provider and uses it to acquire an access token.<\/p>\nClick the Register Application<\/em> button. Copy the client id and client secret. We will use these credentials to configure our client application to use the client registration we just created.<\/p>\n
Open the application.properties<\/em> file and add the client registration information:<\/p>\n
application.properties<\/em><\/span><\/p>\n
spring.security.oauth2.client.registration.github.client-id=<your-client-id>\nspring.security.oauth2.client.registration.github.client-secret=<your-client-secret>\n<\/pre>\n
If you use Google, Facebook, GitHub, or Okta as your authentication provider, you are only required to provide the client id and client secret as Spring Boot will use a default configuration for the other necessary properties. The property names are prefixed with \u201cspring.security.oauth2.client.registration<\/em>\u201d followed by the client name, then the name of the client property. If you are using a different provider, additional properties are required. You can view the documentation for configuring your specific provider on their site.<\/p>\n
Next, we\u2019ll create two views, home.html<\/em> and classified.htm<\/em>l in the \/src\/main\/resources\/templates\/<\/em> folder.<\/p>\n
home.html<\/em><\/span><\/p>\n
<!DOCTYPE html>\n<html xmlns:th=\"http:\/\/www.thymeleaf.org\">\n<head>\n<meta charset=\"ISO-8859-1\">\n<title>Home Page<\/title>\n<\/head>\n<body>\n<h2>Hello!<\/h2>\n\n<\/body>\n<\/html>\n<\/pre>\n
classified.html<\/em><\/span><\/p>\n
<!DOCTYPE html>\n<html xmlns:th=\"http:\/\/www.thymeleaf.org\">\n<head>\n<meta charset=\"ISO-8859-1\">\n<title>Classified<\/title>\n<\/head>\n<body>\n<h2>This Page is Classified!<\/h2>\n\n\n<\/body>\n<\/html>\n<\/pre>\n
Notice that we declare the Thymeleaf namespace within the HTML tag, xmlns:th<\/em>=“http:\/\/www.thymeleaf.org<\/em>“.<\/p>\n
Let\u2019s add a controller to map these views to request URIs.<\/p>\n
AppController.java<\/em><\/span><\/p>\n
import org.springframework.stereotype.Controller;\nimport org.springframework.web.bind.annotation.GetMapping;\n\n@Controller\npublic class AppController {\n\n\t@GetMapping(\"\/\")\n\tpublic String home() {\n\t\treturn \"home\";\n\t}\n\t\n\t@GetMapping(\"\/classified\")\n\tpublic String classified() {\n\t\treturn \"classified\";\n\t}\n}\n<\/pre>\nLastly, we\u2019ll update the
SecurityConfiguration <\/code>class. Modify it as follows:<\/p>\nSecurityConfiguration.java<\/em><\/span><\/p>\n
@Configuration\npublic class SecurityConfiguration extends WebSecurityConfigurerAdapter {\n\n\t@Override\n\tprotected void configure(HttpSecurity http) throws Exception {\n\t\thttp.authorizeRequests()\n\t\t.antMatchers(\"\/\", \"\/actuator\").permitAll()\n\t\t.antMatchers(\"\/classified\").authenticated()\n\t\t.anyRequest().authenticated()\n\t\t.and()\n\t\t.oauth2Login();\n\t}\n}\n<\/pre>\nWe added \u201c\/\u201d<\/em> to the
antMatcher <\/code>that permits anyone access. We also explicitly protect “\/classified<\/em>” to authenticated users only. Finally, we added theOauth2LoginConfigurer <\/code>with oauth2Login()<\/em>.<\/p>\nRestart the application and point your browser to http:\/\/localhost:8080\/classified<\/em>. The client application redirects you to the GitHub client login page. <\/p>\n
\n![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/github-oauth-login-wm.jpg\")
GitHub OAuth Login<\/figcaption><\/figure>\n<\/div>\n Enter your credentials. You will be asked to give the client application read-only access to your profile data. <\/p>\n
\n![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/auth-user-github-wm.jpg\")
GitHub Authorization Page<\/figcaption><\/figure>\n<\/div>\n Authorize and you will be redirected to http:\/\/localhost:8080\/classified<\/em>.<\/p>\n
In this example, GitHub acts as both the authentication server and the resource server. (The user data is the resource.) You can use the Developer Tools in Chrome, Firefox, or Edge to view how the request gets redirected between the client application and GitHub. (Use the Network tab for this task.)<\/p>\n
A diagram and detailed explanation of the Authorization Code Grant is available at the IETF tools web site here: https:\/\/tools.ietf.org\/html\/rfc6749#section-4<\/a><\/p>\n
2.5 Add a Second Authentication Provider<\/h3>\n
Let\u2019s give the user an option to sign in through Google. First, you\u2019ll need to create a project in the Google API Console. Instructions are provided here https:\/\/developers.google.com\/identity\/protocols\/oauth2\/openid-connect#appsetup<\/a>. Don\u2019t forget to copy the client id and client secret. Add the Google registration details in application.properties<\/em>.<\/p>\n
application.properties<\/em><\/span><\/p>\n
spring.security.oauth2.client.registration.github.client-id=<your-client-id>\nspring.security.oauth2.client.registration.google.client-secret=<your-client-secret>\n<\/pre>\n
Restart the application and open a private browser window. (This is the simplest way to clear cached cookies and HTTP basic credentials.) Navigate to http:\/\/localhost:8080\/classified<\/em>. Spring Boot will generate a login page with both options since it does not know which of the two registered authentication providers to use.<\/p>\n
![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/login-with-oauth2-wm.jpg\")
Login with OAuth2<\/figcaption><\/figure>\n Click on the Google link. You will be redirected to the Google OAuth2 login page. Notice that the page is asking for consent to share your:<\/p>\n
- \n
- name<\/li>\n
- email address<\/li>\n
- language preference<\/li>\n
- profile picture<\/li>\n<\/ul>\n
Enter your credentials and you will be redirected to http:\/\/localhost:8080\/classified\/classified<\/em>.<\/p>\n
2.6 Add Personalization<\/h3>\n
Let\u2019s add a touch of personalization by displaying the user\u2019s name on the protected page. We cannot retrieve the name from the
Principal <\/code>object by calling itsgetName <\/code>method, since that will return the user\u2019s id and not the name. We can, however, retrieve it with theOAuth2User::getAttribute<\/code> method and add it to the model. We\u2019ll also add the user\u2019s authorities to the model to display, Add the following code to the controller class’classified <\/code>method:<\/p>\nAppController.java<\/em><\/span><\/p>\n
\t@GetMapping(\"\/classified\")\n\tpublic String classified(@AuthenticationPrincipal OAuth2User principal, Model model) {\n\t\tmodel.addAttribute(\"name\", principal.getAttribute(\"name\"));\n\t\tmodel.addAttribute(\"authorities\", principal.getAuthorities());\n\t\treturn \"classified\";\n\t}\n<\/pre>\n@AuthenticationPrincipal is used to resolve
Authentication::getPrincipal()<\/code> to a method argument. OAuth2User represents a userPrincipal<\/code> that is registered with an OAuth 2.0 provider.principal.getAuthorities() <\/code>returns aCollection <\/code>ofGrantedAuthority<\/code>s associated with the OAuth 2.0 token<\/p>\nWe\u2019ll also add a check on the restricted page to display the name only if the user is authenticated. While there are different ways to accomplish this, let\u2019s make use of Thymeleaf\u2019s Spring Security integration module. Update the pom.xml<\/em> file by adding the following dependency:<\/p>\n
pom.xml<\/em><\/span><\/p>\n
<dependency>\n\t<groupId>org.thymeleaf.extras<\/groupId>\n\t<artifactId>thymeleaf-extras-springsecurity5<\/artifactId>\n<\/dependency>\n<\/pre>\n
Now we can update classified.html<\/em>. Add follows just below the
<h2><\/code> heading:<\/p>\nclassified.html<\/em><\/span><\/p>\n
\n<div th:if=\"${#authorization.expression('isAuthenticated()')}\">\n <h3 th:inline=\"text\">Welcome <span th:text=\"${name}\">John Doe<\/span>!<\/h3>\n <h3 th:inline=\"text\">You have the following roles and scopes: <span th:text=\"${authorities}\">[ROLE_USER, SCOPE_read:user]<\/span><\/h3>\n<\/div>\n \n<div th:if=\"${#authorization.expression('hasRole(''ROLE_ADMIN'')')}\">\n <h3> You are assigned the role of 'ADMIN'<\/h3>\n<\/div>\n\n<div th:if=\"${#authorization.expression('hasRole(''ROLE_USER'')')}\">\n <h3>You are assigned the role of 'USER'.<\/h3>\n<\/div>\n<\/pre>\n#authorization. expression<\/em> is a utility object with methods used to check authorization, based on expressions. If this evaluates to true, we use the inline and text attributes to display the user\u2019s name and authorities.<\/p>\n
Also, we will display some feedback, depending on the user\u2019s role. For more information on Thymeleaf\u2019s Spring Security integration module, click here: https:\/\/github.com\/thymeleaf\/thymeleaf-extras-springsecurity<\/a><\/p>\n
Restart the application and point your browser to http:\/\/localhost:8080\/classified<\/em>.<\/p>\n
- Configure OAuth2 in your security configuration class\u2019
![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/roles-and-scopes-wm.jpg\")
![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/logout-button-wm.jpg\")
![\"\"](\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2020\/11\/u-have-been-signed-out-wm.jpg\")