The source code is at\u00a0https:\/\/github.com\/tuanngda\/spring-boot-oauth2-demo.git<\/a><\/p>\n We will not go to detail when you want to use Oauth2 and JWT. In general, you may want to adopt Oauth if you need to allow other people to build front end app for you services. We focus on Oauth2 and JWT because they are the most popular authentication framework and protocol in the market.<\/p>\n Spring Security Oauth2 is an implementation of Oauth 2 that built on top of Spring Security, which is a very extensible authentication framework.<\/p>\n In overall, Spring Security includes 2 basic steps, creating an authentication object for each request and applying authorization check depending on authentication. The first step was done in a multi layer Security Filter. Depending on the configuration, each layer can help to create authentication for basic authentication, digest authentication, form authentication or any custom authentication that we choose to implement ourselves. The client side session we built in previous article is one custom authentication and Spring Security Oauth 2 is another custom authentication.<\/p>\n Because in this example, our application both provides and consume token, Spring Security Oauth 2 should not be the sole authentication layer for the application. We need another authentication mechanism to protect the token provider endpoint.<\/p>\n For a cluster environment, the token or the secret to sign token (for JWT) suppose to be persisted but we skip this step to simplify the example. Similarly, the user authentication and client identities are all hard-coded.<\/p>\n In our application, we need to setup 3 components<\/p>\n In the above picture, Oauth2AuthenticationProcessingFilter appear in front of BasicAuthenticationFilter.<\/p>\n Here is our config for Authorization and Token Endpoint<\/p>\n There are few things worth noticing about this implementation. Here is our configuration for Resource Server Configuration<\/p>\n Here are few things to take note:<\/p>\n As mentioned earlier, because we need to protect the token provider endpoint.<\/p>\n There are few things to take note:<\/p>\n We wrote one test scenario for each authorization grant type following exactly Oauth2 specifications. Because Spring Security Oauth 2 is an implementation based on Spring Security framework, our interest is veered toward seeing how the underlying authentication and principal are constructed.<\/p>\n Before summarizing the outcome of experiment, let take a quick look at somethings to take notes.<\/p>\n Here is our setup:<\/p>\nBackground<\/h2>\n
Oauth2 and JWT<\/h4>\n
Spring Security Oauth 2<\/h4>\n
System Design<\/h2>\n
Overview<\/h4>\n
\n
![\"FilterChain\"](\"http:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2016\/04\/FilterChain.png\")
<\/a><\/p>\nAuthorization Server Configuration<\/h4>\n
@Configuration\r\n@EnableAuthorizationServer\r\npublic class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {\r\n\r\n @Value(\"${resource.id:spring-boot-application}\")\r\n private String resourceId;\r\n \r\n @Value(\"${access_token.validity_period:3600}\")\r\n int accessTokenValiditySeconds = 3600;\r\n\r\n @Autowired\r\n private AuthenticationManager authenticationManager;\r\n \r\n @Bean\r\n public JwtAccessTokenConverter accessTokenConverter() {\r\n return new JwtAccessTokenConverter();\r\n }\r\n\r\n @Override\r\n public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {\r\n endpoints\r\n .authenticationManager(this.authenticationManager)\r\n .accessTokenConverter(accessTokenConverter());\r\n }\r\n \r\n @Override\r\n public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {\r\n oauthServer.tokenKeyAccess(\"isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')\")\r\n .checkTokenAccess(\"hasAuthority('ROLE_TRUSTED_CLIENT')\");\r\n }\r\n\r\n @Override\r\n public void configure(ClientDetailsServiceConfigurer clients) throws Exception {\r\n clients.inMemory()\r\n .withClient(\"normal-app\")\r\n .authorizedGrantTypes(\"authorization_code\", \"implicit\")\r\n .authorities(\"ROLE_CLIENT\")\r\n .scopes(\"read\", \"write\")\r\n .resourceIds(resourceId)\r\n .accessTokenValiditySeconds(accessTokenValiditySeconds)\r\n .and()\r\n .withClient(\"trusted-app\")\r\n .authorizedGrantTypes(\"client_credentials\", \"password\")\r\n .authorities(\"ROLE_TRUSTED_CLIENT\")\r\n .scopes(\"read\", \"write\")\r\n .resourceIds(resourceId)\r\n .accessTokenValiditySeconds(accessTokenValiditySeconds)\r\n .secret(\"secret\");\r\n }\r\n}<\/pre>\n\n
Resource Server Configuration<\/h4>\n
@Configuration\r\n@EnableResourceServer\r\npublic class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {\r\n \r\n @Value(\"${resource.id:spring-boot-application}\")\r\n private String resourceId;\r\n \r\n @Override\r\n public void configure(ResourceServerSecurityConfigurer resources) {\r\n resources.resourceId(resourceId);\r\n }\r\n\r\n @Override\r\n public void configure(HttpSecurity http) throws Exception {\r\n http.requestMatcher(new OAuthRequestedMatcher())\r\n .authorizeRequests()\r\n .antMatchers(HttpMethod.OPTIONS).permitAll()\r\n .anyRequest().authenticated();\r\n }\r\n \r\n private static class OAuthRequestedMatcher implements RequestMatcher {\r\n public boolean matches(HttpServletRequest request) {\r\n String auth = request.getHeader(\"Authorization\");\r\n \/\/ Determine if the client request contained an OAuth Authorization\r\n boolean haveOauth2Token = (auth != null) && auth.startsWith(\"Bearer\");\r\n boolean haveAccessToken = request.getParameter(\"access_token\")!=null;\r\n return haveOauth2Token || haveAccessToken;\r\n }\r\n }\r\n\r\n}<\/pre>\n\n
\n
Basic Authentication Security Configuration<\/h4>\n
@Configuration\r\n@EnableGlobalMethodSecurity(prePostEnabled = true)\r\n@EnableWebSecurity\r\npublic class SecurityConfiguration extends WebSecurityConfigurerAdapter {\r\n \r\n @Autowired\r\n public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {\r\n auth.inMemoryAuthentication().withUser(\"user\").password(\"password\").roles(\"USER\").and().withUser(\"admin\")\r\n .password(\"password\").roles(\"USER\", \"ADMIN\");\r\n }\r\n \r\n @Override\r\n protected void configure(HttpSecurity http) throws Exception {\r\n http\r\n .authorizeRequests()\r\n .antMatchers(HttpMethod.OPTIONS).permitAll()\r\n .anyRequest().authenticated()\r\n .and().httpBasic()\r\n .and().csrf().disable();\r\n }\r\n \r\n @Override\r\n @Bean\r\n public AuthenticationManager authenticationManagerBean() throws Exception {\r\n return super.authenticationManagerBean();\r\n }\r\n}<\/pre>\n\n
Testing<\/h2>\n
\n