{"id":70234,"date":"2017-11-06T19:40:28","date_gmt":"2017-11-06T17:40:28","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=70234"},"modified":"2017-11-14T09:53:49","modified_gmt":"2017-11-14T07:53:49","slug":"secure-java-app-spring-security-thymeleaf-okta","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html","title":{"rendered":"Secure Your Java App with Spring Security, Thymeleaf, and Okta"},"content":{"rendered":"

Never Build Auth Again<\/b> – Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to your app in minutes. Create a free developer account today.<\/a><\/span><\/p>\n

When you\u2019re building your java app, user management is a critical consideration. It\u2019s common for apps and APIs to partition access to different parts of an application, depending on the roles assigned to a user \u2013 this is role-based access control (RBAC).<\/p>\n

This is where Okta comes in \u2013 Okta simplifies this by managing roles within groups (users can belong to one or more groups). With Okta\u2019s Spring Security integration, this process becomes automated through the use of common annotations that map groups to specific roles and either allow or deny access. This is done using common Spring Security annotations, which we\u2019ve outlined below.<\/p>\n

To show this in practice, I\u2019ve put together a demo below that walks through a simple, but common scenario. For our example, we\u2019ll look at a mix of unprotected pages, pages that only an authenticated user\u00a0 can access, and pages that require users to have an extra level of authorization before they can access them.<\/p>\n

We\u2019ve added all of the code we reference throughout here.<\/a><\/p>\n

If you\u2019re already looking to dive in and get started with built-in RBAC for your Java app, simply wire up your Okta tenant to a Spring Boot application here<\/a>.<\/p>\n

If you have any questions, contact Okta\u2019s dev support team here.<\/a><\/em><\/p>\n

Step One: Configure Your Okta Account<\/h2>\n

The first step is setting up your Okta tenant. This way, you can launch the sample app we\u2019ve created and see this in action. Sign up for a developer account here<\/a> and then follow the steps below:<\/p>\n

    \n
  1. Create an admins<\/code> group<\/li>\n
  2. Create a users<\/code> group<\/li>\n
  3. Create a user who belongs to the users<\/code> groups<\/li>\n
  4. Create a second user who belongs to both groups<\/li>\n
  5. Create an OpenID Connect (OIDC) application<\/li>\n
  6. Add the two groups to the application<\/li>\n
  7. Configure the default Authorization Server to include group memberships in access tokens<\/li>\n<\/ol>\n

    Let\u2019s walk through what this looks like:<\/p>\n

    Setting Up Groups<\/h3>\n

    In your Okta Admin Dashboard menu, find Users<\/code> and then click Groups<\/code>. Click Add Group<\/code> and enter admins<\/code> in the Name<\/code> field and add a group description, like: Admins. Click Add Group<\/code> to finish this step.<\/p>\n

    Follow the same process to add a users<\/code> Group.<\/p>\n

    \"\"<\/a><\/p>\n

    Setting Up Users<\/h3>\n

    Again, navigate to Users<\/code> in the Okta Admin Dashboard, but this time click People<\/code>. Click Add User<\/code> and fill in the form with the user information. (Use a real email address for either the primary or secondary email address \u2013 and one that you have access to \u2013 so that you can validate the email later.) In the Groups<\/code> field, add this users to the users<\/code> group you created earlier. Make sure you\u2019ve clicked the Send user activation email now<\/code> checkbox and then click “Save and Add Another”.<\/p>\n

    \"\"<\/a><\/p>\n

    Repeat the steps we outlined above, only this time, add the second user to both<\/em> the users<\/code> and admins<\/code> groups.<\/p>\n

    \"\"<\/a><\/p>\n

    Hop over to your email and validate those email addresses. Click the links for both users to activate them.<\/p>\n

    Creating an OIDC Application<\/h3>\n

    Now it\u2019s time to set up your authentication layer.<\/p>\n

    In the Okta Admin Dashboard, click Applications<\/code> in the menu and then click Add Application<\/code>.<\/p>\n

    \"\"<\/a><\/p>\n

    Choose Web<\/code> and click Next<\/code>.<\/p>\n

    When you\u2019re prompted to fill out the form, use these values:<\/p>\n

    | Field\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Value\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| ------------------- | ------------------------------ |\r\n| Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Fun with Spring Security Roles |\r\n| Base URIs\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | http:\/\/localhost:8080\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| Login redirect URIs | http:\/\/localhost:8080\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| Group assignments\u00a0\u00a0 | `admins` and `users`\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| Grant type allowed\u00a0 | Check: `Implicit`\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<\/pre>\n
    Once you\u2019re ready, click `Done` and you\u2019ll see the resulting page below:<\/p>\n
    \"\"<\/a><\/p>\n
    Tip<\/strong>
    \nThe URIs specified are the Spring Boot defaults. You can easily change these later on.<\/div>\n
    Before moving on to the next step, scroll down and note the Client ID<\/code>. You’ll need it to configure the Spring Boot app.<\/p>\n
    \u00a0Setting Up Your Authorization Server<\/h3>\n
    Next, look for API<\/code> in the Okta Admin Dashboard menu and click Authorization Servers<\/code> to launch the following:<\/p>\n
    \"\"<\/a><\/p>\n
    Take note of the Issuer URI<\/code>. You’ll also need this later to configure the Spring Boot app.<\/p>\n
    Click default<\/code> and choose the Claims<\/code> tab. Click Add Claim<\/code> and fill out the fields as follows:
     
    <\/div> <\/div><\/p>\n
    | Field\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Value\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| --------------------- | ------------ |\r\n| Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | groups\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| Include in token type | Access Token |\r\n| Value type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Groups\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| Filter\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Regex .*\u00a0\u00a0\u00a0\u00a0 |\r\n| Include in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Any scope\u00a0\u00a0\u00a0 |<\/pre>\n
    Click Create<\/code> to finish this step.<\/p>\n
    \"\"<\/a><\/p>\n
    Creating this Claim ensures that group membership information is included in the Access Token when a user authenticates. This step is critical to hook into Spring Security\u2019s roles and authorities mechanism.<\/p>\n
    Step Two: Configure Your Spring Boot App<\/h2>\n
    First, clone the at this link.<\/a><\/p>\n
    Open the project in your preferred IDE or editor. The screenshots below are from here.<\/a><\/p>\n
    Make a copy of the application.yml.sample<\/code> file and name it application.yml<\/code><\/p>\n
    Remember those values we flagged to save earlier? Update your information with those. Here\u2019s our example:<\/p>\n
    | Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | Value\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| ----------- | ------------------------------------------------- |\r\n| baseUrl\u00a0\u00a0\u00a0\u00a0 | https:\/\/dev-237330.oktapreview.com\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| issuer\u00a0\u00a0\u00a0\u00a0\u00a0 | https:\/\/dev-237330.oktapreview.com\/oauth2\/default |\r\n| audience\u00a0\u00a0\u00a0 | api:\/\/default\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| clientId\u00a0\u00a0\u00a0 | 0oacdldhkydGGruON0h7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| rolesClaim\u00a0 | groups\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n| redirectUri | http:\/\/localhost:8080\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |<\/pre>\n
    Before we jump into the code, let\u2019s see the application in action.<\/p>\n
    Run this from the command line to get started:<\/p>\n
    mvn spring-boot:run<\/pre>\n
    See the App in Action<\/h2>\n
    Navigate to the home page and click Login<\/code>.<\/p>\n
    \"\"<\/a><\/p>\n
    To sign in, use the credentials for the user that belongs to the Users<\/code> group you created in step one. From there, you\u2019ll see that the app shows your user information and displays a row of buttons below it.<\/p>\n
    These correspond with access permissions within the app. Members of the users<\/code> group will be able to see the page when Users Only<\/code> is clicked. This is the same case for users of the admins<\/code> group, who can see the page when Admins Only<\/code> is clicked.<\/p>\n
    \"\"<\/a><\/p>\n
    Let\u2019s see how this works.<\/p>\n
    Click Users Only<\/code>. You\u2019ll see a page that shows that you\u2019re a member of the users<\/code> group.
    \nClick Back<\/code> and then click Admins Only<\/code>. This time, you\u2019ll get a 403 Unauthorized<\/code> page because you\u2019re not a member of the admins<\/code> group.
    \nClick Logout<\/code> and sign in again, but this time as the user that belongs to both groups (the second user you created in Step One).
    \nClick Admins Only<\/code>.<\/p>\n
    \"\"<\/a><\/p>\n
    This time, you\u2019ll see that you are in both the admins<\/code> and users<\/code> groups.<\/p>\n
    Pretty straightforward! Now let\u2019s jump into the code…<\/p>\n
    Step Three: Spring Security Code Review<\/h2>\n
    This section outlines how Okta groups link up to Spring Security roles.<\/p>\n
    The demo<\/a> application\u00a0uses the following:<\/p>\n
      \n
    1. Spring Boot<\/li>\n
    2. Spring Security<\/li>\n
    3. Spring Security OAuth2<\/li>\n
    4. Okta Spring Security Starter<\/li>\n
    5. Thymeleaf Templates<\/li>\n
    6. Thymeleaf Extras for Spring Security 4<\/li>\n
    7. Okta Sign-In Widget<\/li>\n<\/ol>\n
      We depend on the okta-spring-security-starter<\/code> (from pom.xml). That\u2019s how the behind-the-scenes magic happens:<\/p>\n
      ...\r\n<dependency>\r\n\t<groupId>com.okta.spring<\/groupId>\r\n\t<artifactId>okta-spring-security-starter<\/artifactId>\r\n\t<version>0.1.0<\/version>\r\n<\/dependency>\r\n...\r\n<\/pre>\n
      Let’s start with the Javascript Okta Sign-In Widget and see how it connects the client side to Spring Boot.<\/p>\n
      Setting Up the Okta Sign-In Widget<\/h3>\n
      Here\u2019s how we set up the Okta Sign-In widget in the `login.html` Thymeleaf template:<\/p>\n
      $( document ).ready(function() {\r\n    var data = {\r\n        baseUrl: [[${appProperties.baseUrl}]],\r\n        clientId: [[${appProperties.clientId}]],\r\n        redirectUri: [[${appProperties.redirectUri}]],\r\n        authParams: {\r\n            issuer: [[${appProperties.issuer}]],\r\n            responseType: ['token']\r\n        }\r\n    };\r\n    window.oktaSignIn = new OktaSignIn(data);\r\n\r\n    \/\/ Check if we already have an access token\r\n    var token = oktaSignIn.tokenManager.get('token');\r\n    if (token) {\r\n        window.location.href = \"\/authenticated\";\r\n    } else {\r\n        renderWidget();\r\n    }\r\n});<\/pre>\n
      In lines 3\u20138, you\u2019ll see that we\u2019ve embedded all the settings to connect to our Okta tenant as inline Thymeleaf Template variables. These values are passed in from the Spring Boot controller as part of the model. By doing this, you only have to specify these settings once \u2013 now both the server and client side can make sure of them. We\u2019ll elaborate on how these settings are managed below (they all come from the application.yml<\/code> file).<\/p>\n
      After we\u2019ve configured and instantiated the Okta Sign-In Widget, the next step is to check whether or not the user has logged in. Then we take one of two actions. If they have, we send them to the \/authenticated<\/code> page. If they haven\u2019t, we render the widget, which gives the user the opportunity to log in.<\/p>\n
      Here’s the renderWidget<\/code> function:<\/p>\n
      function renderWidget() {\r\n    oktaSignIn.renderEl(\r\n        {el: '#okta-login-container'},\r\n        function (response) {\r\n\r\n            \/\/ check if success\r\n            if (response.status === 'SUCCESS') {\r\n\r\n                \/\/ for our example we have the id token and the access token\r\n                oktaSignIn.tokenManager.add('token', response[0]);\r\n\r\n                if (!document.location.protocol.startsWith('https')) {\r\n                    console.log(\r\n                        'WARNING: You are about to pass a bearer token in a cookie over an insecure\\n' +\r\n                        'connection. This should *NEVER* be done in a production environment per\\n' +\r\n                        'https:\/\/tools.ietf.org\/html\/rfc6750'\r\n                    );\r\n                }\r\n                document.cookie = 'access_token=' + oktaSignIn.tokenManager.get('token').accessToken;\r\n                document.location.href = \"\/authenticated\";\r\n            }\r\n        },\r\n        function (err) {\r\n            \/\/ handle any errors\r\n            console.log(err);\r\n        }\r\n    );\r\n}\r\n<\/pre>\n
      Once the widget is rendered on the page, the internal logic takes over based on your settings when the user logs in. In this case, you are using this<\/a> flow and will get back only an access token as specified by the responseType<\/code> parameter of the configuration.<\/p>\n
      On successful login, you enter the callback function with a response<\/code> object. The response object has your (or in this case, your user\u2019s) access token.<\/p>\n
      Line 19 sets a cookie with the access token and line 20 sends the (now authenticated) user to the \/authenticated<\/code> endpoint.<\/p>\n
      At this point, Spring Security can recognize the authenticated user.<\/p>\n
      Before we look at Spring Security roles, let’s see how Spring Security deals with the access token.<\/p>\n
      Spring Security Token Extractor<\/h3>\n
      By default, the Spring Security OAuth 2.0 plugin processes access tokens coming in on an Authorization<\/code> header as a bearer token. This is fine for applications that are creating RESTful responses for clients, such as an Angular client.<\/p>\n
      For this example, I kept the architecture and amount of Javascript minimal, so I wanted full page transitions. This is a little old-school, but it keeps the example code tight and small.<\/p>\n
      In order for Spring Security to recognize that a user has authenticated, we need it to be able to handle the token coming in on a cookie.<\/p>\n
      Fortunately, Spring Security makes it pretty easy to override the default behavior by setting a TokenExtractor<\/code>. Here’s the code that makes this happen from OktaSpringSecurityRolesExampleApplication<\/code>:<\/p>\n
      @Bean\r\nprotected ResourceServerConfigurerAdapter resourceServerConfigurerAdapter() {\r\n    return new ResourceServerConfigurerAdapter() {\r\n\r\n        ...\r\n\r\n        @Override\r\n        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {\r\n            resources.tokenExtractor(new TokenExtractor() {\r\n\r\n                @Override\r\n                public Authentication extract(HttpServletRequest request) {\r\n                    String tokenValue = findCookie(ACCESS_TOKEN_COOKIE_NAME, request.getCookies());\r\n                    if (tokenValue == null) { return null; }\r\n\r\n                    return new PreAuthenticatedAuthenticationToken(tokenValue, \"\");\r\n                }\r\n\r\n                ...\r\n            });\r\n        }\r\n    };\r\n}\r\n<\/pre>\n
      What this does is pull the access token from the list of cookies on the incoming request, if it can. Then the parsing and validation is done automatically. Voila!<\/p>\n
      Establishing Role Based Access Controls<\/h3>\n
      In the application setup, you define which paths are open. All other paths require an authenticated session at least.<\/p>\n
      Here’s another excerpt from OktaSpringSecurityRolesExampleApplication<\/code>:<\/p>\n
      @Bean\r\nprotected ResourceServerConfigurerAdapter resourceServerConfigurerAdapter() {\r\n    return new ResourceServerConfigurerAdapter() {\r\n\r\n        @Override\r\n        public void configure(HttpSecurity http) throws Exception {\r\n            http.authorizeRequests()\r\n                .antMatchers(\"\/\", \"\/login\", \"\/images\/**\").permitAll()\r\n                .and()\r\n                .exceptionHandling().accessDeniedHandler(customAccessDeniedHandler);\r\n        }\r\n        ...\r\n    };\r\n}<\/pre>\n
      In this case, you are telling Spring Security to let any unauthenticated user access the home page (\/<\/code>), the login page (\/login<\/code>), and anything that comes from the static images folder. This means that every other path is automatically restricted by default.<\/p>\n
      At this point, you also define a custom access-denied handler.<\/p>\n
      @Controller\r\npublic class SecureController {\r\n\r\n    @Autowired\r\n    protected AppProperties appProperties;\r\n\r\n    @RequestMapping(\"\/authenticated\")\r\n    public String authenticated(Model model) {\r\n        model.addAttribute(\"appProperties\", appProperties);\r\n        return \"authenticated\";\r\n    }\r\n\r\n    @RequestMapping(\"\/users\")\r\n    @PreAuthorize(\"hasAuthority('users')\")\r\n    public String users() {\r\n        return \"roles\";\r\n    }\r\n\r\n    @RequestMapping(\"\/admins\")\r\n    @PreAuthorize(\"hasAuthority('admins')\")\r\n    public String admins() {\r\n        return \"roles\";\r\n    }\r\n\r\n    @RequestMapping(\"\/403\")\r\n    public String error403() {\r\n        return \"403\";\r\n    }\r\n}<\/pre>\n
      Within this controller, we\u2019ve defined four paths, which all require an authenticated user at a minimum.<\/p>\n
      The real value comes in with the \/users<\/code> and \/admins<\/code> paths. Notice that they both have the @PreAuthorize<\/code> annotation. This means that the<\/a> expression that follows must be satisfied before the method will even be entered. The hasAuthority<\/code> function confirms whether the authenticated user belongs to those roles. In this example, these are automatically mapped to the Okta groups we created previously, which is why it was important to include the groups<\/code> claim in the access token from Okta.<\/p>\n
      While this involves a bit of set-up, now you have role-based access control with just one line of code!<\/p>\n
      End-to-End Configuration<\/h2>\n
      On the client side, we have a set of HTML pages in the form of Thymeleaf templates served from the application itself. Because of this, it makes sense to have a single source for configuration values required by both the client and server.<\/p>\n
      This is easy with Spring\u2019s @Component<\/code> and @ConfigurationProperties<\/code> annotations.<\/p>\n
      Here’s the AppProperties<\/code> class:<\/p>\n
      @Component\r\n@ConfigurationProperties(\"okta.oauth\")\r\npublic class AppProperties {\r\n    private String issuer;\r\n    private String audience;\r\n    private String clientId;\r\n    private String rolesClaim;\r\n    private String baseUrl;\r\n    private String redirectUri;\r\n\r\n    ... getters and setters ...\r\n}<\/pre>\n
      The @ConfigurationProperties<\/code> tells Spring to pull in all the properties from the application.yml <\/code>file that belong to the okta.oauth<\/code> key.<\/p>\n
      The @Component<\/code> annotation causes Spring to instantiate this Object and make it available for auto-wiring elsewhere.<\/p>\n
      Take a look at this snippet from the HomeController<\/code>:<\/p>\n
      @Controller\r\npublic class HomeController {\r\n\r\n    @Autowired\r\n    protected AppProperties appProperties;\r\n\r\n    ...\r\n\r\n    @RequestMapping(\"\/login\")\r\n    public String login(Model model) {\r\n        model.addAttribute(\"appProperties\", appProperties);\r\n        return \"login\";\r\n    }\r\n}<\/pre>\n
      Before returning the login<\/code> view when the \/login <\/code>endpoint is hit, the AppProperties<\/code> object (autowired in on lines 4 & 5) is added to the model.<\/p>\n
      This is what makes it available to the Thymeleaf template as you saw before:<\/p>\n
      <script th:inline=\"javascript\">\r\n    \/*<![CDATA[*\/\r\n    $( document ).ready(function() {\r\n        var data = {\r\n            baseUrl: [[${appProperties.baseUrl}]],\r\n            clientId: [[${appProperties.clientId}]],\r\n            redirectUri: [[${appProperties.redirectUri}]],\r\n            authParams: {\r\n                issuer: [[${appProperties.issuer}]],\r\n                responseType: ['token']\r\n            }\r\n        };\r\n        window.oktaSignIn = new OktaSignIn(data);\r\n        ...\r\n    });\r\n    ...\r\n    \/*]]>*\/\r\n<\/script><\/pre>\n
      Start Coding!<\/h2>\n
      And that\u2019s it! Give it a go and let me know how it goes! I\u2019m on Twitter.<\/a><\/p>\n
      While I\u2019ve outlined the benefits of using Okta\u2019s Groups mechanism with Spring Security\u2019s role-based access control, Okta\u2019s Java dev team is working hard on our next generation SDK and integrations as well. Keep an eye out for upcoming releases of the new Okta Java Spring Boot Integration, which will have have support for other OIDC workflows, including code<\/code> as well as hosted, configurable login and registration views.<\/p>\n
      This post has been adapted from here.<\/a><\/em><\/p>\n
      Never Build Auth Again<\/b> – Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to your app in minutes. Create a free developer account today.<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
      Never Build Auth Again – Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to your app in minutes. Create a free developer account today. When you\u2019re building your java app, user management is a critical consideration. It\u2019s common for apps and APIs to partition access to …<\/p>\n","protected":false},"author":1062,"featured_media":240,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[1594,297,1615,30,125,739],"class_list":["post-70234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-okta","tag-security","tag-sponsored","tag-spring","tag-spring-security","tag-thymeleaf"],"yoast_head":"\nSecure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks<\/title>\n<meta name=\"description\" content=\"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks\" \/>\n<meta property=\"og:description\" content=\"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html\" \/>\n<meta property=\"og:site_name\" content=\"Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-06T17:40:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-11-14T07:53:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Micah Silverman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Micah Silverman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html\"},\"author\":{\"name\":\"Micah Silverman\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/fd211fe0d3a9791d30dd0ca5276d9660\"},\"headline\":\"Secure Your Java App with Spring Security, Thymeleaf, and Okta\",\"datePublished\":\"2017-11-06T17:40:28+00:00\",\"dateModified\":\"2017-11-14T07:53:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html\"},\"wordCount\":1909,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-logo.jpg\",\"keywords\":[\"Okta\",\"Security\",\"Sponsored\",\"Spring\",\"Spring Security\",\"Thymeleaf\"],\"articleSection\":[\"Enterprise Java\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html\",\"name\":\"Secure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-logo.jpg\",\"datePublished\":\"2017-11-06T17:40:28+00:00\",\"dateModified\":\"2017-11-14T07:53:49+00:00\",\"description\":\"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-logo.jpg\",\"width\":150,\"height\":150,\"caption\":\"spring-interview-questions-answers\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2017\\\/11\\\/secure-java-app-spring-security-thymeleaf-okta.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\\\/enterprise-java\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Secure Your Java App with Spring Security, Thymeleaf, and Okta\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Developers Resource Center\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.javacodegeeks.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/javacodegeeks\",\"https:\\\/\\\/x.com\\\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/fd211fe0d3a9791d30dd0ca5276d9660\",\"name\":\"Micah Silverman\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g\",\"caption\":\"Micah Silverman\"},\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/author\\\/micah-silverman\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Secure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks","description":"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html","og_locale":"en_US","og_type":"article","og_title":"Secure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks","og_description":"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to","og_url":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2017-11-06T17:40:28+00:00","article_modified_time":"2017-11-14T07:53:49+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg","type":"image\/jpeg"}],"author":"Micah Silverman","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Micah Silverman","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#article","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html"},"author":{"name":"Micah Silverman","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/fd211fe0d3a9791d30dd0ca5276d9660"},"headline":"Secure Your Java App with Spring Security, Thymeleaf, and Okta","datePublished":"2017-11-06T17:40:28+00:00","dateModified":"2017-11-14T07:53:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html"},"wordCount":1909,"commentCount":0,"publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg","keywords":["Okta","Security","Sponsored","Spring","Spring Security","Thymeleaf"],"articleSection":["Enterprise Java"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html","url":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html","name":"Secure Your Java App with Spring Security, Thymeleaf, and Okta - Java Code Geeks","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg","datePublished":"2017-11-06T17:40:28+00:00","dateModified":"2017-11-14T07:53:49+00:00","description":"Never Build Auth Again - Love building user management? With Okta, you can add social login, multi-factor authentication, and OpenID Connect support to","breadcrumb":{"@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#primaryimage","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-logo.jpg","width":150,"height":150,"caption":"spring-interview-questions-answers"},{"@type":"BreadcrumbList","@id":"https:\/\/www.javacodegeeks.com\/2017\/11\/secure-java-app-spring-security-thymeleaf-okta.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"Java","item":"https:\/\/www.javacodegeeks.com\/category\/java"},{"@type":"ListItem","position":3,"name":"Enterprise Java","item":"https:\/\/www.javacodegeeks.com\/category\/java\/enterprise-java"},{"@type":"ListItem","position":4,"name":"Secure Your Java App with Spring Security, Thymeleaf, and Okta"}]},{"@type":"WebSite","@id":"https:\/\/www.javacodegeeks.com\/#website","url":"https:\/\/www.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Developers Resource Center","publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.javacodegeeks.com\/#organization","name":"Exelixis Media P.C.","url":"https:\/\/www.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/fd211fe0d3a9791d30dd0ca5276d9660","name":"Micah Silverman","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fdd31b256ed406e9651be5c9f709a208535846dc978cc1b1211f9ca2473709de?s=96&d=mm&r=g","caption":"Micah Silverman"},"url":"https:\/\/www.javacodegeeks.com\/author\/micah-silverman"}]}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/70234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/1062"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=70234"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/70234\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/240"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=70234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=70234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=70234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}