\nIt is not Proxy server, firewall, OS level Security, Intrusion Detection System,\u00a0 and JVM Security.<\/p>\n
OAuth<\/strong> is open authorization protocol, which allows accessing resources of the resource owner by enabling the client applications on HTTP services such as Gmail, GitHub, etc.<\/p>\n The OAuth 2.0 framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between resource owner and HTTP service, or by allowing the third-party application to obtain access on its own behalf.<\/p><\/blockquote>\n OAuth2 Roles :<\/strong> There are four roles which can applied on OAuth2.<\/p>\n OAuth2 Tokens :<\/strong> Tokens are implementation specific random strings, generated by the authorization server.<\/p>\n First create a maven project<\/strong> here.,in eclipse IDE which will looks like :<\/p>\n <\/p>\n <\/p>\n <\/p>\n\n
![\"\"](\"https:\/\/www.innovationm.com\/blog\/wp-content\/uploads\/2018\/06\/Oauth-architecture-300x167.png\")
<\/p>\n\n
Now, let’s implement the project for Spring Security with OAuth2 :<\/h4>\n
![\"\"](\"https:\/\/www.innovationm.com\/blog\/wp-content\/uploads\/2018\/06\/image-178x300.png\")
<\/p>\nResource Server<\/h2>\n
package com.security.oauth.security;\r\n\r\nimport org.springframework.context.annotation.Configuration;\r\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\r\nimport org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;\r\nimport org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;\r\nimport org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;\r\nimport org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;\r\n\r\n@Configuration\r\n@EnableResourceServer \r\n\/*@EnableResourceServer enables a Spring Security filter that authenticates requests using an incoming OAuth2 token.*\/\r\npublic class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {\r\n\t\/*class ResourceServerConfigurerAdapter implements ResourceServerConfigurer providing methods to adjust the access rules and paths that are protected by OAuth2 security.*\/\r\n\tprivate static final String RESOURCE_ID = \"my_rest_api\";\r\n\t\r\n\t@Override\r\n\tpublic void configure(ResourceServerSecurityConfigurer resources) {\r\n\t\tresources.resourceId(RESOURCE_ID).stateless(false);\r\n\t}\r\n\r\n\t@Override\r\n\tpublic void configure(HttpSecurity http) throws Exception {\r\n\t\thttp.\r\n\t\tanonymous().disable()\r\n\t\t.requestMatchers().antMatchers(\"\/user\/**\")\r\n\t\t.and().authorizeRequests()\r\n\t\t.antMatchers(\"\/user\/**\").access(\"hasRole('ADMIN')\")\r\n\t\t.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());\r\n\t}\r\n\r\n}<\/pre>\nAuthorization Server<\/h2>\n
package com.security.oauth.security;\r\n\r\nimport org.springframework.beans.factory.annotation.Autowired;\r\nimport org.springframework.beans.factory.annotation.Qualifier;\r\nimport org.springframework.context.annotation.Configuration;\r\nimport org.springframework.security.authentication.AuthenticationManager;\r\nimport org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;\r\nimport org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;\r\nimport org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;\r\nimport org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;\r\nimport org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;\r\nimport org.springframework.security.oauth2.provider.approval.UserApprovalHandler;\r\nimport org.springframework.security.oauth2.provider.token.TokenStore;\r\n\r\n@Configuration\r\n@EnableAuthorizationServer\r\n\/*@EnableAuthorizationServer enables an Authorization Server (i.e. an AuthorizationEndpoint and a TokenEndpoint) in the current application context.*\/\r\npublic class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {\r\n\/*class AuthorizationServerConfigurerAdapter implements AuthorizationServerConfigurer which provides all the necessary methods to configure an Authorization server.*\/\r\n\tprivate static String REALM=\"MY_OAUTH_REALM\";\r\n\t\r\n\t@Autowired\r\n\tprivate TokenStore tokenStore;\r\n\r\n\t@Autowired\r\n\tprivate UserApprovalHandler userApprovalHandler;\r\n\r\n\t@Autowired\r\n\t@Qualifier(\"authenticationManagerBean\")\r\n\tprivate AuthenticationManager authenticationManager;\r\n\r\n\t@Override\r\n\tpublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {\r\n\r\n\t\tclients.inMemory()\r\n\t .withClient(\"my-trusted-client\")\r\n .authorizedGrantTypes(\"password\", \"authorization_code\", \"refresh_token\", \"implicit\")\r\n .authorities(\"ROLE_CLIENT\", \"ROLE_TRUSTED_CLIENT\")\r\n .scopes(\"read\", \"write\", \"trust\")\r\n .secret(\"secret\")\r\n .accessTokenValiditySeconds(120).\/\/Access token is only valid for 2 minutes.\r\n refreshTokenValiditySeconds(600);\/\/Refresh token is only valid for 10 minutes.\r\n\t}\r\n\r\n\t@Override\r\n\tpublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {\r\n\t\tendpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)\r\n\t\t\t\t.authenticationManager(authenticationManager);\r\n\t}\r\n\r\n\t@Override\r\n\tpublic void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {\r\n\t\toauthServer.realm(REALM+\"\/client\");\r\n\t}\r\n\r\n}<\/pre>\nSecurity Configuration<\/h2>\n
package com.security.oauth.security;\r\n\r\nimport org.springframework.beans.factory.annotation.Autowired;\r\nimport org.springframework.context.annotation.Bean;\r\nimport org.springframework.context.annotation.Configuration;\r\nimport org.springframework.security.authentication.AuthenticationManager;\r\nimport org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;\r\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\r\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\r\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\r\nimport org.springframework.security.crypto.password.NoOpPasswordEncoder;\r\nimport org.springframework.security.oauth2.provider.ClientDetailsService;\r\nimport org.springframework.security.oauth2.provider.approval.ApprovalStore;\r\nimport org.springframework.security.oauth2.provider.approval.TokenApprovalStore;\r\nimport org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;\r\nimport org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;\r\nimport org.springframework.security.oauth2.provider.token.TokenStore;\r\nimport org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;\r\n\r\n@Configuration\r\n@EnableWebSecurity\r\npublic class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {\r\n\r\n\t@Autowired\r\n\tprivate ClientDetailsService clientDetailsService;\r\n\t\r\n\t@Autowired\r\n public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {\r\n auth.inMemoryAuthentication()\r\n .withUser(\"bill\").password(\"abc123\").roles(\"ADMIN\").and()\r\n .withUser(\"bob\").password(\"abc123\").roles(\"USER\");\r\n }\r\n\t\r\n\r\n @Override\r\n protected void configure(HttpSecurity http) throws Exception {\r\n\t\thttp\r\n\t\t.csrf().disable()\r\n\t\t.anonymous().disable()\r\n\t \t.authorizeRequests()\r\n\t \t.antMatchers(\"\/oauth\/token\").permitAll();\r\n }\r\n\r\n @Override\r\n @Bean\r\n public AuthenticationManager authenticationManagerBean() throws Exception {\r\n return super.authenticationManagerBean();\r\n }\r\n\r\n\r\n\t@Bean\r\n\tpublic TokenStore tokenStore() {\r\n\t\treturn new InMemoryTokenStore();\r\n\t}\r\n\r\n\t@Bean\r\n\t@Autowired\r\n\tpublic TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){\r\n\t\tTokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();\r\n\t\thandler.setTokenStore(tokenStore);\r\n\t\thandler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));\r\n\t\thandler.setClientDetailsService(clientDetailsService);\r\n\t\treturn handler;\r\n\t}\r\n\t\r\n\t@Bean\r\n\t@Autowired\r\n\tpublic ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {\r\n\t\tTokenApprovalStore store = new TokenApprovalStore();\r\n\t\tstore.setTokenStore(tokenStore);\r\n\t\treturn store;\r\n\t}\r\n\t\r\n}\r\n<\/pre>\nMethod Security Configuration<\/h2>\n
package com.security.oauth.security;\r\n\r\nimport org.springframework.beans.factory.annotation.Autowired;\r\nimport org.springframework.context.annotation.Configuration;\r\nimport org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;\r\nimport org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;\r\nimport org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;\r\nimport org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;\r\n\r\n@Configuration\r\n@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)\r\npublic class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {\r\n @SuppressWarnings(\"unused\")\r\n\t@Autowired\r\n private OAuth2SecurityConfiguration securityConfig;\r\n \r\n @Override\r\n protected MethodSecurityExpressionHandler createExpressionHandler() {\r\n return new OAuth2MethodSecurityExpressionHandler();\r\n }\r\n}\r\n<\/pre>\nController<\/h2>\n
package com.security.oauth.controller;\r\n \r\nimport java.util.List;\r\n \r\nimport org.springframework.beans.factory.annotation.Autowired;\r\nimport org.springframework.http.HttpHeaders;\r\nimport org.springframework.http.HttpStatus;\r\nimport org.springframework.http.MediaType;\r\nimport org.springframework.http.ResponseEntity;\r\nimport org.springframework.web.bind.annotation.PathVariable;\r\nimport org.springframework.web.bind.annotation.RequestBody;\r\nimport org.springframework.web.bind.annotation.RequestMapping;\r\nimport org.springframework.web.bind.annotation.RequestMethod;\r\nimport org.springframework.web.bind.annotation.RestController;\r\nimport org.springframework.web.util.UriComponentsBuilder;\r\n\r\nimport com.security.oauth.model.User;\r\nimport com.security.oauth.service.UserService;\r\n \r\n@RestController\r\npublic class OAuth2RestController {\r\n \r\n @Autowired\r\n UserService userService; \/\/Service which will do all data retrieval\/manipulation work\r\n \r\n \r\n \/\/-------------------Retrieve All Users--------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/\", method = RequestMethod.GET)\r\n public ResponseEntity<List<User>> listAllUsers() {\r\n List<User> users = userService.findAllUsers();\r\n if(users.isEmpty()){\r\n return new ResponseEntity<List<User>>(users, HttpStatus.NO_CONTENT);\/\/You many decide to return HttpStatus.NOT_FOUND\r\n }\r\n return new ResponseEntity<List<User>>(users, HttpStatus.OK);\r\n }\r\n \r\n \r\n \/\/-------------------Retrieve Single User--------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/{id}\", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE,MediaType.APPLICATION_XML_VALUE})\r\n public ResponseEntity<User> getUser(@PathVariable(\"id\") long id) {\r\n System.out.println(\"Fetching User with id \" + id);\r\n User user = userService.findById(id);\r\n if (user == null) {\r\n System.out.println(\"User with id \" + id + \" not found\");\r\n return new ResponseEntity<User>(HttpStatus.NOT_FOUND);\r\n }\r\n return new ResponseEntity<User>(user, HttpStatus.OK);\r\n }\r\n \r\n \r\n \r\n \/\/-------------------Create a User--------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/\", method = RequestMethod.POST)\r\n public ResponseEntity<Void> createUser(@RequestBody User user, UriComponentsBuilder ucBuilder) {\r\n System.out.println(\"Creating User \" + user.getName());\r\n \r\n if (userService.isUserExist(user)) {\r\n System.out.println(\"A User with name \" + user.getName() + \" already exist\");\r\n return new ResponseEntity<Void>(HttpStatus.CONFLICT);\r\n }\r\n \r\n userService.saveUser(user);\r\n \r\n HttpHeaders headers = new HttpHeaders();\r\n headers.setLocation(ucBuilder.path(\"\/user\/{id}\").buildAndExpand(user.getId()).toUri());\r\n return new ResponseEntity<Void>(headers, HttpStatus.CREATED);\r\n }\r\n \r\n \r\n \/\/------------------- Update a User --------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/{id}\", method = RequestMethod.PUT)\r\n public ResponseEntity<User> updateUser(@PathVariable(\"id\") long id, @RequestBody User user) {\r\n System.out.println(\"Updating User \" + id);\r\n \r\n User currentUser = userService.findById(id);\r\n \r\n if (currentUser==null) {\r\n System.out.println(\"User with id \" + id + \" not found\");\r\n return new ResponseEntity<User>(HttpStatus.NOT_FOUND);\r\n }\r\n \r\n currentUser.setName(user.getName());\r\n currentUser.setAge(user.getAge());\r\n currentUser.setSalary(user.getSalary());\r\n \r\n userService.updateUser(currentUser);\r\n return new ResponseEntity<User>(currentUser, HttpStatus.OK);\r\n }\r\n \r\n \/\/------------------- Delete a User --------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/{id}\", method = RequestMethod.DELETE)\r\n public ResponseEntity<User> deleteUser(@PathVariable(\"id\") long id) {\r\n System.out.println(\"Fetching & Deleting User with id \" + id);\r\n \r\n User user = userService.findById(id);\r\n if (user == null) {\r\n System.out.println(\"Unable to delete. User with id \" + id + \" not found\");\r\n return new ResponseEntity<User>(HttpStatus.NOT_FOUND);\r\n }\r\n \r\n userService.deleteUserById(id);\r\n return new ResponseEntity<User>(HttpStatus.NO_CONTENT);\r\n }\r\n \r\n \r\n \/\/------------------- Delete All Users --------------------------------------------------------\r\n \r\n @RequestMapping(value = \"\/user\/\", method = RequestMethod.DELETE)\r\n public ResponseEntity<User> deleteAllUsers() {\r\n System.out.println(\"Deleting All Users\");\r\n \r\n userService.deleteAllUsers();\r\n return new ResponseEntity<User>(HttpStatus.NO_CONTENT);\r\n }\r\n \r\n}<\/pre>\nRunning the application :<\/h2>\n
![\"\"](\"https:\/\/www.innovationm.com\/blog\/wp-content\/uploads\/2018\/06\/unnamed-300x62.png\")
<\/a><\/h3>\n