1. Overview

The Spring Cloud Security module provides functionality related to token-based security in Spring Boot applications.

Specifically, it simplifies OAuth2-based single sign-on – with support for token relaying between resource servers, as well as configuring downstream authentication using a built-in Zuul proxy.

In this quick article, we’ll look at how to configure these features using a Spring Boot client application, an authorization server, and a REST API that functions as a resource server.

Note that in this example, a single client application uses single sign-on to demonstrate security features in the cloud. However, in a typical scenario, at least two client applications would justify the need for single sign-on.

2. Quickly start a cloud security application

Let’s start by configuring SSO in a Spring Boot application.

First, we need to add the spring-cloud-stoud-oauth2 dependency :

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
    <version>1.2.2.RELEASE</version>
</dependency>

This will also introduce the spring-cloud-starter-security dependency.

locally deployed at http: // localhost: 7070 / authserver.

Our authorization server uses JWT tokens.

Additionally, for any client to be able to retrieve a user’s credentials, we must configure our resource server, running on port 9000, with an endpoint that can serve that credentials.

Here we have configured an endpoint / user available at http: // localhost: 9000 / user.

@Configuration
@EnableOAuth2Sso
public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
       //...
    }
}

Any request requiring authentication will be redirected to the authorization server. ** For this to work, we also need to set the server properties :

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:7070/authserver/oauth/token
      userAuthorizationUri: http://localhost:7070/authserver/oauth/authorize
      clientId: authserver
      clientSecret: passwordforauthserver
    resource:
      userInfoUri: http://localhost:9000/user

Note that we need __ spring-boot-starter-security in our classpath for the above configuration to work.

3. Relaying Tokens Access

While relaying a token, an OAuth2 client transfers the OAuth2 token it received to an outgoing resource request. **

Since we declared the @ EnableOauth2Sso annotation, Spring Boot adds an OAuth2ClientContext bean in the scope of the request. Based on this, we can create our own OAuth2RestTemplate in our client application:

@Bean
public OAuth2RestOperations restOperations(
  OAuth2ProtectedResourceDetails resource, OAuth2ClientContext context) {
    return new OAuth2RestTemplate(resource, context);
}

Une fois que nous avons configuré le bean _, _ , le contexte transférera le jeton d’accès aux services demandés et actualisera également le jeton s’il expire.

4. Relay an OAuth token using RestTemplate

We previously defined a restOperations bean of type OAuth2RestTemplate in our client application. As a result, we can use the getForObject () method of OAuth2RestTemplate to send a request with the necessary tokens to a protected resource server of our client.

First, let’s define an endpoint that requires authentication in our resource server:

@GetMapping("/person")
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){
    return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");
 }

This is a simple REST endpoint that returns a JSON representation of a Person object.

Now we can send a request from the client application using the getForObject () method which will pass the token to the resource server:

@Autowired
private RestOperations restOperations;

@GetMapping("/personInfo")
public ModelAndView person() {
    ModelAndView mav = new ModelAndView("personinfo");
    String personResourceUrl = "http://localhost:9000/person";
    mav.addObject("person",
      restOperations.getForObject(personResourceUrl, String.class));

    return mav;
}

5. Configuration de Zuul pour jeton de relais

If we want to relay a token downstream to proxy services, we can use Cloud Cloud Zuul reverse proxy.

First, we need to add the Maven dependency to work with Zuul:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-zuul</artifactId>
</dependency>

Next, we need to add the @EnableZuulProxy annotation to our configuration class in the client application :

@Configuration
@EnableOAuth2Sso
@EnableZuulProxy
public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {
   //...
}

All that remains is to add the Zuul configuration properties to our application.yml file:

zuul:
  routes:
    resource:
      path:/api/** **
      url: http://localhost:9000
    user:
      path:/user/** **
      url: http://localhost:9000/user

Any request from the endpoint / api of the client application will be redirected to the URL of the resource server. We also need to provide the endpoint URL for the user credentials.

6. Conclusion

In this quick article, we explained how to use Spring Cloud Security with OAuth2 and Zuul to configure secure authorization and resource servers, and how to relay OAuth2 tokens between servers using Oauth2RestTemplate and the embedded proxy.

As always, the code is available at over on GitHub.

Laisser un commentaire