Spring Boot Security - learning project for resource server authentication and authorization, using the OAuth2 Resource Server starter project.
These are learnings from the Pluralsight course by Josh Cummings, https://github.com/jzheaux/resolutions.
- Spring Security has its own classes for UserDetails; to override or custom-implement it, implement the UserDetailsService interface.
- JdbcUserDetailsManager is available to provide your own implementation for loading authorities and UserDetails values from a database.
- Using WebSecurityConfigurerAdapter and adding Ant/MVC matchers to exercise authority control.
JWT token - authentication and authorisation using Spring Security OAuth2 Resource Server
- Dependencies needed:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
```

- No other annotations are needed to enable the resource server, except this one to enable global pre/post authorize:
@EnableGlobalMethodSecurity(prePostEnabled = true)
- Keycloak: starting it, understanding it and setting it up took a considerable amount of time.
- Realm creation
- Roles can be placed at two levels: realm level and client level.
- Realm level is the better one, as the user gets the role information irrespective of client id. If we create roles at client level they are specific to that client id.
Think of a scenario where we use two different client ids for the same application for two entry points, such as mobile and desktop. :-(
- Client creation
- Enabling the client secret by setting the access type to confidential, and enabling the various OAuth flows.
- Roles come in a complex (nested) object; we can map it to a custom simple/array claim by using client-level mappers.
- Postman - the latest Postman has the OAuth authorization code grant enabled - settings
- Complex object to simple custom object mapping -
- Spring Security provides converters for a custom implementation of roles and authorities, overriding the defaults provided by JwtAuthenticationConverter and JwtGrantedAuthoritiesConverter:
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceserverApplication extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request needs an authenticated JWT; the converter below decides
        // which GrantedAuthorities are derived from that JWT.
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(jwtAuthenticationConverter())));
    }

    public static void main(String[] args) {
        SpringApplication.run(ResourceserverApplication.class, args);
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        // Read authorities from the flat "user-roles" claim produced by the Keycloak
        // client mapper instead of the default "scope" / "scp" claims.
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("user-roles");
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
        return jwtAuthenticationConverter;
    }
}
```
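As an added example (not part of these notes or the course code), the converter below reads Keycloak's nested realm_access.roles claim, the "complex object" mentioned above, directly, so no client-level mapper to a flat "user-roles" claim is required. The class name KeycloakRealmRolesConverter is my own; it assumes the standard Keycloak token layout where realm_access.roles is a list of strings, and that spring.security.oauth2.resourceserver.jwt.issuer-uri is configured so the JwtDecoder validates signature, issuer and expiry before this converter ever runs.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Added example: maps Keycloak's nested realm_access.roles claim straight to
// ROLE_<name> authorities while keeping the default SCOPE_<scope> authorities
// derived from the "scope" claim. Signature, issuer and expiry are enforced by the
// JwtDecoder built from spring.security.oauth2.resourceserver.jwt.issuer-uri (assumed set).
public class KeycloakRealmRolesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    private final JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt));
        // getClaimAsMap returns null when the claim is absent (e.g. a token from another client)
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        Object roles = realmAccess == null ? null : realmAccess.get("roles");
        if (roles instanceof Collection) {
            for (Object role : (Collection<?>) roles) {
                // Accept only non-empty strings; anything else in the claim is ignored,
                // so a malformed or unexpected claim value never becomes an authority.
                if (role instanceof String && !((String) role).isEmpty()) {
                    // The ROLE_ prefix is what @PreAuthorize("hasRole('admin')") checks for.
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }
        }
        return authorities;
    }

    // Drop-in replacement for the jwtAuthenticationConverter() method in the notes above.
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRolesConverter());
        return converter;
    }
}
```

Wire it with `j.jwtAuthenticationConverter(KeycloakRealmRolesConverter.jwtAuthenticationConverter())` in place of the private method above; realm roles then work for every client id in the realm, which is the reason the notes prefer realm-level roles.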