A common requirement in Java API development is to implement user authentication and authorization functions. In order to provide more secure and reliable API services, the authorization function has become particularly important. Spring Security OAuth is an excellent open source framework that can help us implement authorization functions in Java APIs. This article will introduce how to use Spring Security OAuth for secure authorization.
Spring Security OAuth is an extension of the Spring Security framework, which can help us implement OAuth authentication and authorization functions.
OAuth is an open standard for authorizing third-party applications to access resources. It can help us achieve business logic decoupling and secure applications. The OAuth authorization process usually includes the following roles:
Spring Security OAuth implements OAuth Four endpoints in the authorization process:
Spring Security OAuth implements the four aspects of OAuth 2.0 Large authorization mode:
Add Spring Security OAuth dependency in the project. Configure the following in pom.xml:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.4.RELEASE</version>
</dependency>We need to define the authorization server for authorization. In Spring Security OAuth, you can define an authorization server by enabling an OAuth2 authentication server and implementing the AuthorizationServerConfigurer interface.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
TokenStore tokenStore;
@Autowired
AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.secret("{noop}secret")
.authorizedGrantTypes("client_credentials", "password")
.scopes("read", "write")
.accessTokenValiditySeconds(3600)
.refreshTokenValiditySeconds(7200);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}In the above code, we define a memory-based client details service, configure the authorization type as client_credentials and password, and also specify the validity period of the access token and the validity period of the refresh token. Additionally, we define the endpoints and their required tokenStore and authenticationManager.
To use Spring Security OAuth security authorization, we also need to configure the resource server. In Spring Security OAuth, we can define resource servers by implementing the ResourceServerConfigurer interface.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**").authenticated()
.anyRequest().permitAll();
}
@Override
public void configure(ResourceServerSecurityConfigurer config) throws Exception {
config.resourceId("my_resource_id");
}
}In the above code, we defined /api/** to give authentication while other requests allow anonymous access. We also configure the resource ID "my_resource_id" for use in subsequent authorization processes.
In order to use Spring Security OAuth security authorization, we also need to configure Web security. In Spring Security OAuth, security can be defined by implementing the SecurityConfigurer interface.
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("{noop}password")
.roles("USER");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/oauth/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll();
}
}In the above code, we define a memory-based user details service and declare requests that require authentication (that is, all paths following /oauth/** require authentication, and other paths can be accessed anonymously). We also configured a simple form login for users to log into the application.
We need to implement the UserDetailsService interface for use in security authorization. Here we directly use memory to save user accounts and passwords, and do not involve database operations.
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if ("user".equals(username)) {
return new User("user", "{noop}password",
AuthorityUtils.createAuthorityList("ROLE_USER"));
} else {
throw new UsernameNotFoundException("username not found");
}
}
}Next we need to implement a simple API. We added a getGreeting() API under the /api/** path to return a greeting to the client.
@RestController
@RequestMapping("/api")
public class ApiController {
@GetMapping("/greeting")
public String getGreeting() {
return "Hello, World!";
}
}Finally, we need to test whether the authorization process is running as expected. First, we use the authorization code mode to obtain the authorization code:
http://localhost:8080/oauth/authorize?response_type=code&client_id=client&redirect_uri=http://localhost:8080&scope=read
Visit the above URL in your browser, you will be asked to enter your username and password for authorization. Enter the username user and password password and click Authorize, you will be redirected to http://localhost:8080/?code=xxx, where xxx is the authorization code.
Next, we use the password pattern to obtain the access token:
curl -X POST http://localhost:8080/oauth/token -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=password&client_id=client&client_secret=secret'
You will receive a JSON response containing the access token and refresh token:
{
"access_token":"...",
"token_type":"bearer",
"refresh_token":"...",
"expires_in":3600,
"scope":"read"
}Now you can use this access token to access the API service:
curl -X GET http://localhost:8080/api/greeting -H 'authorization: Bearer xxx'
where xxx is your access token. You will receive a JSON response containing the greeting "Hello, World!".
In this article, we introduce how to use Spring Security OAuth for secure authorization. Spring Security OAuth is a very powerful framework that can help us implement all roles in the OAuth authorization process. In practical applications, we can choose different authorization modes and service configurations according to different security requirements.
The above is the detailed content of Using Spring Security OAuth for secure authorization in Java API development. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
