Monday, July 28, 2014

Integrate Oauth-2.0 Security, Spring-Security And Jersey For Rest Services Using Database.

Introduction:

Hello Friends, Today we are discuss about Oauth-2.0 Integration with Spring-Security. Thanks to Spring, provide some user friendly API's for using Oauth2 with Spring-Security easily. Here we are not discuss about What is Oauth and Spring-Security, because these topics are itself so large and we assume you already have knowledge of these two topics. Here we just discuss about, how we integrate Oauth-2.0 with Spring-Security with the help of database. We Store our client Information and token information in database. Because i think, in real life we use database for store our client and token information. If you need to download the source code of example go to below link :-
https://github.com/harmeetsingh0013/oauth2-jersey-rest-spring-db

Step 1: pom.xml

<properties>
 <jdk-version>1.8</jdk-version>
 <maven-compiler-plugin>3.0</maven-compiler-plugin>
 <maven-war-pugin>2.4</maven-war-pugin>
 <org .springframework.version="">4.0.5.RELEASE</org>
 <hibernate>4.3.6.Final</hibernate>
 <spring-security-oauth2>2.0.1.RELEASE</spring-security-oauth2>
 <spring .security.version="">3.2.4.RELEASE</spring>
 <jersey-spring>1.18.1</jersey-spring>
 <servlet-version>3.0.1</servlet-version>
</properties>

<dependencies>
 <!-- Spring Dependencies -->
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-beans</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-expression</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-aop</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <!-- Spring web dependencies -->
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-web</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-webmvc</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-jdbc</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-context</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-orm</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-context-support</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-oxm</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <!-- Spring security Dependencies -->
 <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-core</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-web</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-config</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <!-- for OAuth 2.0 -->
 <dependency>
  <groupid>org.springframework.security.oauth</groupid>
  <artifactid>spring-security-oauth2</artifactid>
  <version>${spring-security-oauth2}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-config</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-webmvc</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <!-- Hibernate Dependencies -->
 <dependency>
  <groupid>org.hibernate</groupid>
  <artifactid>hibernate-entitymanager</artifactid>
  <version>${hibernate}</version>
 </dependency>
 <dependency>
  <groupid>org.hibernate</groupid>
  <artifactid>hibernate-core</artifactid>
  <version>${hibernate}</version>
 </dependency>
 <dependency>
  <groupid>org.apache.commons</groupid>
  <artifactid>commons-dbcp2</artifactid>
  <version>2.0.1</version>
 </dependency>
 <dependency>
  <groupid>mysql</groupid>
  <artifactid>mysql-connector-java</artifactid>
  <version>5.1.31</version>
 </dependency>

 <!-- Jersey Spring Integration -->
 <dependency>
  <groupid>com.sun.jersey.contribs</groupid>
  <artifactid>jersey-spring</artifactid>
  <version>${jersey-spring}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>com.sun.jersey</groupid>
  <artifactid>jersey-server</artifactid>
  <version>${jersey-spring}</version>
 </dependency>
  <!--Start Servlet Dependencies -->
 <dependency>
  <groupid>javax.servlet</groupid>
  <artifactid>javax.servlet-api</artifactid>
  <version>${servlet-version}</version>
 </dependency>
</dependencies>

Step 2: db.sql

DROP TABLE IF EXISTS oauth_client_details;

CREATE TABLE oauth_client_details (
  client_id varchar(256) NOT NULL,
  resource_ids varchar(256) DEFAULT NULL,
  client_secret varchar(256) DEFAULT NULL,
  scope varchar(256) DEFAULT NULL,
  authorized_grant_types varchar(256) DEFAULT NULL,
  web_server_redirect_uri varchar(256) DEFAULT NULL,
  authorities varchar(256) DEFAULT NULL,
  access_token_validity int(11) DEFAULT NULL,
  refresh_token_validity int(11) DEFAULT NULL,
  additional_information varchar(4096) DEFAULT NULL,
  autoapprove varchar(4096) DEFAULT NULL,
  PRIMARY KEY (client_id)
);


INSERT INTO oauth_client_details(client_id, resource_ids, client_secret, scope, authorized_grant_types, authorities, access_token_validity, refresh_token_validity)
VALUES ('harmeet', 'rest_api', '$2a$11$gxpnezmYfNJRYnw/EpIK5Oe08TlwZDmcmUeKkrGcSGGHXvWaxUwQ2', 'trust,read,write', 'client_credentials,authorization_code,implicit,password,refresh_token', 'ROLE_USER', '4500', '45000');

  DROP TABLE IF EXISTS oauth_access_token;

  CREATE TABLE oauth_access_token (
  token_id varchar(256) DEFAULT NULL,
  token blob,
  authentication_id varchar(256) DEFAULT NULL,
  user_name varchar(256) DEFAULT NULL,
  client_id varchar(256) DEFAULT NULL,
  authentication blob,
  refresh_token varchar(256) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


DROP TABLE IF EXISTS oauth_refresh_token;

CREATE TABLE oauth_refresh_token (
  token_id varchar(256) DEFAULT NULL,
  token blob,
  authentication blob
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Step 3: db-config.xml

<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="location">
   <value>classpath:properties/database.properties</value>
  </property>
 </bean>

 <bean class="org.apache.commons.dbcp2.BasicDataSource" id="dataSource">
  <property name="driverClassName" value="${jdbc.driverClassName}">
  <property name="url" value="${jdbc.url}">
  <property name="username" value="${jdbc.username}">
  <property name="password" value="${jdbc.password}">
 </property></property></property></property></bean>

 <bean class="org.springframework.orm.hibernate4.LocalSessionFactoryBean" id="sessionFactory">
  <property name="dataSource" ref="dataSource">
  <property name="hibernateProperties">
   <props>
    <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
    <prop key="hibernate.show_sql">true</prop>
    <prop key="hibernate.hbm2ddl.auto">create</prop>
    <prop key="hibernate.hbm2ddl.import_files_sql_extractor">org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor
    </prop>
   </props>
  </property>
 </property></bean>

 <bean class="org.springframework.orm.hibernate4.HibernateTransactionManager" id="transactionManager">
  <property name="sessionFactory" ref="sessionFactory">
</property></bean></beans><h3 style="text-align: left;">
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"><bean class="org.springframework.orm.hibernate4.HibernateTransactionManager"><property name="sessionFactory" ref="sessionFactory"></property></bean></beans></h3>
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
 <tx:annotation-driven transaction-manager="transactionManager">

 <bean class="org.springframework.transaction.interceptor.TransactionInterceptor" id="transactionInterceptor">
  <property name="transactionManager" ref="transactionManager">
  <property name="transactionAttributeSource"></property>
 </property></bean>
</tx:annotation-driven></beans>

Step 4:  Spring-Security-Oauth-Config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemalocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
   <!-- Create client details bean for manage client details from database -->
   <!-- The JdbcClientDetailsService provide default implementation for fetching 
  the data from oauth_client_details table Other wise we need to create our 
  custom class that Implement ClientDetailsService Interface and override its   loadClientByClientId method -->
   <bean class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService" id="clientDetails">
      <constructor-arg index="0">
         <ref bean="dataSource" />
      </constructor-arg>
   </bean>
<!-- Configure Authentication manager -->
   <bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder">
      <constructor-arg name="strength" value="11" />
   </bean>
<!-- This class is the custom implementation of UserDetailSerive Interface 
  that provide by the spring, which we Need to implement and override its method. 
  But for Oauth spring provide us ClientDetailsUserDetailsService, which already 
  implement UserDetailSerive Interface and override its method. -->
   <bean class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService" id="clientDetailsUserService">
      <constructor-arg ref="clientDetails" />
   </bean>
   <sec:authentication-manager alias="authenticationManager">
      <sec:authentication-provider user-service-ref="clientDetailsUserService">
         <sec:password-encoder ref="passwordEncoder" />
      </sec:authentication-provider>
   </sec:authentication-manager>
<!-- Oauth Token Service Using Database -->
   <!-- The JdbcTokenStore class provide the default implementation from access 
  the token from database. If we want to customize the JDBC implementation 
  we need to implement TokenStore interface and overrider its methods -->
   <bean class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" id="tokenStore">
      <constructor-arg ref="dataSource" />
   </bean>
<!-- This the service class which is used to access the function of JdbcTokenStore 
  class. This is like MVC structure JdbcTokenStore is Dao layer and DefaultTokenServices 
  is service layer -->
   <bean class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" id="tokenServices">
      <property name="tokenStore" ref="tokenStore">
         <property name="supportRefreshToken" value="true">
            <property name="clientDetailsService" ref="clientDetails">
               <property name="accessTokenValiditySeconds" value="4500" />
            </property>
         </property>
      </property>
   </bean>
<!-- A user approval handler that remembers approval decisions by consulting 
  existing tokens -->
   <bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory" id="oAuth2RequestFactory">
      <constructor-arg ref="clientDetails" />
   </bean>
   <bean class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" id="userApprovalHandler">
      <property name="requestFactory" ref="oAuth2RequestFactory">
         <property name="tokenStore" ref="tokenStore" />
      </property>
   </bean>
<!-- Authorization Server Configuration of the server is used to provide 
  implementations of the client details service and token services and to enable 
  or disable certain aspects of the mechanism globally. -->
   <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
      <oauth:authorization-code>
         <oauth:implicit>
            <oauth:refresh-token>
               <oauth:client-credentials>
                  <oauth:password authentication-manager-ref="authenticationManager" />
               </oauth:client-credentials>
            </oauth:refresh-token>
         </oauth:implicit>
      </oauth:authorization-code>
   </oauth:authorization-server>
<!-- A Resource Server serves resources that are protected by the OAuth2 
  token. Spring OAuth provides a Spring Security authentication filter that 
  implements this protection. -->
   <oauth:resource-server id="resourceServerFilter" resource-id="rest_api" token-services-ref="tokenServices">
      <!-- Grants access if only grant (or abstain) votes were received. We can 
  protect REST resource methods with JSR-250 annotations such as @RolesAllowed -->
      <bean class="org.springframework.security.access.vote.UnanimousBased" id="accessDecisionManager">
         <property name="decisionVoters">
            <list>
               <bean class="org.springframework.security.access.annotation.Jsr250Voter" />
            </list>
         </property>
      </bean>
<!-- If authentication fails and the caller has asked for a specific content 
  type response, this entry point can send one, along with a standard 401 status -->
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="clientAuthenticationEntryPoint">
         <property name="realmName" value="Authorization/client">
            <property name="typeName" value="Basic" />
         </property>
      </bean>
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="oauthAuthenticationEntryPoint">
         <property name="realmName" value="Authorization" />
      </bean>
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" id="oauthAccessDeniedHandler">
         <!-- Allows clients to authenticate using request parameters if included 
  as a security filter. It is recommended by the specification that you permit 
  HTTP basic authentication for clients, and not use this filter at all. -->
         <bean class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter" id="clientCredentialsTokenEndpointFilter">
            <property name="authenticationManager" ref="authenticationManager" />
         </bean>
         <bean class="org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter" id="oAuth2ClientContextFilter" />
         <sec:http authentication-manager-ref="authenticationManager" create-session="stateless" pattern="/oauth/token">
            <sec:intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/oauth/token">
               <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint">
                  <sec:custom-filter before="BASIC_AUTH_FILTER" ref="clientCredentialsTokenEndpointFilter">
                     <sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER " ref="oAuth2ClientContextFilter">
                        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
                     </sec:custom-filter>
                  </sec:custom-filter>
               </sec:http-basic>
            </sec:intercept-url>
         </sec:http>
         <sec:http authentication-manager-ref="authenticationManager" create-session="never" pattern="/rest/**">
            <sec:anonymous enabled="false">
               <sec:intercept-url access="ROLE_USER" method="GET" pattern="/rest/**">
                  <sec:custom-filter before="PRE_AUTH_FILTER" ref="resourceServerFilter">
                     <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint">
                        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
                     </sec:http-basic>
                  </sec:custom-filter>
               </sec:intercept-url>
            </sec:anonymous>
         </sec:http>
      </bean>
   </oauth:resource-server>
</beans>

Step 6:  RestServiceUsingJersey.java

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

import org.springframework.stereotype.Component;

/**
 * @author Harmeet Singh(Taara)
 *
 */

@Component
@Path(value="/")
public class RestServiceUsingJersey {

 @Path("/message")
 @GET
 public Response message() {
  return Response.status(Status.ACCEPTED).entity("Hello Jersy Rest Spring").build();
 }
}

Step 7:  web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>classpath:applicationContext.xml</param-value>
   </context-param>
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>
   <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>/</url-pattern>
   </servlet-mapping>
   <servlet>
      <servlet-name>jersey-serlvet</servlet-name>
      <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
      <init-param>
         <param-name>com.sun.jersey.config.property.packages</param-name>
         <param-value>com.the13star.api</param-value>
      </init-param>
   </servlet>
   <servlet-mapping>
      <servlet-name>jersey-serlvet</servlet-name>
      <url-pattern>/rest/*</url-pattern>
   </servlet-mapping>
   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
</web-app>

From The above code, i am just trying to cover main configuration for regarding Oauth-2.0. I know i really missing so many things, so please go and download the code from above mentioned link or click on the link.
For Testing you can use CURL , POSTMAN, REST-CLIENT etc are many for calling rest services. I am using POSTMAN client by Chrome. Below is the screen shots of example.




26 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. Hi harmeet - Thanks for your post. I am able to integrate the OAuth2 with spring security in my application with custom client authentication and username authentication. I am passing the client id, client secret, username and password in the URL as shown below,

    http://localhost:8180/myapp/oauth/token?grant_type=password&client_id=tlSFFXbpUSoECuOIPMQcPddmo&client_secret=vHQYwHdeEF2eDZ68GlyPffbHj&username=foE5pcQn93T0ux31PI&password=YPzcC5zVNVjXqUMI0WqGOU

    Is there any way to pass these values in request header instead of URL parameter?

    ReplyDelete
  3. is it possible to authenticate the OAuth / to retrieve the access token using the resource owner's credentials? could some tel how to configure this?

    ReplyDelete
  4. Hi Harmeet, thanks for this well explained tutorial, the module you explained is working fine. I am working on login api but could not achive it, Could you please help me on it or if you can point out any good tutorial. i am using database for user authentication but not able to do it.

    @POST
    @Path("/login")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    public Response loginUser(@RequestBody LoginInbound loginDetails) throws Exception {

    Oauth2ProtectedPassword oauth2ProtectedPassword = new Oauth2ProtectedPassword(userName, password,clientId,clientSecret,tokenUrl);
    OAuth2ContextConfiguration.Password configPassword = new OAuth2ContextConfiguration.Password(oauth2ProtectedPassword);
    OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(configPassword);
    OAuth2AccessToken accessToken = restTemplate.getAccessToken();
    return accessToken;

    }

    above is just the starting point of my efforts, but i am not getting accessToken so could not work further. Please help me if you can.

    ReplyDelete
  5. Hello @soumyaansh i am not getting you point, at where you stuck into the code. Please explain, so i could help you.

    ReplyDelete
  6. Hi Harmeet,
    Thank you very much for this well explained tutorial. But I not able to get "Oauth2ProtectedPassword" jar for this and getting the error.Could you please help me on this.

    Thanks,
    Harvinder Singh

    ReplyDelete
  7. Hello Harvinder, Thanks for all.

    The jar problem means that, there is some issue with maven dependency. So, please update your maven pom.

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Hi Harpreet, Thanks for nice article ..!
    I am using this url to get the access token

    http://localhost:7070/demo.rest.springsecurity.oauth2.0.authentication/oauth/token?grant_type=client_credentials&client_id=harmeet&client_secret=password&username=harmeet&password=password

    But getting access denied msg .. Kindly correct url if it is wrong.. I used same data base details provided by you ..!

    ReplyDelete
  10. what will be the url for refresh token?

    ReplyDelete
  11. HI Harpreet,
    The refresh_token is missing. Can you please help, how to get it in the response.

    ReplyDelete
  12. Its half of the implementation as the refresh token is not coming can you please help to complete the implementation please.

    ReplyDelete
    Replies
    1. Hello @Abhinav i know the refresh token is not implemented. In Future i will update this, but still i ma busy with some other work.

      Thanks

      Delete
    2. Hi,
      Could you please help me with refresh token generation

      Delete
  13. Hello Harmeet,

    Firstly thanks for sharing complete example but i am not able to get token. I am using below URL with parameter as x-www-form-urlencoded
    grant_type=client_credential & client_id = harmeet & client_secret = password but i am getting below error.

    {
    "error": "unsupported_grant_type",
    "error_description": "Unsupported grant type: client_credential"
    }

    ReplyDelete
  14. Hello @rajkamal, According to this error, your grant type is not valid. Please check your request parameters. I am using "client_credentials" instead of "client_credential". Please verify in your DB, what you will use?

    ReplyDelete
  15. Hi Harmeet,

    My request is : http://localhost:8080/UILite2.0/oauth/token?grant_type=password&client_id=project&client_secret=12345&username=test&password=test123

    Bu I am getting following exception
    {"error":"unauthorized","error_description":"No client with requested id: test"}

    I am using : spring-security-oauth2 2.0.1.jar
    spring-security 3.2.4jar

    What could be the problem ?

    Thanks
    Mallikarjun


    ReplyDelete
  16. Hello Harmeet

    This code working fine. I need to verify username and password from database. currently i get the token just by passing the client id and secret. So can u help me out to get the token after authenticating username and password from database.

    ReplyDelete
  17. This comment has been removed by the author.

    ReplyDelete
  18. Hi
    I am using




    instead ofJDBC. But it is giving me Bad client credentials

    ReplyDelete
    Replies
    1. Hi Neha,

      What are you using instead of JDBC? The reason of error is your invalid cridentials, please check you password encoder or grant type.

      Delete
  19. This comment has been removed by the author.

    ReplyDelete
  20. Hi Great one - I was looking for the Authorization flow of OAuth. where there is a default url - oauth/authorize. and redirection to accept/deny etc... Can you please help me with the same - May be a very simple example for the scenario?

    ReplyDelete
  21. Hello Harmeet,
    Thanks for post.
    i want this through Java Configuration and without using xml.if u have done it please share it satishchpn@gmail.com

    ReplyDelete
  22. Hello satish, Please look into this example https://github.com/harmeetsingh0013/Demo-Project-using-Spring-Security-Oauth2-Thymeleaf-and-Spring-Data/tree/master/project. This is incomplete project but Oauth 2.0 integration part is running successfully using Java Based Config.

    ReplyDelete