Introduction:
Hello Friends, Today we are discuss about Oauth-2.0 Integration with Spring-Security. Thanks to Spring, provide some user friendly API's for using Oauth2 with Spring-Security easily. Here we are not discuss about What is Oauth and Spring-Security, because these topics are itself so large and we assume you already have knowledge of these two topics. Here we just discuss about, how we integrate Oauth-2.0 with Spring-Security with the help of database. We Store our client Information and token information in database. Because i think, in real life we use database for store our client and token information. If you need to download the source code of example go to below link :-
https://github.com/harmeetsingh0013/oauth2-jersey-rest-spring-db
Step 1: pom.xml
<properties>
<jdk-version>1.8</jdk-version>
<maven-compiler-plugin>3.0</maven-compiler-plugin>
<maven-war-pugin>2.4</maven-war-pugin>
<org .springframework.version="">4.0.5.RELEASE</org>
<hibernate>4.3.6.Final</hibernate>
<spring-security-oauth2>2.0.1.RELEASE</spring-security-oauth2>
<spring .security.version="">3.2.4.RELEASE</spring>
<jersey-spring>1.18.1</jersey-spring>
<servlet-version>3.0.1</servlet-version>
</properties>
<dependencies>
<!-- Spring Dependencies -->
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-expression</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
<version>${org.springframework.version}</version>
</dependency>
<!-- Spring web dependencies -->
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-web</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-webmvc</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-web</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-expression</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-jdbc</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-expression</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-orm</artifactid>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-context-support</artifactid>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupid>org.springframework</groupid>
<artifactid>spring-oxm</artifactid>
<version>${org.springframework.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
</exclusions>
</dependency>
<!-- Spring security Dependencies -->
<dependency>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-core</artifactid>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-expression</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-web</artifactid>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-web</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-expression</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-config</artifactid>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-core</artifactid>
</exclusion>
</exclusions>
</dependency>
<!-- for OAuth 2.0 -->
<dependency>
<groupid>org.springframework.security.oauth</groupid>
<artifactid>spring-security-oauth2</artifactid>
<version>${spring-security-oauth2}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-config</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.security</groupid>
<artifactid>spring-security-web</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-webmvc</artifactid>
</exclusion>
</exclusions>
</dependency>
<!-- Hibernate Dependencies -->
<dependency>
<groupid>org.hibernate</groupid>
<artifactid>hibernate-entitymanager</artifactid>
<version>${hibernate}</version>
</dependency>
<dependency>
<groupid>org.hibernate</groupid>
<artifactid>hibernate-core</artifactid>
<version>${hibernate}</version>
</dependency>
<dependency>
<groupid>org.apache.commons</groupid>
<artifactid>commons-dbcp2</artifactid>
<version>2.0.1</version>
</dependency>
<dependency>
<groupid>mysql</groupid>
<artifactid>mysql-connector-java</artifactid>
<version>5.1.31</version>
</dependency>
<!-- Jersey Spring Integration -->
<dependency>
<groupid>com.sun.jersey.contribs</groupid>
<artifactid>jersey-spring</artifactid>
<version>${jersey-spring}</version>
<exclusions>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-beans</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-core</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-context</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-web</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework</groupid>
<artifactid>spring-aop</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>com.sun.jersey</groupid>
<artifactid>jersey-server</artifactid>
<version>${jersey-spring}</version>
</dependency>
<!--Start Servlet Dependencies -->
<dependency>
<groupid>javax.servlet</groupid>
<artifactid>javax.servlet-api</artifactid>
<version>${servlet-version}</version>
</dependency>
</dependencies>
Step 2: db.sql
DROP TABLE IF EXISTS oauth_client_details;
CREATE TABLE oauth_client_details (
client_id varchar(256) NOT NULL,
resource_ids varchar(256) DEFAULT NULL,
client_secret varchar(256) DEFAULT NULL,
scope varchar(256) DEFAULT NULL,
authorized_grant_types varchar(256) DEFAULT NULL,
web_server_redirect_uri varchar(256) DEFAULT NULL,
authorities varchar(256) DEFAULT NULL,
access_token_validity int(11) DEFAULT NULL,
refresh_token_validity int(11) DEFAULT NULL,
additional_information varchar(4096) DEFAULT NULL,
autoapprove varchar(4096) DEFAULT NULL,
PRIMARY KEY (client_id)
);
INSERT INTO oauth_client_details(client_id, resource_ids, client_secret, scope, authorized_grant_types, authorities, access_token_validity, refresh_token_validity)
VALUES ('harmeet', 'rest_api', '$2a$11$gxpnezmYfNJRYnw/EpIK5Oe08TlwZDmcmUeKkrGcSGGHXvWaxUwQ2', 'trust,read,write', 'client_credentials,authorization_code,implicit,password,refresh_token', 'ROLE_USER', '4500', '45000');
DROP TABLE IF EXISTS oauth_access_token;
CREATE TABLE oauth_access_token (
token_id varchar(256) DEFAULT NULL,
token blob,
authentication_id varchar(256) DEFAULT NULL,
user_name varchar(256) DEFAULT NULL,
client_id varchar(256) DEFAULT NULL,
authentication blob,
refresh_token varchar(256) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
DROP TABLE IF EXISTS oauth_refresh_token;
CREATE TABLE oauth_refresh_token (
token_id varchar(256) DEFAULT NULL,
token blob,
authentication blob
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Step 3: db-config.xml
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:properties/database.properties</value>
</property>
</bean>
<bean class="org.apache.commons.dbcp2.BasicDataSource" id="dataSource">
<property name="driverClassName" value="${jdbc.driverClassName}">
<property name="url" value="${jdbc.url}">
<property name="username" value="${jdbc.username}">
<property name="password" value="${jdbc.password}">
</property></property></property></property></bean>
<bean class="org.springframework.orm.hibernate4.LocalSessionFactoryBean" id="sessionFactory">
<property name="dataSource" ref="dataSource">
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
<prop key="hibernate.hbm2ddl.auto">create</prop>
<prop key="hibernate.hbm2ddl.import_files_sql_extractor">org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor
</prop>
</props>
</property>
</property></bean>
<bean class="org.springframework.orm.hibernate4.HibernateTransactionManager" id="transactionManager">
<property name="sessionFactory" ref="sessionFactory">
</property></bean></beans><h3 style="text-align: left;">
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"><bean class="org.springframework.orm.hibernate4.HibernateTransactionManager"><property name="sessionFactory" ref="sessionFactory"></property></bean></beans></h3>
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<tx:annotation-driven transaction-manager="transactionManager">
<bean class="org.springframework.transaction.interceptor.TransactionInterceptor" id="transactionInterceptor">
<property name="transactionManager" ref="transactionManager">
<property name="transactionAttributeSource"></property>
</property></bean>
</tx:annotation-driven></beans>
Step 4: Spring-Security-Oauth-Config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemalocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Create client details bean for manage client details from database -->
<!-- The JdbcClientDetailsService provide default implementation for fetching
the data from oauth_client_details table Other wise we need to create our
custom class that Implement ClientDetailsService Interface and override its loadClientByClientId method -->
<bean class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService" id="clientDetails">
<constructor-arg index="0">
<ref bean="dataSource" />
</constructor-arg>
</bean>
<!-- Configure Authentication manager -->
<bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder">
<constructor-arg name="strength" value="11" />
</bean>
<!-- This class is the custom implementation of UserDetailSerive Interface
that provide by the spring, which we Need to implement and override its method.
But for Oauth spring provide us ClientDetailsUserDetailsService, which already
implement UserDetailSerive Interface and override its method. -->
<bean class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService" id="clientDetailsUserService">
<constructor-arg ref="clientDetails" />
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Oauth Token Service Using Database -->
<!-- The JdbcTokenStore class provide the default implementation from access
the token from database. If we want to customize the JDBC implementation
we need to implement TokenStore interface and overrider its methods -->
<bean class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" id="tokenStore">
<constructor-arg ref="dataSource" />
</bean>
<!-- This the service class which is used to access the function of JdbcTokenStore
class. This is like MVC structure JdbcTokenStore is Dao layer and DefaultTokenServices
is service layer -->
<bean class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" id="tokenServices">
<property name="tokenStore" ref="tokenStore">
<property name="supportRefreshToken" value="true">
<property name="clientDetailsService" ref="clientDetails">
<property name="accessTokenValiditySeconds" value="4500" />
</property>
</property>
</property>
</bean>
<!-- A user approval handler that remembers approval decisions by consulting
existing tokens -->
<bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory" id="oAuth2RequestFactory">
<constructor-arg ref="clientDetails" />
</bean>
<bean class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" id="userApprovalHandler">
<property name="requestFactory" ref="oAuth2RequestFactory">
<property name="tokenStore" ref="tokenStore" />
</property>
</bean>
<!-- Authorization Server Configuration of the server is used to provide
implementations of the client details service and token services and to enable
or disable certain aspects of the mechanism globally. -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code>
<oauth:implicit>
<oauth:refresh-token>
<oauth:client-credentials>
<oauth:password authentication-manager-ref="authenticationManager" />
</oauth:client-credentials>
</oauth:refresh-token>
</oauth:implicit>
</oauth:authorization-code>
</oauth:authorization-server>
<!-- A Resource Server serves resources that are protected by the OAuth2
token. Spring OAuth provides a Spring Security authentication filter that
implements this protection. -->
<oauth:resource-server id="resourceServerFilter" resource-id="rest_api" token-services-ref="tokenServices">
<!-- Grants access if only grant (or abstain) votes were received. We can
protect REST resource methods with JSR-250 annotations such as @RolesAllowed -->
<bean class="org.springframework.security.access.vote.UnanimousBased" id="accessDecisionManager">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.annotation.Jsr250Voter" />
</list>
</property>
</bean>
<!-- If authentication fails and the caller has asked for a specific content
type response, this entry point can send one, along with a standard 401 status -->
<bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="clientAuthenticationEntryPoint">
<property name="realmName" value="Authorization/client">
<property name="typeName" value="Basic" />
</property>
</bean>
<bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="oauthAuthenticationEntryPoint">
<property name="realmName" value="Authorization" />
</bean>
<bean class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" id="oauthAccessDeniedHandler">
<!-- Allows clients to authenticate using request parameters if included
as a security filter. It is recommended by the specification that you permit
HTTP basic authentication for clients, and not use this filter at all. -->
<bean class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter" id="clientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean class="org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter" id="oAuth2ClientContextFilter" />
<sec:http authentication-manager-ref="authenticationManager" create-session="stateless" pattern="/oauth/token">
<sec:intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/oauth/token">
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint">
<sec:custom-filter before="BASIC_AUTH_FILTER" ref="clientCredentialsTokenEndpointFilter">
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER " ref="oAuth2ClientContextFilter">
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:custom-filter>
</sec:custom-filter>
</sec:http-basic>
</sec:intercept-url>
</sec:http>
<sec:http authentication-manager-ref="authenticationManager" create-session="never" pattern="/rest/**">
<sec:anonymous enabled="false">
<sec:intercept-url access="ROLE_USER" method="GET" pattern="/rest/**">
<sec:custom-filter before="PRE_AUTH_FILTER" ref="resourceServerFilter">
<sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint">
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http-basic>
</sec:custom-filter>
</sec:intercept-url>
</sec:anonymous>
</sec:http>
</bean>
</oauth:resource-server>
</beans>
Step 6: RestServiceUsingJersey.java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.springframework.stereotype.Component;
/**
* @author Harmeet Singh(Taara)
*
*/
@Component
@Path(value="/")
public class RestServiceUsingJersey {
@Path("/message")
@GET
public Response message() {
return Response.status(Status.ACCEPTED).entity("Hello Jersy Rest Spring").build();
}
}
Step 7: web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.the13star.api</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
From The above code, i am just trying to cover main configuration for regarding Oauth-2.0. I know i really missing so many things, so please go and download the code from above mentioned link or click on the link.
For Testing you can use CURL , POSTMAN, REST-CLIENT etc are many for calling rest services. I am using POSTMAN client by Chrome. Below is the screen shots of example.
For Testing you can use CURL , POSTMAN, REST-CLIENT etc are many for calling rest services. I am using POSTMAN client by Chrome. Below is the screen shots of example.
This comment has been removed by the author.
ReplyDeleteHi harmeet - Thanks for your post. I am able to integrate the OAuth2 with spring security in my application with custom client authentication and username authentication. I am passing the client id, client secret, username and password in the URL as shown below,
ReplyDeletehttp://localhost:8180/myapp/oauth/token?grant_type=password&client_id=tlSFFXbpUSoECuOIPMQcPddmo&client_secret=vHQYwHdeEF2eDZ68GlyPffbHj&username=foE5pcQn93T0ux31PI&password=YPzcC5zVNVjXqUMI0WqGOU
Is there any way to pass these values in request header instead of URL parameter?
is it possible to authenticate the OAuth / to retrieve the access token using the resource owner's credentials? could some tel how to configure this?
ReplyDeleteHi Harmeet, thanks for this well explained tutorial, the module you explained is working fine. I am working on login api but could not achive it, Could you please help me on it or if you can point out any good tutorial. i am using database for user authentication but not able to do it.
ReplyDelete@POST
@Path("/login")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
public Response loginUser(@RequestBody LoginInbound loginDetails) throws Exception {
Oauth2ProtectedPassword oauth2ProtectedPassword = new Oauth2ProtectedPassword(userName, password,clientId,clientSecret,tokenUrl);
OAuth2ContextConfiguration.Password configPassword = new OAuth2ContextConfiguration.Password(oauth2ProtectedPassword);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(configPassword);
OAuth2AccessToken accessToken = restTemplate.getAccessToken();
return accessToken;
}
above is just the starting point of my efforts, but i am not getting accessToken so could not work further. Please help me if you can.
Hello @soumyaansh i am not getting you point, at where you stuck into the code. Please explain, so i could help you.
ReplyDeleteHi Harmeet,
ReplyDeleteThank you very much for this well explained tutorial. But I not able to get "Oauth2ProtectedPassword" jar for this and getting the error.Could you please help me on this.
Thanks,
Harvinder Singh
Hello Harvinder, Thanks for all.
ReplyDeleteThe jar problem means that, there is some issue with maven dependency. So, please update your maven pom.
This comment has been removed by the author.
ReplyDeleteHi Harpreet, Thanks for nice article ..!
ReplyDeleteI am using this url to get the access token
http://localhost:7070/demo.rest.springsecurity.oauth2.0.authentication/oauth/token?grant_type=client_credentials&client_id=harmeet&client_secret=password&username=harmeet&password=password
But getting access denied msg .. Kindly correct url if it is wrong.. I used same data base details provided by you ..!
what will be the url for refresh token?
ReplyDeleteHI Harpreet,
ReplyDeleteThe refresh_token is missing. Can you please help, how to get it in the response.
Its half of the implementation as the refresh token is not coming can you please help to complete the implementation please.
ReplyDeleteHello @Abhinav i know the refresh token is not implemented. In Future i will update this, but still i ma busy with some other work.
DeleteThanks
Hi,
DeleteCould you please help me with refresh token generation
Hello Harmeet,
ReplyDeleteFirstly thanks for sharing complete example but i am not able to get token. I am using below URL with parameter as x-www-form-urlencoded
grant_type=client_credential & client_id = harmeet & client_secret = password but i am getting below error.
{
"error": "unsupported_grant_type",
"error_description": "Unsupported grant type: client_credential"
}
Hello @rajkamal, According to this error, your grant type is not valid. Please check your request parameters. I am using "client_credentials" instead of "client_credential". Please verify in your DB, what you will use?
ReplyDeleteHi Harmeet,
ReplyDeleteMy request is : http://localhost:8080/UILite2.0/oauth/token?grant_type=password&client_id=project&client_secret=12345&username=test&password=test123
Bu I am getting following exception
{"error":"unauthorized","error_description":"No client with requested id: test"}
I am using : spring-security-oauth2 2.0.1.jar
spring-security 3.2.4jar
What could be the problem ?
Thanks
Mallikarjun
Hello Harmeet
ReplyDeleteThis code working fine. I need to verify username and password from database. currently i get the token just by passing the client id and secret. So can u help me out to get the token after authenticating username and password from database.
This comment has been removed by the author.
ReplyDeleteHi
ReplyDeleteI am using
instead ofJDBC. But it is giving me Bad client credentials
Hi Neha,
DeleteWhat are you using instead of JDBC? The reason of error is your invalid cridentials, please check you password encoder or grant type.
This comment has been removed by the author.
ReplyDeleteHi Great one - I was looking for the Authorization flow of OAuth. where there is a default url - oauth/authorize. and redirection to accept/deny etc... Can you please help me with the same - May be a very simple example for the scenario?
ReplyDeleteHello Harmeet,
ReplyDeleteThanks for post.
i want this through Java Configuration and without using xml.if u have done it please share it satishchpn@gmail.com
Hello satish, Please look into this example https://github.com/harmeetsingh0013/Demo-Project-using-Spring-Security-Oauth2-Thymeleaf-and-Spring-Data/tree/master/project. This is incomplete project but Oauth 2.0 integration part is running successfully using Java Based Config.
ReplyDeletethanks harmeet
Delete