spring security and oauth dependencies? - spring

I am confused what is the different between these dependencies and which one should I use. Would you explain the differences?
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!---------------------------------------------------------->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<!---------------------------------------------------------->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<!---------------------------------------------------------->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
and when to use
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>

spring-boot-starter-xxx are with no surprise starters for applications with Spring. It:
pulls most the dependencies you need on a subject
auto-wires many useful beans
enables to define many configuration options from properties (application.properties, application.yaml, command line arguments, environment variables,...)
For OAuth2, there are two starters provided by Spring:
spring-boot-starter-oauth2-resource-server if your app is a resource-server (contains #RestController or #Controller with #ResponseBody)
spring-boot-starter-oauth2-client if your app is a client
#Controller with methods returning a template name
using a REST client like WebClient to consume a web-service secured with OAuth2
I also wrote starters which are thin wrappers arround spring-boot-starter-oauth2-resource-server and enable to replace all of necessary Java configuration with just a few properties. Refer to README and tutorials for more details (and to figure out how much effort and errors it can save)
It is possible for an app to be both a resource-server and a client, in which case you'll need to declare both starters in your dependencies.
You can have a look at the tutorials I already linked if you have doubts on how to configure resource-servers. There are a few whith Spring starters or mine. One is even both a resource-server and a client with Thymeleaf page consuming secured REST resources with WebClient)
You don't need to declare dependencies on spring-boot-starter-security, spring-security-oauth2-client or spring-security-oauth2-jose when using OAuth2 starters as all are transitive dependencies.
spring-security-config is useful for defining Spring #Beans in Java configuration files. You might need it in addition to starters.

Related

Should I include the dependency spring-boot-starter into my custom spring boot starter?

If I create a custom spring boot starter module, Do I need to include the dependency spring-boot-starter ?
In the spring boot's github :
some starters add the dependency spring-boot-starter to its pom.xml (spring-boot-starter-web, spring-boot-starter-thymeleaf)
some others starters doesn't (spring-boot-starter-log4j2, spring-boot-starter-undertow, spring-boot-starter-tomcat).
Is there a reason to no adding it into the dependencies ?
If your starter depends on spring-boot-starter, any application that depends only on your starter will have all the dependencies that it needs to be a Spring Boot application. Generally speaking, this is how you want a starter to behave.
spring-boot-stater-log4j2, spring-boot-starter-undertow, and spring-boot-starter-tomcat are slightly different as they are not intended to be used on their own. The Spring Boot documentation calls them technical starters. They are intended to be used alongside an existing starter to change the underlying technology that's used. For example, if you are building a web application, you would depend on spring-boot-starter-web. This starter uses Tomcat as the embedded container by default. If you want to swap to Undertow, you'd exclude spring-boot-starter-tomcat and add a dependency on spring-boot-starter-undertow alongside your spring-boot-starter-web dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<!-- Exclude the Tomcat dependency -->
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Use Undertow instead -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
</dependency>

Spring: spring-data-mongodb or spring-boot-starter-data-mongodb

Which's the difference between
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-mongodb</artifactId>
</dependency>
and,
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
</dependency>
I'm developing an spring boot service.
spring-boot-starter-data-mongodb contains configuration classes for Spring Boot. It also includes the spring-data-mongodb library so you would only need to include the start in your boot app:
https://search.maven.org/artifact/org.springframework.boot/spring-boot-starter-data-mongodb/2.0.5.RELEASE/jar
spring-boot-starter-data-mongodb is a spring boot starter pom. For more information on starters:
spring-boot-starters
Dependency management is a critical aspects of any complex project. And doing this manually is less than ideal; the more time you spent on it the less time you have on the other important aspects of the project.
Spring Boot starters were built to address exactly this problem. Starter POMs are a set of convenient dependency descriptors that you can include in your application. You get a one-stop-shop for all the Spring and related technology that you need, without having to hunt through sample code and copy paste loads of dependency descriptors.

Spring Boot 2 and ResourceServerProperties

We have Spring Boot Application(version 1.5.8). We tried to check if it's compatible with upcoming Spring Boot 2 release (currently it's M5).
And two classes are missing in spring-boot-autoconfigure dependency(UserInfoTokenServices and ResourceServerProperties).
Are there any replacements of them?
Thanks
Try it this. it's helped me with Oauth2 after migration to SpringBoot 2.
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.0.0.RELEASE</version>
</dependency>
Quoting Spring Boot 2.0.0.M5 release notes
Functionality from the Spring Security OAuth project is being migrated
to core Spring Security. OAuth 2.0 client support has already been
added and additional features will be migrated in due course.
If you depend on Spring Security OAuth features that have not yet been
migrated you will need to add
org.springframework.security.oauth:spring-security-oauth2 and
configure things manually. If you only need OAuth 2.0 client support
you can use the auto-configuration provided by Spring Boot 2.0. We’re
also continuing to support Spring Boot 1.5 so older applications can
continue to use that until an upgrade path is provided.
I think you have to define oauth2 dep, like
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>

spring-boot-starter-tomcat vs spring-boot-starter-web

I'm trying to learn Spring boot and I notice there are two options.
spring-boot-starter-web - which according to the docs gives support for full-stack web development, including Tomcat and web-mvc
spring-boot-starter-tomcat
Since #1 supports Tomcat why would one want to use #2?
What are the differences?
Thanks
Since #1 supports Tomcat why would one want to use #2?
spring-boot-starter-web contains spring-boot-starter-tomcat. spring-boot-starter-tomcat could potentially be used on its own if spring mvc isn't needed (contained in spring-boot-starter-web).
Here is the dependency hierarchy of spring-boot-starter-web:
What are the differences?
spring-boot-starter-web contains spring web dependencies (including spring-boot-starter-tomcat):
spring-boot-starter
jackson
spring-core
spring-mvc
spring-boot-starter-tomcat
spring-boot-starter-tomcat contains everything related to an embdedded tomcat server:
core
el
logging
websocket
What if you want to use spring mvc without the embedded tomcat server?
Just exclude it from the dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
Well a simple answer is that not all web applications are SpringMVC applications. For example if you wish to use JaxRS instead perhaps you have client applications that use RestTemplate and you like how they interact it doesn't mean you can't use spring boot or embedded tomcat
Here is an example application that uses spring-boot-starter-tomcat but not spring-boot-starter-web
Simple Jersey application in spring boot using spring-boot-starter-tomcat
https://github.com/spring-projects/spring-boot/tree/master/spring-boot-samples/spring-boot-sample-jersey
It's also important to remember that tomcat is not the only option for an embedded servlet container in spring boot. It's also easy to get started using jetty. And having spring-boot-starter-tomcat makes it easy to exclude all as one module while if they were all just part of spring-web it would be more work to exclude the tomcat libraries to bring in spring-boot-starter-jersey instead
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jetty</artifactId>
</dependency>
I copied this code from another SO question here.
How to configure Jetty in spring-boot (easily?)

spring-boot-starter versus spring-boot-starter-xxx

I noticed that the Spring Boot Sample Data Redis declares the following dependencies:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-redis</artifactId>
</dependency>
See here for full POM: https://github.com/spring-projects/spring-boot/blob/v1.0.0.RC4/spring-boot-samples/spring-boot-sample-data-redis/pom.xml
I see no mention of the <artifactId>spring-boot-starter-redis</artifactId>
My question is: when do I use spring-boot-starter versus spring-boot-starter-xxx where xxx is the name of the project (here Redis)?
The answer to the specific question: spring-boot-starter is a baseline for the others, and for standalone (non-web) apps that don't use any other Spring components - it has basic support for Spring, Logging, and Testing, but nothing else (no webapp features, no database etc.). Since all the other starters depend on it, once you use another one you can remove the vanilla starter. EDIT: see here https://github.com/spring-projects/spring-boot/commit/77fd127e09963a844f8fb4e574e1f0d9d3424d4e.
Up to you on the redis starter, but I would use the starter if it exists, since it will typically cut down on the number of dependencies you need to declare. The redis one actually doesn't add a lot of value (hence it didn't exist until recently), but it probably ought to be used in the sample.

Resources