I'm trying to start a new simple project with SpringBoot using AWS Cognito for authentication/authorization
Following some guide on web i found some different configuration, for example:
https://www.baeldung.com/spring-security-oauth-cognito
https://wilkom2009.hashnode.dev/how-to-secure-spring-boot-rest-api-endpoints-with-amazon-cognito
In the Baeldung is used only the spring module spring-security-oauth2-jose while in the second guide use only spring-boot-starter-oauth2-resource-server and he configures the resource-server. Both the configuration allow the user to login and access to application.
I can't figure out the difference between this 2 configuration and when I should use one instead of another.
In other guide i saw use both together.
Thanks to all
I'm trying to create a simple angular single page application.
The Baeldung article looks like it is just using Spring and not Spring Boot. So they wouldn't use spring-boot-starter modules.
If you are using Spring Boot you should be able use the spring-boot-starter-oauth2-resource-server and follow the second guide.
spring-security-oauth2-jose is actually a dependency of spring-boot-starter-oauth2-resource-server and is used by it under the hood.
Related post about spring-boot-starter vs spring modules:
What is the difference between spring-boot-starter-oauth2-client, spring-cloud-starter-oauth2 and spring-security-oauth2
Just for fun, a 3rd solution: the 2nd of my tutorials has a profile for Cognito (see the properties file). It is shorter / simpler than what you referenced and enables Role Based Access Control (using Cognito roles, not just the default scope claim)
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
<version>6.0.8</version>
</dependency>
#EnableMethodSecurity
public static class SecurityConfig {
}
com.c4-soft.springaddons.security.issuers[0].location=https://cognito-idp.us-west-2.amazonaws.com/us-west-2_change-me
com.c4-soft.springaddons.security.issuers[0].authorities.claims=cognito:groups,scp
com.c4-soft.springaddons.security.cors[0].path=/your-api-path
com.c4-soft.springaddons.security.permit-all=/what,/should/be,/accessible,/to,/anonymous
Also, be sure to use a certified OpenID lib on client side. My favorite for Angular is angular-auth-oidc-client.
Related
I'm studying in details the use of spring security (not only oauth), so I'm following this official guide: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle.
This guide have Oauth section and following it I got everything works. But after another research in internet a found a another guide (from pivotal too): https://spring.io/guides/tutorials/spring-boot-oauth2/.
This second guide use others classes that don't exist in first guide, and other way to configure spring Oauth.
I'm very confused what guide should I follow and what is "more correct".
Both guides are correct.
The first guide you mentioned (https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle) uses the newer OAuth 2.0 functionality in the Spring Security project, so it's recommended you use that one.
To give you some background, functionality from the Spring Security OAuth project is being migrated to core Spring Security.
The first guide you mentioned uses core Spring Security, and the second guide uses the Spring Security OAuth project.
For more information on the features available in the various projects, as well as FAQs, you can check out the OAuth 2.0 Features Matrix.
What is the difference between spring-security-oauth2 and spring-security-oauth2-core in spring?
Is spring-security-oauth2 substituted by spring-security-oauth2-core?
spring-security-oauth2 release link :
http://repo.spring.io/release/org/springframework/security/oauth/spring-security-oauth2/
spring-security-oauth2-core release link
http://repo.spring.io/release/org/springframework/security/spring-security-oauth2-core/
Yes there is a big difference. spring-security-oauth2 (Spring Security OAuth Project) is no longer being actively developed.
Moving forward, it will be implemented in Spring Security 5 (in spring-security-oauth2-core). It's pretty confusing because many tutorials use the previous Spring Security OAuth (#EnableResourceServer, #EnableAuthorizationServer, and #EnableOAuth2Sso annotations usually give it away).
The first link is related to Spring 4 and it's matching Spring Security versions. You can verify this in the pom.xml files.
The second link is related to Spring 5 and Spring Security 5. Not only is this directly apparent from the version you see mentioned in that link but you can find the dependency directly named in the Spring Security 5 documentation.
The difference is described in the spring git repository
https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
it is the old library: security/oauth/spring-security-oauth2/
As you see, the library is in the 'oauth' group of spring-security.
I don't recommend using the old library as a client because there are many unresolved issues including the issue about the storing of clientContext (the library use proxy instead of the plain entity for that reason you will have issues when you use MA with distributed cache ). Also, it doesn't allow to use several OAuth2.0 providers simultaneously (only one).
At the same time, that library provides a significant advantage, to use Authorization Server that doesn't implement in the new library.
I am working on building an oAuth2 application using spring boot. However, there are various sample projects in Github using spring-security-oauth2 and spring-cloud-starter-oauth2.
Do we have specific scenarios where we can use a specific jar among both for an application?
Though Spring cloud is mainly used for distributed systems. There are a lot of implementations on Github using spring-cloud-starter-oauth2 for even non-distributed applications. Thanks.
To resolve complex dependency management, Spring Boot starters were introduced. Starter POMs are a set of dependency descriptors (combines multiple commonly used dependencies into one POM) which otherwise you could also manually include in your application individually. Starters are available for web, test, data jpa, security, mailing and more. If it is not starter, it is a module: a simple artifact.
If you want to work with web, you could include tomcat, mvc and jackson all by yourself (manually) - a lot of dependencies for a single simple application. Instead, you just introduce one starter dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
Coming to your question:
spring-security-oauth2 is an artifact of group org.springframework.security.oauth which supports oAuth2 (only) for Spring Security (not cloud), whereas spring-cloud-starter-oauth2 is a set of multiple dependencies like a starter web dependency above. This is OAuth2 starter for Spring Cloud that is only if you are working with Spring cloud. This starter comes with bundle of out-of-the-box dependencies underneath the OAuth2 framework for Spring Cloud like SSO, OAuth2 client.
Spring initially moved oauth2 to spring cloud started but as of version 2.4.0.M1 it was moved to spring security. You will be able to verify on start.spring.io that oauth2 cloud dependency is only in version >=2.0.0.RELEASE and <2.4.0.M1
I am new to Spring and Couchdb. I have made a login interface in Spring that authenticates the user using Spring-Security.
Can anybody tell how to add user information at the time of log-in in a Couchdb Database ?
Well, there is no defintion of "spring-mvc annotation" based project.
In this case, someone is trying to differentiate between the usage of annotations and xml-configuration based dependency injection and project configuration.
In case you are not familiar with the old way of using spring-mvc, you might take a look on this example.
If you are planning to use spring-mvc in a new project, i would strongly recommend to use spring and spring-mvc with an annotation based style, as described in the spring reference.
I have a really simple question, that I just can't find the answer.
If I want to use only Spring Security, do I need Spring core or any other dependency?
In this link, in the bottom I see only spring security jars as dependencies, but still I couldn't get it to work. I only got it to work when I used a lot more of spring jars (core, context, and more).
So, what are the minimal dependencies I need for using Spring Security? All I need is an authorization and authentication framework, and I want as little dependencies as possible.
Thank you!
For every spring extension you need to use Srping core, because every extension is build on top of spring core