Spring Boot Oauth2 Dependency - spring

I want to create a simple program based upon oauth2 authentication including Auth server, resource server and client. I found there are various dependencies used by online tutorials. I am confused why spring provides so many dependencies for oauth2. What is the difference between the dependencies below, and when should each be used? And which oauth2 dependency comes with springboot?
The first line is the group-id and the next line is the artifact-id:
1. org.springframework.security
   spring-security-oauth2-client
2. org.springframework.security
   spring-security-oauth2-jose
3. org.springframework.security
   spring-security-oauth2-core
4. org.springframework.security
   spring-security-oauth2-resource-server
5. org.springframework.security.oauth
   spring-security-oauth2
6. org.springframework.security.oauth.boot
   spring-security-oauth2-autoconfigure
7. org.springframework.cloud
   spring-cloud-starter-oauth2

If you want to create a simple program based upon oauth2, then you can use the dependency from point 7, and spring-cloud-starter will pick up the dependencies itself for your version of Spring & Spring Cloud :)
The last point (7) contains all of the above. But if you don't need all the dependencies from 7, then import them into the project separately (1-6).

Related

Spring Boot requires spring-boot-starter-security as a dependency for ssl

I inherited a Spring Boot application (version 1.5.8). I think it reads an external foo.properties file, then creates a Map object having key/value pairs, and then SpringApplication.setDefaultProperties consumes it.
When I inspected the properties file, it has many ssl related key/value properties
server.ssl.key-alias=<some_value>
server.ssl.key-password=<some_value>
server.ssl.key-store=<some_value>
server.ssl.key-store-type=<some_value>
From its pom.xml file I don't see spring-boot-starter-security as a dependency though. My assumption is that this is OK. Although, as a newbie, when I went through a simple tutorial of Spring Boot in regard to ssl, it had the aforementioned lib as a dependency.
I plan to add more ssl key/value pairs like:
server.ssl.enabled=<some_value>
server.ssl.ciphers=<some_value>
server.ssl.protocol=<some_value>
My question is do I need spring-boot-starter-security lib as a dependency or not. I am sure I'd find out once I update/execute the application but I decided to ask first if anyone knows in advance. My initial research didn't come up with an answer I was looking for.
Update:
From its pom.xml, I see the following added as dependencies. Another attempt at research makes me believe spring-boot-starter comes with spring-boot-starter-security, but I am not positive about this.
spring-boot-starter
spring-boot-starter-log4j2
spring-boot-starter-web
No, you definitely don't need spring-boot-starter-security to enable SSL/TLS in your Spring Boot application.
As described in the Spring Boot documentation, you can enable SSL declaratively by setting the various server.ssl.* properties, typically in application.properties or application.yml.
Refer to the Ssl class for details of all of the supported properties. You may also consider checking the Spring Boot common application properties (in particular the server properties).
No.
Spring Boot does not need security for SSL; it's a Tomcat issue. I recommend you read this tutorial

spring-security-oauth2 vs spring-security-oauth2-core in Spring

What is the difference between spring-security-oauth2 and spring-security-oauth2-core in spring?
Is spring-security-oauth2 substituted by spring-security-oauth2-core?
spring-security-oauth2 release link :
http://repo.spring.io/release/org/springframework/security/oauth/spring-security-oauth2/
spring-security-oauth2-core release link
http://repo.spring.io/release/org/springframework/security/spring-security-oauth2-core/
Yes there is a big difference. spring-security-oauth2 (Spring Security OAuth Project) is no longer being actively developed.
Moving forward, it will be implemented in Spring Security 5 (in spring-security-oauth2-core). It's pretty confusing because many tutorials use the previous Spring Security OAuth (@EnableResourceServer, @EnableAuthorizationServer, and @EnableOAuth2Sso annotations usually give it away).
The first link is related to Spring 4 and its matching Spring Security versions. You can verify this in the pom.xml files.
The second link is related to Spring 5 and Spring Security 5. Not only is this directly apparent from the version you see mentioned in that link but you can find the dependency directly named in the Spring Security 5 documentation.
The difference is described in the spring git repository
https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
it is the old library: security/oauth/spring-security-oauth2/
As you see, the library is in the 'oauth' group of spring-security.
I don't recommend using the old library as a client because there are many unresolved issues, including the issue about the storing of clientContext (the library uses a proxy instead of the plain entity; for that reason you will have issues when you use MA with a distributed cache). Also, it doesn't allow using several OAuth2.0 providers simultaneously (only one).
At the same time, that library provides a significant advantage: the ability to use an Authorization Server, which isn't implemented in the new library.

spring-security-oauth2 vs spring-cloud-starter-oauth2

I am working on building an oAuth2 application using spring boot. However, there are various sample projects in Github using spring-security-oauth2 and spring-cloud-starter-oauth2.
Do we have specific scenarios where we can use a specific jar among both for an application?
Though Spring Cloud is mainly used for distributed systems, there are a lot of implementations on Github using spring-cloud-starter-oauth2 even for non-distributed applications. Thanks.
To resolve complex dependency management, Spring Boot starters were introduced. Starter POMs are a set of dependency descriptors (each combines multiple commonly used dependencies into one POM) which you could otherwise include in your application individually by hand. Starters are available for web, test, data jpa, security, mailing and more. If it is not a starter, it is a module: a simple artifact.
If you want to work with web, you could include tomcat, mvc and jackson all by yourself (manually) - a lot of dependencies for a single simple application. Instead, you just introduce one starter dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
Coming to your question:
spring-security-oauth2 is an artifact of the group org.springframework.security.oauth which supports oAuth2 (only) for Spring Security (not cloud), whereas spring-cloud-starter-oauth2 is a set of multiple dependencies, like the web starter dependency above. It is the OAuth2 starter for Spring Cloud, so it applies only if you are working with Spring Cloud. This starter comes with a bundle of out-of-the-box dependencies underneath the OAuth2 framework for Spring Cloud, like SSO and the OAuth2 client.
Spring initially moved oauth2 to the Spring Cloud starter, but as of version 2.4.0.M1 it was moved to Spring Security. You will be able to verify on start.spring.io that the oauth2 cloud dependency is only in version >=2.0.0.RELEASE and <2.4.0.M1

Spring Boot and dependency for spring-security-jwt

I'm migrating a Spring Boot project from boot 1.5.x to 2.0.x.
In the 1.5.x project I see that the following dependency is being used:
dependencies {
    ...
    compile("org.springframework.security:spring-security-jwt")
    ...
}
The version of the spring-security-jwt is managed by Spring and I can verify that here. Namely:
<spring-security-jwt.version>1.0.9.RELEASE</spring-security-jwt.version>
The same dependency fails to resolve when I move to Boot 2 because it is no longer managed by Spring. I can verify that here...
Is this a bug or it is removed and included in another lib? Somehow I can't find clues in the docs... Shall I manage the version manually now?
The spring-security-jwt (and OAuth as well I guess) are now obsolete. Spring Security 5 added that support to the core library instead of an extension of the framework.
See here for a list of tickets related to the core JWT and OAuth support.
So in short you don't need that dependency anymore, although if you have custom filters and functionality built around it, that would require using different classes/packages and features.
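An added example (not part of any answer on this page, and not Spring project code): a small Python check that reads a pom.xml and labels OAuth2-related dependencies using the distinctions the answers above draw, namely the old 'oauth' group, spring-security-jwt and the Spring Cloud starter versus the Spring Security 5 modules. The function names and the sample POM are constructed for illustration, and counting the org.springframework.security.oauth.boot subgroup with the old project is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Spring Security 5 OAuth2 modules, as listed in the first question on this page.
SS5_MODULES = {"spring-security-oauth2-core", "spring-security-oauth2-client",
               "spring-security-oauth2-jose", "spring-security-oauth2-resource-server"}

def classify(group_id, artifact_id):
    """Return (status, note) for a Maven coordinate, or None if it is not OAuth2-related."""
    coord = (group_id, artifact_id)
    # Assumption: the .oauth.boot subgroup is counted with the old 'oauth' group.
    if group_id.startswith("org.springframework.security.oauth"):
        return ("legacy", "old Spring Security OAuth project ('oauth' group)")
    if coord == ("org.springframework.security", "spring-security-jwt"):
        return ("legacy", "described on this page as obsolete since Spring Security 5")
    if coord == ("org.springframework.cloud", "spring-cloud-starter-oauth2"):
        return ("legacy", "Spring Cloud starter, Boot >=2.0.0.RELEASE and <2.4.0.M1 per this page")
    if group_id == "org.springframework.security" and artifact_id in SS5_MODULES:
        return ("current", "Spring Security 5 OAuth2 module")
    return None

def audit_pom(pom_xml):
    """Parse pom.xml text; return [(groupId, artifactId, status, note), ...]."""
    findings = []
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "dependency":  # strip the POM namespace
            fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
            verdict = classify(fields.get("groupId", ""), fields.get("artifactId", ""))
            if verdict:
                findings.append((fields["groupId"], fields["artifactId"], *verdict))
    return findings

def mixes_generations(findings):
    """True when one build pulls in both the old project and Spring Security 5 modules."""
    return {"legacy", "current"} <= {f[2] for f in findings}

# Constructed sample POM (not taken from any project on this page).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId></dependency>
  <dependency><groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-resource-server</artifactId></dependency>
  <dependency><groupId>org.springframework.security</groupId>
    <artifactId>spring-security-jwt</artifactId></dependency>
  <dependency><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for g, a, status, note in audit_pom(SAMPLE_POM):
        print(f"{status:8} {g}:{a}  ({note})")
```

A build for which mixes_generations returns True carries both generations of the OAuth2 stack and is worth reviewing before a Boot 1.5.x to 2.x migration.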

What are the differences between spring security providers? (Spring Roo 2 M3)

Well, I'm building a personal project to learn Spring Roo 2. Now I'm struggling with Spring Security. There is little information about Spring Roo 2 on Google, and a lot of relatively useful information on Spring Boot relating to Spring Roo.
With the command "security setup" you get the "--provider" option.
This is the description that the help gives you:
optional --provider: The Spring Security provider to install. Possible values are: DEFAULT (default Spring Security configuration provided by Spring Boot will be used), and SPRINGLETS_JPA (advanced Spring Security configuration will be included using Springlets JPA Authentication).; default: 'DEFAULT'
I couldn't find the difference between these two options, even on the spring roo M3 reference documentation. Even searching for "Springlets JPA Authentication" gives no information about it.
Anyone has any clue about this?
Thanks
These are the main differences between these two providers:
DEFAULT: Is the default Spring Security auto-configuration provided by Spring Boot when you include the spring-boot-starter-security in your project classpath. This is the default option because Spring Roo always tries to generate applications that use the auto-configuration provided by Spring Boot.
Selecting this provider, the following changes will be applied to your project:
spring-boot-starter-security dependency will be included in your pom.xml file
If you want to know more information about this configuration you should check the spring boot reference guide
SPRINGLETS_JPA: If you select this provider, the default Spring Security auto-configuration provided by Spring Boot will be used. In addition, this provider will include the Springlets library in your classpath, which provides some extra starters to auto-configure advanced Spring Security properties. It also configures the security authentication to use a user from the database instead of the default in-memory authentication provided by Spring Boot auto-configuration. You will be able to manage this configuration using the application.properties file and including the properties springlets.security.auth.in-memory.enabled and springlets.security.auth.in-memory.erase-credentials.
Selecting this provider, the following changes will be applied to your project:
springlets-boot-starter-authentication dependency will be included in your pom.xml file
security.enable-csrf=true property will be included to enable CSRF. Know more about CSRF and Spring Security here
To know more about the Springlets Security project check the Springlets project page
Hope it helps,
