So far I've seen 2 ways of using OAuth in Spring security, one is the filter approach, as in https://spring.io/guides/tutorials/spring-boot-oauth2/ and the other one is through configuring HttpSecurity, as in http://www.baeldung.com/spring-security-5-oauth2-login
I wonder what's the difference/relation between these 2 methods?
Thanks in advance
Related
i m new with spring security.
I want to know if it's possible to have jwt authentication server separate from resource server,
If possible i need a working example.
Thanks!
You could find an example with Oauth2 and Spring Boot 2.1.9.RELEASE here:
https://github.com/buddhiprab/springboot-oauth2-separating-authorization_server-and-resource_server
All the explanation of this example is here: https://medium.com/#buddhiprabhath/spring-boot-oauth-2-0-separating-authorization-service-and-resource-service-1641ebced1f0
This is doing with the client-credentials flow from OAuth2.
Here is another example using password flow:
https://www.javainuse.com/spring/springboot-oauth2-password-grant
Here's an example that shows a separate auth and resource server. This is from Joe Grandja, who is one of the primary authors of Spring Security:
Old way; Spring Security version 5.1 or earlier with separate spring-security-oauth library: https://github.com/jgrandja/spring-security-oauth-2-4-migrate
New way; Spring Security 5.2+: https://github.com/jgrandja/spring-security-oauth-5-2-migrate
Thank`s everyone! i start to understand how it works! i want to integrate jwt now!
I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
i have my web app builded with Angular 4/5 and Spring Boot. Now i want to add user-accounts to my app and there i have some problems. I would like have my Auth serwer (in Spring Boot) and also i want use providers like Facebook and Google. There is my first question, when user will choose Facebook to auth, then how my resource server will know who is asking for resource. When i use my own Auth serwer i am doing it like this:
#GetMapping("/user/name")
public ResponseEntity<String>(Principle principle) {
return new ResponseEntity<String>(principle.getName(), HttpStatus.OK);
}
and this is working, but how to get user username when user is using Facebook or Google auth?
My second questions is how to properly handle expire Tokens time in Angular 4.
My third and last questions. Some resources from my server will be availible for
not logged user(annonymous) so how can i protect my resources to prevent other's than my clients using my API?
If you have some advices or examples, please help!
Don't worry about the rude comment on your question, Single Sign-On (SSO) can be pretty complicated.
If your using Facebook and Google as optional SSO providers then what you have to realize is that those providers are going to give you some sort of unique identifier along side the user information when you request it.
Spring Security and the corresponding Spring Boot auto configuration has some pretty good support for linking SSO user information to a Principal. Ill add some good references below to help understand Springs solution for this. I'm going to assume Spring Boot 2 and Spring Security 5 since your versions aren't listed.
Spring Boot 2 OAuth2.0 Client Configuration
Spring Security 5 Custom OIDC User Service
[VIDEO] Next Generation OAuth Support with Spring Security 5.0 - Joe Grandja
You can also look into Spring Social if your looking to do more than just SSO.
I need to add a workflow engine on my web application.
I use Form-Based Authentication for my login.
I tried to use Spring Webflow, but as I was searching, I realised that every link I have found, refers also to Spring Security.
Therefor, I would like to know, if I can use Spring Webflow without Spring Security.
Does Spring Webflow work without Spring Security or not?
In case you know the answer, please leave a comment below.
Thank you in advance.
Developed Rest API using Java/Spring MVC
Can we provide authentication for RestAPI? If yes, How?
Now I am struggling with authentication for RestApi. Can anyone send some examples regarding the same.
Accessing rest API through AJAX request.
Since you are already using Spring, you can use Spring security to provide security related functionality. This can give you one stop solution for your security needs. Common security mechanisms for Rest API's (basic, digest) and features are supported out of box and it's very easy to add your custom security too. For a start tutorial you can have a look here