1. Overview
The Spring Cloud Security module provides features related to token-based security in Spring Boot applications.
Specifically, it makes OAuth2-based SSO easier – with support for relaying tokens between Resource Servers, as well as configuring downstream authentication using an embedded Zuul proxy.
In this quick article, we’ll have a look at how we can configure these features using a Spring Boot client application, an Authorization Server and a REST API working as a Resource Server.
Note that for this example, we only have one Client application that uses SSO to demonstrate the cloud security features – but in a typical scenario, we would have at least two client applications to justify the need for Single Sign-On.
2. Quick Start a Cloud Security App
Let’s start by configuring SSO in a Spring Boot application.
First, we need to add the spring-cloud-starter-oauth2 dependency:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<version>2.2.2.RELEASE</version>
</dependency>
This will also bring in the spring-cloud-starter-security dependency.
We can configure any social site as an Auth Server for our site or we can use our own server. In our case, we’ve chosen the latter option and configured an application that acts as an Authorization Server – which is deployed locally at http://localhost:7070/authserver.
Our authorization server uses JWT tokens.
Additionally, for any Client to be able to retrieve the credentials of a user, we need to configure our Resource Server, running on port 9000, with an endpoint which can serve these credentials.
Here, we’ve configured a /user endpoint that is available at http://localhost:9000/user.
For more details on how to set up an Authorization Server and a Resource Server, check out our previous article here.
We can now add the annotation in a configuration class in our Client application:
@Configuration
public class SiteSecurityConfigurer {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.oauth2Login();
// ...
}
}
Any requests that require authentication will be redirected to the Authorization Server. For this to work we also have to define the server properties:
spring:
security:
oauth2:
client:
registration:
baeldung:
client-id: authserver
client-secret: passwordforauthserver
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
provider:
baeldung:
token-uri: http://localhost:7070/authserver/oauth/token
authorization-uri: http://localhost:7070/authserver/oauth/authorize
user-info-uri: http://localhost:9000/user
Note that we need to have spring-boot-starter-security in our classpath to find the above configuration working.
3. Relaying Access Tokens
While relaying a token, an OAuth2 Client forwards the OAuth2 token received by it to an outgoing resource request.
Spring Security exposes an OAuth2AuthorizedClientService, which is useful for creating RestTemplate interceptors Based on this, we can create our own RestTemplate in our client application:
@Bean
public RestOperations restTemplate(OAuth2AuthorizedClientService clientService) {
return new RestTemplateBuilder().interceptors((ClientHttpRequestInterceptor)
(httpRequest, bytes, execution) -> {
OAuth2AuthenticationToken token =
OAuth2AuthenticationToken.class.cast(SecurityContextHolder.getContext()
.getAuthentication());
OAuth2AuthorizedClient client =
clientService.loadAuthorizedClient(token.getAuthorizedClientRegistrationId(),
token.getName());
httpRequest.getHeaders()
.add(HttpHeaders.AUTHORIZATION, "Bearer " + client.getAccessToken()
.getTokenValue());
return execution.execute(httpRequest, bytes);
}).build();
}
Once we’ve configured the bean*,* the context will forward the access token to the requested services and will also refresh the token if it expires.
4. Relaying an OAuth Token Using the RestTemplate
We previously defined a restOperations bean of type RestTemplate in our Client application. As a result, we can use the getForObject() method of RestTemplate to send a request with the necessary tokens to a protected Resource server from our client.
First, let’s define an endpoint which requires authentication in our Resource Server:
@GetMapping("/person")
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){
return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");
}
This is a simple REST endpoint that returns a JSON representation of a Person object.
Now, we can send a request from the Client application using the getForObject() method which will relay the token to the Resource Server:
@Autowired
private RestOperations restOperations;
@GetMapping("/personInfo")
public ModelAndView person() {
ModelAndView mav = new ModelAndView("personinfo");
String personResourceUrl = "http://localhost:9000/person";
mav.addObject("person",
restOperations.getForObject(personResourceUrl, String.class));
return mav;
}
5. Configuring Zuul for Token Relay
If we’d like to relay a token downstream to the proxy services, we can use Spring Cloud Zuul Embedded Reverse Proxy.
First, we need to add the Maven dependency for working with Zuul:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-zuul</artifactId>
</dependency>
Next, we need to add the @EnableZuulProxy annotation on to our configuration class in the Client application:
@EnableZuulProxy
@Configuration
public class SiteSecurityConfigurer {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.oauth2Login();
// ...
}
}
All that’s left to do is add the Zuul configuration properties to our application.yml file:
zuul:
sensitiveHeaders: Cookie,Set-Cookie
routes:
resource:
path: /api/**
url: http://localhost:9000
user:
path: /user/**
url: http://localhost:9000/user
Any request coming to the /api endpoint of the Client application will be redirected to the Resource Server URL. We also need to provide the URL of the user credentials endpoint.