Using Spring Security OAuth for secure authorization in Java API development
Jun 18, 2023 am 08:01 AM
A common requirement in Java API development is to implement user authentication and authorization functions. In order to provide more secure and reliable API services, the authorization function has become particularly important. Spring Security OAuth is an excellent open source framework that can help us implement authorization functions in Java APIs. This article will introduce how to use Spring Security OAuth for secure authorization.
- What is Spring Security OAuth?
Spring Security OAuth is an extension of the Spring Security framework, which can help us implement OAuth authentication and authorization functions.
OAuth is an open standard for authorizing third-party applications to access resources. It can help us achieve business logic decoupling and secure applications. The OAuth authorization process usually includes the following roles:
- User: the owner of the resource;
- Client: the application that applies to access user resources;
- Authorization server: Server that handles user authorization;
- Resource server: Server that stores user resources;
- Authorization process
Spring Security OAuth implements OAuth Four endpoints in the authorization process:
- /oauth/authorize: the authorization endpoint of the authorization server;
- /oauth/token: the token endpoint of the authorization server;
- /oauth/confirm_access: The endpoint for the client to confirm the authorization;
- /oauth/error: The endpoint for the authorization server error message;
Spring Security OAuth implements the four aspects of OAuth 2.0 Large authorization mode:
- Authorization code mode: The usage scenario is that user authorization is required when the application is started;
- Password mode: The usage scenario is that the client manages user credentials independently;
- Simplified mode: The usage scenario is that the client runs in the browser, and the client does not need to protect user credentials;
- Client mode: The usage scenario is that the client does not require user authorization, and the requested access token Only represents the client itself;
- Add Spring Security OAuth dependency
Add Spring Security OAuth dependency in the project. Configure the following in pom.xml:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.4.RELEASE</version>
</dependency>- Configure the authorization server
We need to define the authorization server for authorization. In Spring Security OAuth, you can define an authorization server by enabling an OAuth2 authentication server and implementing the AuthorizationServerConfigurer interface.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
TokenStore tokenStore;
@Autowired
AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.secret("{noop}secret")
.authorizedGrantTypes("client_credentials", "password")
.scopes("read", "write")
.accessTokenValiditySeconds(3600)
.refreshTokenValiditySeconds(7200);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}In the above code, we define a memory-based client details service, configure the authorization type as client_credentials and password, and also specify the validity period of the access token and the validity period of the refresh token. Additionally, we define the endpoints and their required tokenStore and authenticationManager.
- Configure the resource server
To use Spring Security OAuth security authorization, we also need to configure the resource server. In Spring Security OAuth, we can define resource servers by implementing the ResourceServerConfigurer interface.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**").authenticated()
.anyRequest().permitAll();
}
@Override
public void configure(ResourceServerSecurityConfigurer config) throws Exception {
config.resourceId("my_resource_id");
}
}In the above code, we defined /api/** to give authentication while other requests allow anonymous access. We also configure the resource ID "my_resource_id" for use in subsequent authorization processes.
- Configuring Web Security
In order to use Spring Security OAuth security authorization, we also need to configure Web security. In Spring Security OAuth, security can be defined by implementing the SecurityConfigurer interface.
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("{noop}password")
.roles("USER");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/oauth/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll();
}
}In the above code, we define a memory-based user details service and declare requests that require authentication (that is, all paths following /oauth/** require authentication, and other paths can be accessed anonymously). We also configured a simple form login for users to log into the application.
- Implement UserDetailsService
We need to implement the UserDetailsService interface for use in security authorization. Here we directly use memory to save user accounts and passwords, and do not involve database operations.
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if ("user".equals(username)) {
return new User("user", "{noop}password",
AuthorityUtils.createAuthorityList("ROLE_USER"));
} else {
throw new UsernameNotFoundException("username not found");
}
}
}- Implementing API
Next we need to implement a simple API. We added a getGreeting() API under the /api/** path to return a greeting to the client.
@RestController
@RequestMapping("/api")
public class ApiController {
@GetMapping("/greeting")
public String getGreeting() {
return "Hello, World!";
}
}- Testing the authorization process
Finally, we need to test whether the authorization process is running as expected. First, we use the authorization code mode to obtain the authorization code:
http://localhost:8080/oauth/authorize?response_type=code&client_id=client&redirect_uri=http://localhost:8080&scope=read
Visit the above URL in your browser, you will be asked to enter your username and password for authorization. Enter the username user and password password and click Authorize, you will be redirected to http://localhost:8080/?code=xxx, where xxx is the authorization code.
Next, we use the password pattern to obtain the access token:
curl -X POST http://localhost:8080/oauth/token -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=password&client_id=client&client_secret=secret'
You will receive a JSON response containing the access token and refresh token:
{
"access_token":"...",
"token_type":"bearer",
"refresh_token":"...",
"expires_in":3600,
"scope":"read"
}Now you can use this access token to access the API service:
curl -X GET http://localhost:8080/api/greeting -H 'authorization: Bearer xxx'
where xxx is your access token. You will receive a JSON response containing the greeting "Hello, World!".
In this article, we introduce how to use Spring Security OAuth for secure authorization. Spring Security OAuth is a very powerful framework that can help us implement all roles in the OAuth authorization process. In practical applications, we can choose different authorization modes and service configurations according to different security requirements.
The above is the detailed content of Using Spring Security OAuth for secure authorization in Java API development. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is a Singleton design pattern in Java?
Jul 09, 2025 am 01:32 AM
Singleton design pattern in Java ensures that a class has only one instance and provides a global access point through private constructors and static methods, which is suitable for controlling access to shared resources. Implementation methods include: 1. Lazy loading, that is, the instance is created only when the first request is requested, which is suitable for situations where resource consumption is high and not necessarily required; 2. Thread-safe processing, ensuring that only one instance is created in a multi-threaded environment through synchronization methods or double check locking, and reducing performance impact; 3. Hungry loading, which directly initializes the instance during class loading, is suitable for lightweight objects or scenarios that can be initialized in advance; 4. Enumeration implementation, using Java enumeration to naturally support serialization, thread safety and prevent reflective attacks, is a recommended concise and reliable method. Different implementation methods can be selected according to specific needs
How to analyze a Java heap dump?
Jul 09, 2025 am 01:25 AM
Analyzing Java heap dumps is a key means to troubleshoot memory problems, especially for identifying memory leaks and performance bottlenecks. 1. Use EclipseMAT or VisualVM to open the .hprof file. MAT provides Histogram and DominatorTree views to display the object distribution from different angles; 2. sort in Histogram by number of instances or space occupied to find classes with abnormally large or large size, such as byte[], char[] or business classes; 3. View the reference chain through "ListObjects>withincoming/outgoingreferences" to determine whether it is accidentally held; 4. Use "Pathto
What is a ThreadLocal in Java?
Jul 09, 2025 am 02:25 AM
ThreadLocal is used in Java to create thread-private variables, each thread has an independent copy to avoid concurrency problems. It stores values ??through ThreadLocalMap inside the thread. Pay attention to timely cleaning when using it to prevent memory leakage. Common uses include user session management, database connections, transaction context, and log tracking. Best practices include: 1. Call remove() to clean up after use; 2. Avoid overuse; 3. InheritableThreadLocal is required for child thread inheritance; 4. Do not store large objects. The initial value can be set through initialValue() or withInitial(), and the initialization is delayed until the first get() call.
Java Optional example
Jul 12, 2025 am 02:55 AM
Optional can clearly express intentions and reduce code noise for null judgments. 1. Optional.ofNullable is a common way to deal with null objects. For example, when taking values ??from maps, orElse can be used to provide default values, so that the logic is clearer and concise; 2. Use chain calls maps to achieve nested values ??to safely avoid NPE, and automatically terminate if any link is null and return the default value; 3. Filter can be used for conditional filtering, and subsequent operations will continue to be performed only if the conditions are met, otherwise it will jump directly to orElse, which is suitable for lightweight business judgment; 4. It is not recommended to overuse Optional, such as basic types or simple logic, which will increase complexity, and some scenarios will directly return to nu.
How to iterate over a Map in Java?
Jul 13, 2025 am 02:54 AM
There are three common methods to traverse Map in Java: 1. Use entrySet to obtain keys and values at the same time, which is suitable for most scenarios; 2. Use keySet or values to traverse keys or values respectively; 3. Use Java8's forEach to simplify the code structure. entrySet returns a Set set containing all key-value pairs, and each loop gets the Map.Entry object, suitable for frequent access to keys and values; if only keys or values are required, you can call keySet() or values() respectively, or you can get the value through map.get(key) when traversing the keys; Java 8 can use forEach((key,value)->
How to fix java.io.NotSerializableException?
Jul 12, 2025 am 03:07 AM
The core workaround for encountering java.io.NotSerializableException is to ensure that all classes that need to be serialized implement the Serializable interface and check the serialization support of nested objects. 1. Add implementsSerializable to the main class; 2. Ensure that the corresponding classes of custom fields in the class also implement Serializable; 3. Use transient to mark fields that do not need to be serialized; 4. Check the non-serialized types in collections or nested objects; 5. Check which class does not implement the interface; 6. Consider replacement design for classes that cannot be modified, such as saving key data or using serializable intermediate structures; 7. Consider modifying
Python web scraping dynamic content
Jul 10, 2025 pm 12:18 PM
Dynamic web crawling can be achieved through an analysis interface or a simulated browser. 1. Use browser developer tools to view XHR/Fetch requests in the Network, find the interface that returns JSON data, and use requests to get it; 2. If the page is rendered by the front-end framework and has no independent interface, you can start the browser with Selenium and wait for the elements to be loaded and extracted; 3. In the face of the anti-crawling mechanism, headers should be added, frequency control, proxy IP should be used, and verification codes or JS rendering detection should be carried out according to the situation. Mastering these methods can effectively deal with most dynamic web crawling scenarios.
Comparable vs Comparator in Java
Jul 13, 2025 am 02:31 AM
In Java, Comparable is used to define default sorting rules internally, and Comparator is used to define multiple sorting logic externally. 1.Comparable is an interface implemented by the class itself. It defines the natural order by rewriting the compareTo() method. It is suitable for classes with fixed and most commonly used sorting methods, such as String or Integer. 2. Comparator is an externally defined functional interface, implemented through the compare() method, suitable for situations where multiple sorting methods are required for the same class, the class source code cannot be modified, or the sorting logic is often changed. The difference between the two is that Comparable can only define a sorting logic and needs to modify the class itself, while Compar
