Using Spring Security OAuth for secure authorization in Java API development
Jun 18, 2023 am 08:01 AM
A common requirement in Java API development is to implement user authentication and authorization functions. In order to provide more secure and reliable API services, the authorization function has become particularly important. Spring Security OAuth is an excellent open source framework that can help us implement authorization functions in Java APIs. This article will introduce how to use Spring Security OAuth for secure authorization.
- What is Spring Security OAuth?
Spring Security OAuth is an extension of the Spring Security framework, which can help us implement OAuth authentication and authorization functions.
OAuth is an open standard for authorizing third-party applications to access resources. It can help us achieve business logic decoupling and secure applications. The OAuth authorization process usually includes the following roles:
- User: the owner of the resource;
- Client: the application that applies to access user resources;
- Authorization server: Server that handles user authorization;
- Resource server: Server that stores user resources;
- Authorization process
Spring Security OAuth implements OAuth Four endpoints in the authorization process:
- /oauth/authorize: the authorization endpoint of the authorization server;
- /oauth/token: the token endpoint of the authorization server;
- /oauth/confirm_access: The endpoint for the client to confirm the authorization;
- /oauth/error: The endpoint for the authorization server error message;
Spring Security OAuth implements the four aspects of OAuth 2.0 Large authorization mode:
- Authorization code mode: The usage scenario is that user authorization is required when the application is started;
- Password mode: The usage scenario is that the client manages user credentials independently;
- Simplified mode: The usage scenario is that the client runs in the browser, and the client does not need to protect user credentials;
- Client mode: The usage scenario is that the client does not require user authorization, and the requested access token Only represents the client itself;
- Add Spring Security OAuth dependency
Add Spring Security OAuth dependency in the project. Configure the following in pom.xml:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.4.RELEASE</version>
</dependency>- Configure the authorization server
We need to define the authorization server for authorization. In Spring Security OAuth, you can define an authorization server by enabling an OAuth2 authentication server and implementing the AuthorizationServerConfigurer interface.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
TokenStore tokenStore;
@Autowired
AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.secret("{noop}secret")
.authorizedGrantTypes("client_credentials", "password")
.scopes("read", "write")
.accessTokenValiditySeconds(3600)
.refreshTokenValiditySeconds(7200);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}In the above code, we define a memory-based client details service, configure the authorization type as client_credentials and password, and also specify the validity period of the access token and the validity period of the refresh token. Additionally, we define the endpoints and their required tokenStore and authenticationManager.
- Configure the resource server
To use Spring Security OAuth security authorization, we also need to configure the resource server. In Spring Security OAuth, we can define resource servers by implementing the ResourceServerConfigurer interface.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**").authenticated()
.anyRequest().permitAll();
}
@Override
public void configure(ResourceServerSecurityConfigurer config) throws Exception {
config.resourceId("my_resource_id");
}
}In the above code, we defined /api/** to give authentication while other requests allow anonymous access. We also configure the resource ID "my_resource_id" for use in subsequent authorization processes.
- Configuring Web Security
In order to use Spring Security OAuth security authorization, we also need to configure Web security. In Spring Security OAuth, security can be defined by implementing the SecurityConfigurer interface.
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("{noop}password")
.roles("USER");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/oauth/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll();
}
}In the above code, we define a memory-based user details service and declare requests that require authentication (that is, all paths following /oauth/** require authentication, and other paths can be accessed anonymously). We also configured a simple form login for users to log into the application.
- Implement UserDetailsService
We need to implement the UserDetailsService interface for use in security authorization. Here we directly use memory to save user accounts and passwords, and do not involve database operations.
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if ("user".equals(username)) {
return new User("user", "{noop}password",
AuthorityUtils.createAuthorityList("ROLE_USER"));
} else {
throw new UsernameNotFoundException("username not found");
}
}
}- Implementing API
Next we need to implement a simple API. We added a getGreeting() API under the /api/** path to return a greeting to the client.
@RestController
@RequestMapping("/api")
public class ApiController {
@GetMapping("/greeting")
public String getGreeting() {
return "Hello, World!";
}
}- Testing the authorization process
Finally, we need to test whether the authorization process is running as expected. First, we use the authorization code mode to obtain the authorization code:
http://localhost:8080/oauth/authorize?response_type=code&client_id=client&redirect_uri=http://localhost:8080&scope=read
Visit the above URL in your browser, you will be asked to enter your username and password for authorization. Enter the username user and password password and click Authorize, you will be redirected to http://localhost:8080/?code=xxx, where xxx is the authorization code.
Next, we use the password pattern to obtain the access token:
curl -X POST http://localhost:8080/oauth/token -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=password&client_id=client&client_secret=secret'
You will receive a JSON response containing the access token and refresh token:
{
"access_token":"...",
"token_type":"bearer",
"refresh_token":"...",
"expires_in":3600,
"scope":"read"
}Now you can use this access token to access the API service:
curl -X GET http://localhost:8080/api/greeting -H 'authorization: Bearer xxx'
where xxx is your access token. You will receive a JSON response containing the greeting "Hello, World!".
In this article, we introduce how to use Spring Security OAuth for secure authorization. Spring Security OAuth is a very powerful framework that can help us implement all roles in the OAuth authorization process. In practical applications, we can choose different authorization modes and service configurations according to different security requirements.
The above is the detailed content of Using Spring Security OAuth for secure authorization in Java API development. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to iterate over a Map in Java?
Jul 13, 2025 am 02:54 AM
There are three common methods to traverse Map in Java: 1. Use entrySet to obtain keys and values at the same time, which is suitable for most scenarios; 2. Use keySet or values to traverse keys or values respectively; 3. Use Java8's forEach to simplify the code structure. entrySet returns a Set set containing all key-value pairs, and each loop gets the Map.Entry object, suitable for frequent access to keys and values; if only keys or values are required, you can call keySet() or values() respectively, or you can get the value through map.get(key) when traversing the keys; Java 8 can use forEach((key,value)->
Java Optional example
Jul 12, 2025 am 02:55 AM
Optional can clearly express intentions and reduce code noise for null judgments. 1. Optional.ofNullable is a common way to deal with null objects. For example, when taking values ??from maps, orElse can be used to provide default values, so that the logic is clearer and concise; 2. Use chain calls maps to achieve nested values ??to safely avoid NPE, and automatically terminate if any link is null and return the default value; 3. Filter can be used for conditional filtering, and subsequent operations will continue to be performed only if the conditions are met, otherwise it will jump directly to orElse, which is suitable for lightweight business judgment; 4. It is not recommended to overuse Optional, such as basic types or simple logic, which will increase complexity, and some scenarios will directly return to nu.
Comparable vs Comparator in Java
Jul 13, 2025 am 02:31 AM
In Java, Comparable is used to define default sorting rules internally, and Comparator is used to define multiple sorting logic externally. 1.Comparable is an interface implemented by the class itself. It defines the natural order by rewriting the compareTo() method. It is suitable for classes with fixed and most commonly used sorting methods, such as String or Integer. 2. Comparator is an externally defined functional interface, implemented through the compare() method, suitable for situations where multiple sorting methods are required for the same class, the class source code cannot be modified, or the sorting logic is often changed. The difference between the two is that Comparable can only define a sorting logic and needs to modify the class itself, while Compar
How to fix java.io.NotSerializableException?
Jul 12, 2025 am 03:07 AM
The core workaround for encountering java.io.NotSerializableException is to ensure that all classes that need to be serialized implement the Serializable interface and check the serialization support of nested objects. 1. Add implementsSerializable to the main class; 2. Ensure that the corresponding classes of custom fields in the class also implement Serializable; 3. Use transient to mark fields that do not need to be serialized; 4. Check the non-serialized types in collections or nested objects; 5. Check which class does not implement the interface; 6. Consider replacement design for classes that cannot be modified, such as saving key data or using serializable intermediate structures; 7. Consider modifying
How to handle character encoding issues in Java?
Jul 13, 2025 am 02:46 AM
To deal with character encoding problems in Java, the key is to clearly specify the encoding used at each step. 1. Always specify encoding when reading and writing text, use InputStreamReader and OutputStreamWriter and pass in an explicit character set to avoid relying on system default encoding. 2. Make sure both ends are consistent when processing strings on the network boundary, set the correct Content-Type header and explicitly specify the encoding with the library. 3. Use String.getBytes() and newString(byte[]) with caution, and always manually specify StandardCharsets.UTF_8 to avoid data corruption caused by platform differences. In short, by
JavaScript Data Types: Primitive vs Reference
Jul 13, 2025 am 02:43 AM
JavaScript data types are divided into primitive types and reference types. Primitive types include string, number, boolean, null, undefined, and symbol. The values are immutable and copies are copied when assigning values, so they do not affect each other; reference types such as objects, arrays and functions store memory addresses, and variables pointing to the same object will affect each other. Typeof and instanceof can be used to determine types, but pay attention to the historical issues of typeofnull. Understanding these two types of differences can help write more stable and reliable code.
Java method references explained
Jul 12, 2025 am 02:59 AM
Method reference is a way to simplify the writing of Lambda expressions in Java, making the code more concise. It is not a new syntax, but a shortcut to Lambda expressions introduced by Java 8, suitable for the context of functional interfaces. The core is to use existing methods directly as implementations of functional interfaces. For example, System.out::println is equivalent to s->System.out.println(s). There are four main forms of method reference: 1. Static method reference (ClassName::staticMethodName); 2. Instance method reference (binding to a specific object, instance::methodName); 3.
What is the 'static' keyword in Java?
Jul 13, 2025 am 02:51 AM
InJava,thestatickeywordmeansamemberbelongstotheclassitself,nottoinstances.Staticvariablesaresharedacrossallinstancesandaccessedwithoutobjectcreation,usefulforglobaltrackingorconstants.Staticmethodsoperateattheclasslevel,cannotaccessnon-staticmembers,
