Tags: spring-security, oauth-2.0, spring-oauth2, openid-connect

Spring OAuth2 XML configuration for Client and Resource Server


Can anyone help me with a very basic XML configuration to make my Spring application act as an OAuth2/OIDC resource server as well as a client?

What I have?

A Spring Web MVC application with Spring Security LDAP authentication.

What I want to achieve?

  1. If a user tries to access any resource (e.g. index.html) in my application, he should be asked for his credentials (can be a popup or a redirect to a login page).
  2. The application should connect to a third-party authorization server and get the OAuth2 access token and refresh token.
  3. Once the access token is received, the application should create the session and serve the resource asked for in the first step.
  4. When the user clicks logout or the session expires, the flow starts again from the first step.

What I have tried so far?

I have tried this with Spring Boot and OIDC, but I am looking for a good reference for achieving the above with XML configuration. Please note that I cannot use Spring Boot or any Java configuration.

Any ideas or suggestions on how to start all this?

Thanks.


Solution

  • First, I must say that you can find good examples in Spring's OAuth samples section.

    Anyhow, I created an oAuth-sample-project (GitHub) when I played with it a while back, so here are the interesting parts. Take into account that you have to learn a bit from the docs and drill into the code... but I think it is a good starting point.

    The client XML:

    <!-- "sec" is the Spring Security namespace, "oauth" the spring-security-oauth2 namespace
         (http://www.springframework.org/schema/security/oauth2); both must be declared on <beans> -->
    <sec:http authentication-manager-ref="authenticationManager">
        <!-- only /secure/** needs a logged-in user; everything else is served anonymously -->
        <sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
        <sec:anonymous/>
    
        <!-- local form login for the client application itself -->
        <sec:form-login 
            login-page="/login/login.htm" 
            authentication-failure-url="/login/login.htm?login_error=1" />
    
        <!-- OAuth2ClientContextFilter: must sit after EXCEPTION_TRANSLATION_FILTER so that it wraps
             the rest of the chain and can turn a UserRedirectRequiredException (thrown by an
             OAuth2RestTemplate that has no token yet) into a redirect to the authorization server -->
        <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
    </sec:http>
    
    
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider user-service-ref="userDetailsService"/>
    </sec:authentication-manager>
    
    <!-- in-memory user with a plaintext password: sample only, never for a real deployment -->
    <sec:user-service id="userDetailsService">
        <sec:user name="admin"  password="admin"  authorities="ROLE_USER,ROLE_ADMIN" />
    </sec:user-service>
    
    
    
    <!-- creates the OAuth2ClientContextFilter referenced by the custom-filter above -->
    <oauth:client   id="oauth2ClientFilter" />
    
    
    <!-- client registration for the sample's own authorization server (authorization-code grant);
         client id, secret and endpoint URLs are resolved from a properties file, which is where
         secrets belong -->
    <oauth:resource id="butkecResource"
                    type="authorization_code"
                    client-id="${oauth2.client.id}"
                    client-secret="${oauth2.client.secret}"
                    access-token-uri="${oauth2.client.accessTokenUri}"
                    user-authorization-uri="${oauth2.client.userAuthorizationUri}"
                    scope="read"/>
    
    <!-- define an oauth2 resource for facebook. according to the facebook docs, the 'client-id' is the App ID, and the 'client-secret' 
         is the App Secret. The literal values below are the sample's; in your own config keep
         the App Secret in a properties file as above, not in the XML -->
    <oauth:resource id="facebook" 
        type="authorization_code" 
        client-id="233668646673605" 
        client-secret="33b17e044ee6a4fa383f46ec6e28ea1d"
        authentication-scheme="query" 
        access-token-uri="https://graph.facebook.com/oauth/access_token" 
        user-authorization-uri="https://www.facebook.com/dialog/oauth"
        token-name="oauth_token" 
        client-authentication-scheme="form" />
    
    

    The full snippet is here.

    The resource server XML:

    <!-- public paths: no security filter chain at all -->
    <security:http pattern="/index.html" security="none"/>
    <security:http pattern="/browse" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    
    <!-- everything else requires a valid bearer token; the OAuth2 entry point answers
         401/403 with a WWW-Authenticate header instead of redirecting to a login page -->
    <security:http  entry-point-ref="oauthAuthenticationEntryPoint"     
                    access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <!-- OAuth2AuthenticationProcessingFilter: extracts the bearer token and authenticates it,
             placed before PRE_AUTH_FILTER so the token is resolved before access decisions -->
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
        <security:anonymous />
    </security:http>
    ...
    ...
    <!-- creates the resource server filter; token validation is delegated to tokenServices -->
    <oauth:resource-server id="resourceServerFilter" 
                        token-services-ref="tokenServices" />
    
    
    <!-- DefaultTokenServices looks tokens up in a TokenStore shared with the authorization server;
         for a third-party authorization server you would use RemoteTokenServices instead -->
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" >
        <property name="tokenStore" ref="tokenStore" />
    </bean>
    
    
    <!-- the sample's own TokenStore implementation -->
    <bean id="tokenStore" class="com.ohadr.oauth.resource_server.token.MyTokenStore" />
    
    
    <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="butkec" />
    </bean>
    
    

    The file can be found here.

    I think this is not the place to explain every bit and byte, but again, the Spring docs have great explanations (I managed to learn it all from there...)
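The answer's two snippets come from separate sample applications and validate tokens against a local TokenStore. The question asks for one application that authenticates the browser user against a third-party authorization server and also accepts bearer tokens. The configuration below, an added example and not code from the original answer or from the Spring samples, wires both roles into a single context using only elements that ship with spring-security-oauth2 (OAuth2ClientAuthenticationProcessingFilter for login, RemoteTokenServices for validation against the authorization server's check_token endpoint). Bean ids, URL paths (/login, /api/**), the resource id "myapp", and the oauth2.* property keys are assumptions; the authorization server must expose a check_token endpoint for RemoteTokenServices to work.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original answer): one context acting as OAuth2 client
     (browser login via a third-party authorization server) and as resource server
     (bearer-token API). Bean ids, paths and property keys are assumed names. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security        http://www.springframework.org/schema/security/spring-security.xsd
         http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
         http://www.springframework.org/schema/context         http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Client id, secret and endpoint URLs live in a properties file kept out of source
         control, never as literals in the XML (assumed file name and keys). -->
    <context:property-placeholder location="classpath:oauth2.properties"/>

    <!-- ===== client side: how this app obtains tokens (question steps 1-3) ===== -->

    <!-- Registration of this app at the third-party authorization server, authorization-code grant.
         "openid" scope is what makes the authorization server issue an OIDC login. -->
    <oauth:resource id="idp" type="authorization_code"
                    client-id="${oauth2.client.id}"
                    client-secret="${oauth2.client.secret}"
                    access-token-uri="${oauth2.client.accessTokenUri}"
                    user-authorization-uri="${oauth2.client.userAuthorizationUri}"
                    scope="openid profile"
                    client-authentication-scheme="header"/>

    <!-- Session-scoped OAuth2RestTemplate: keeps the user's access and refresh token in the HTTP
         session and throws UserRedirectRequiredException while it has no token yet. -->
    <oauth:rest-template id="idpRestTemplate" resource="idp"/>

    <!-- OAuth2ClientContextFilter: turns that exception into the redirect to the authorization server. -->
    <oauth:client id="oauth2ClientFilter"/>

    <!-- Validates an access token by calling the authorization server's check_token endpoint and
         builds the user's Authentication from the response. Shared by login and API chains. -->
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
        <property name="checkTokenEndpointUrl" value="${oauth2.client.checkTokenUri}"/>
        <property name="clientId" value="${oauth2.client.id}"/>
        <property name="clientSecret" value="${oauth2.client.secret}"/>
    </bean>

    <!-- Login filter at /login: first visit triggers the redirect above; the callback
         /login?code=... is exchanged for tokens, the access token is validated through
         tokenServices and a session is created (the filter carries its own no-op
         AuthenticationManager, so none needs to be injected). -->
    <bean id="ssoFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
        <constructor-arg value="/login"/>
        <property name="restTemplate" ref="idpRestTemplate"/>
        <property name="tokenServices" ref="tokenServices"/>
    </bean>

    <!-- Unauthenticated browser requests are sent to /login, which starts the flow. -->
    <bean id="loginEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login"/>
    </bean>

    <!-- ===== resource server side: requests carrying "Authorization: Bearer ..." ===== -->

    <oauth:resource-server id="resourceServerFilter" resource-id="myapp" token-services-ref="tokenServices"/>

    <bean id="oauthEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="myapp"/>
    </bean>

    <!-- API chain: stateless, bearer tokens only, never a redirect to a login page.
         Declared first because pattern-specific chains must precede the catch-all one.
         <csrf disabled="true"/> is for Spring Security 4.x (CSRF on by default); drop it on 3.x. -->
    <sec:http pattern="/api/**" create-session="stateless" use-expressions="true" entry-point-ref="oauthEntryPoint">
        <sec:intercept-url pattern="/api/**" access="isAuthenticated()"/>
        <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <sec:csrf disabled="true"/>
    </sec:http>

    <!-- Browser chain: static files open, everything else needs a logged-in session. The client
         context filter must come before ssoFilter in the chain so it can catch its redirect
         exception. Logout invalidates the session, so the next request restarts at step 1. -->
    <sec:http use-expressions="true" entry-point-ref="loginEntryPoint">
        <sec:intercept-url pattern="/js/**" access="permitAll"/>
        <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
        <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
        <sec:custom-filter ref="ssoFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <sec:logout logout-url="/logout" logout-success-url="/" invalidate-session="true"/>
    </sec:http>

    <!-- The XML namespace still requires an authentication-manager even though ssoFilter never
         consults it; the questioner's existing LDAP provider would be declared here. The
         in-memory user is a placeholder only. -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider user-service-ref="userDetailsService"/>
    </sec:authentication-manager>
    <sec:user-service id="userDetailsService">
        <sec:user name="placeholder" password="change-me" authorities="ROLE_USER"/>
    </sec:user-service>
</beans>
```

Two things to check before relying on this: the session-scoped rest template needs a RequestContextListener (or the Spring dispatcher) registered in web.xml so the session scope is available inside the filter chain, and the redirect URI registered at the authorization server must match the /login callback exactly. Tokens are never written to a local store here; if the check_token call fails, the bearer request gets a 401 from oauthEntryPoint and the browser flow is sent back to /login, which is the behaviour step 4 of the question asks for.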