Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:


1. Overview

The Spring Cloud Security module provides features related to token-based security in Spring Boot applications.

Specifically, it makes OAuth2-based SSO easier – with support for relaying tokens between Resource Servers, as well as configuring downstream authentication using an embedded Zuul proxy.

In this quick article, we’ll have a look at how we can configure these features using a Spring Boot client application, an Authorization Server and a REST API working as a Resource Server.

Note that for this example, we only have one Client application that uses SSO to demonstrate the cloud security features – but in a typical scenario, we would have at least two client applications to justify the need for Single Sign-On.

2. Quick Start a Cloud Security App

Let’s start by configuring SSO in a Spring Boot application.

First, we need to add the spring-cloud-starter-oauth2 dependency:


This will also bring in the spring-cloud-starter-security dependency.

We can configure any social site as an Auth Server for our site or we can use our own server. In our case, we’ve chosen the latter option and configured an application that acts as an Authorization Server – which is deployed locally at http://localhost:7070/authserver.

Our authorization server uses JWT tokens.

Additionally, for any Client to be able to retrieve the credentials of a user, we need to configure our Resource Server, running on port 9000, with an endpoint which can serve these credentials.

Here, we’ve configured a /user endpoint that is available at http://localhost:9000/user.

For more details on how to set up an Authorization Server and a Resource Server, check out our previous article here.

We can now add the annotation in a configuration class in our Client application:

public class SiteSecurityConfigurer {
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // ...   
        // ... 

Any requests that require authentication will be redirected to the Authorization Server. For this to work we also have to define the server properties:

            client-id: authserver
            client-secret: passwordforauthserver
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            token-uri: http://localhost:7070/authserver/oauth/token
            authorization-uri: http://localhost:7070/authserver/oauth/authorize
            user-info-uri: http://localhost:9000/user

Note that we need to have spring-boot-starter-security in our classpath to find the above configuration working.

3. Relaying Access Tokens

While relaying a token, an OAuth2 Client forwards the OAuth2 token received by it to an outgoing resource request.

Spring Security exposes an OAuth2AuthorizedClientService, which is useful for creating RestTemplate interceptors  Based on this, we can create our own RestTemplate in our client application:

public RestOperations restTemplate(OAuth2AuthorizedClientService clientService) {
    return new RestTemplateBuilder().interceptors((ClientHttpRequestInterceptor) 
        (httpRequest, bytes, execution) -> {
        OAuth2AuthenticationToken token = 
        OAuth2AuthorizedClient client = 
                .add(HttpHeaders.AUTHORIZATION, "Bearer " + client.getAccessToken()
        return execution.execute(httpRequest, bytes);

Once we’ve configured the bean, the context will forward the access token to the requested services and will also refresh the token if it expires.

4. Relaying an OAuth Token Using the RestTemplate

We previously defined a restOperations bean of type RestTemplate in our Client application. As a result, we can use the getForObject() method of RestTemplate to send a request with the necessary tokens to a protected Resource server from our client.

First, let’s define an endpoint which requires authentication in our Resource Server:

@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){        
    return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");       

This is a simple REST endpoint that returns a JSON representation of a Person object.

Now, we can send a request from the Client application using the getForObject() method which will relay the token to the Resource Server:

private RestOperations restOperations;

public ModelAndView person() { 
    ModelAndView mav = new ModelAndView("personinfo");
    String personResourceUrl = "http://localhost:9000/person";
      restOperations.getForObject(personResourceUrl, String.class));       
    return mav;

5. Configuring Zuul for Token Relay

If we’d like to relay a token downstream to the proxy services, we can use Spring Cloud Zuul Embedded Reverse Proxy.

First, we need to add the Maven dependency for working with Zuul:


Next, we need to add the @EnableZuulProxy annotation on to our configuration class in the Client application:

public class SiteSecurityConfigurer {
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // ...   
        // ... 

All that’s left to do is add the Zuul configuration properties to our application.yml file:

  sensitiveHeaders: Cookie,Set-Cookie  
      path: /api/**
      url: http://localhost:9000
      path: /user/**
      url: http://localhost:9000/user

Any request coming to the /api endpoint of the Client application will be redirected to the Resource Server URL. We also need to provide the URL of the user credentials endpoint.

6. Conclusion

In this quick article, we explored how to use Spring Cloud Security with OAuth2 and Zuul to configure secured authorization and resource servers, as well as how to relay OAuth2 tokens between servers using RestTemplate and Embedded Zuul Proxy.

As always, the code is available over on GitHub.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.