I just announced the newSpring Security 5 modules (primarily focused on OAuth2) in the course:

>> CHECK OUT LEARN SPRING SECURITY

1. Overview

The Spring Cloud Security module provides features related to token-based security in Spring Boot applications.

Specifically, it makes OAuth2-based SSO easier – with support for relaying tokens between Resource Servers, as well as configuring downstream authentication using an embedded Zuul proxy.

In this quick article, we’ll have a look at how we can configure these features using a Spring Boot client application, an Authorization Server and a REST API working as a Resource Server.

Note that for this example, we only have one Client application that uses SSO to demonstrate the cloud security features – but in a typical scenario, we would have at least two client applications to justify the need for Single Sign-On.

2. Quick Start a Cloud Security App

Let’s start by configuring SSO in a Spring Boot application.

First, we need to add the spring-cloud-starter-oauth2 dependency:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
    <version>1.2.2.RELEASE</version>
</dependency>

This will also bring in the spring-cloud-starter-security dependency.

We can configure any social site as an Auth Server for our site or we can use our own server. In our case, we’ve chosen the latter option and configured an application that acts as an Authorization Server – which is deployed locally at http://localhost:7070/authserver.

Our authorization server uses JWT tokens.

Additionally, for any Client to be able to retrieve the credentials of a user, we need to configure our Resource Server, running on port 9000, with an endpoint which can serve these credentials.

Here, we’ve configured a /user endpoint that is available at http://localhost:9000/user.

For more details on how to set up an Authorization Server and a Resource Server, check out our previous article here.

We can now add the annotation in a configuration class in our Client application:

@Configuration
@EnableOAuth2Sso
public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {
 
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...    
    }
}

Any requests that require authentication will be redirected to the Authorization Server. For this to work we also have to define the server properties:

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:7070/authserver/oauth/token
      userAuthorizationUri: http://localhost:7070/authserver/oauth/authorize
      clientId: authserver
      clientSecret: passwordforauthserver
    resource:
      userInfoUri: http://localhost:9000/user

Note that we need to have spring-boot-starter-security in our classpath to find the above configuration working.

3. Relaying Access Tokens

While relaying a token, an OAuth2 Client forwards the OAuth2 token received by it to an outgoing resource request.

Since we’ve declared the @EnableOauth2Sso annotation, Spring Boot adds an OAuth2ClientContext bean in the request scope. Based on this, we can create our own OAuth2RestTemplate in our client application:

@Bean
public OAuth2RestOperations restOperations(
  OAuth2ProtectedResourceDetails resource, OAuth2ClientContext context) {
    return new OAuth2RestTemplate(resource, context);
}

Once we’ve configured the bean, the context will forward the access token to the requested services and will also refresh the token if it expires.

4. Relaying an OAuth Token Using the RestTemplate

We previously defined a restOperations bean of type OAuth2RestTemplate in our Client application. As a result, we can use the getForObject() method of OAuth2RestTemplate to send a request with the necessary tokens to a protected Resource server from our client.

First, let’s define an endpoint which requires authentication in our Resource Server:

@GetMapping("/person")
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){        
    return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");       
 }    

This is a simple REST endpoint that returns a JSON representation of a Person object.

Now, we can send a request from the Client application using the getForObject() method which will relay the token to the Resource Server:

@Autowired
private RestOperations restOperations;

@GetMapping("/personInfo")
public ModelAndView person() { 
    ModelAndView mav = new ModelAndView("personinfo");
    String personResourceUrl = "http://localhost:9000/person";
    mav.addObject("person", 
      restOperations.getForObject(personResourceUrl, String.class));       
    
    return mav;
}

5. Configuring Zuul for Token Relay

If we’d like to relay a token downstream to the proxy services, we can use Spring Cloud Zuul Embedded Reverse Proxy.

First, we need to add the Maven dependency for working with Zuul:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-zuul</artifactId>
</dependency>

Next, we need to add the @EnableZuulProxy annotation on to our configuration class in the Client application:

@Configuration
@EnableOAuth2Sso
@EnableZuulProxy
public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {
    //...
}

All that’s left to do is add the Zuul configuration properties to our application.yml file:

zuul:
  routes:
    resource:
      path: /api/**
      url: http://localhost:9000
    user: 
      path: /user/**
      url: http://localhost:9000/user

Any request coming to the /api endpoint of the Client application will be redirected to the Resource Server URL. We also need to provide the URL of the user credentials endpoint.

6. Conclusion

In this quick article, we explored how to use Spring Cloud Security with OAuth2 and Zuul to configure secured authorization and resource servers, as well as how to relay OAuth2 tokens between servers using Oauth2RestTemplate and Embedded Zuul Proxy.

As always, the code is available over on GitHub.

I just announced the new Spring Security 5 modules (primarily focused on OAuth2) in the course:

>> CHECK OUT LEARN SPRING SECURITY