[JAVA] SSO with GitHub OAuth in Spring Boot 1.5.x environment

Thing you want to do

I want to realize single sign-on (SSO) by OAuth 2.0 in Spring Boot 1.5.15 environment. I want to use GitHub OAuth as an authorization server.

environment

Spring Boot 1.5.15 + JDK 1.8 + Maven

About the technology used

Spring Security Web https://spring.io/projects/spring-security Provides a Security Filter Chain between the client and the web application. Each Filter allows filtering such as access denial for unauthenticated users. Security Filter Chain is managed by Filter Chain Proxy.

Spring Security settings inherit the default setting class called WebSecurityConfigurerAdapter and override the necessary ones.

Official reference https://docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html

SecurityConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration //Automatically load configuration class
@EnableWebSecurity //Enable Spring Security
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(WebSecurity web) throws Exception {
        //Describe the Filter Chain Proxy settings (≒ overall settings) in the WebSecurity method chain
        ...
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //Describe Filter Chain settings (≒ detailed settings) in the HttpSecurity method chain
        ...
    }
}

To use user information in Thymeleaf, use thymeleaf-extras-spring security. https://github.com/thymeleaf/thymeleaf-extras-springsecurity

OAuth2.0 https://tools.ietf.org/html/rfc6749 https://openid-foundation-japan.github.io/rfc6749.ja.html

A framework for authorization (AuthZ). There are four characters in OAuth 2.0: ** user **, ** authorization server **, ** resource server **, and ** client **. The ** user ** authorizes the ** client ** to use the resources on the ** resource server ** through the ** authorization server **.

The following articles are summarized in a very easy-to-understand manner. https://qiita.com/busyoumono99/items/1092fdc64d5a64d021d5

SSO with OAuth 2.0

In OAuth2.0, authentication (Authentication, AuthN) can be realized by acquiring user information from the resource server and collating it. For SSO with GitHub OAuth

• ** User = Person **
• ** Authorization server = GitHub **
• ** Resource server = GitHub **
• ** Client = Web application **

It becomes.

To use with Spring Security, use Spring Security OAuth. ʻThe resource settings are described insecurity.oauth2.resource. *of application.properties, and the client settings are described in security.oauth2.client. * `. https://spring.io/projects/spring-security-oauth

Implementation

The resource URI is / demo.

pom.xml#dependencies

	<dependencies>
		<!-- Web application -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-thymeleaf</artifactId>
		</dependency>
		<!-- OAuth2.0 SSO -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security.oauth</groupId>
			<artifactId>spring-security-oauth2</artifactId>
		</dependency>
		<dependency>
			<groupId>org.thymeleaf.extras</groupId>
			<artifactId>thymeleaf-extras-springsecurity4</artifactId>
		</dependency>
		<!-- Lombok -->
		<dependency>
			<groupId>org.projectlombok</groupId>
			<artifactId>lombok</artifactId>
			<optional>true</optional>
		</dependency>
	</dependencies>

DemoApplication.java

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {
	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}
}

DemoController.java

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DemoController {
    @GetMapping("/")
    public String home() {
        return "home";
    }
}

home.html

<html xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<meta charset="utf-8"/>
<title>Home</title>
</head>
<body>
  <h1>Hello, <span sec:authentication="name"></span></h1>
</body>
</html>

SecurityConfig.java

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated(); //Login required to access all URIs
    }
}

application.properties

#Note that up to line breaks are considered values

server.port=8080
server.context-path=/demo

#OAuth2 client (this application) settings

#Client credentials
security.oauth2.client.client-id=${DEMO__GITHUB_OAUTH_CLIENT_ID}
security.oauth2.client.client-secret=${DEMO__GITHUB_OAUTH_CLIENT_SECRET}
#Access token acquisition URI
security.oauth2.client.access-token-uri=https://github.com/login/oauth/access_token
#Authorization URI
security.oauth2.client.user-authorization-uri=https://github.com/login/oauth/authorize
#Authentication schema
security.oauth2.client.client-authentication-scheme=form

#OAuth2 resource server (GitHub) settings

#User information acquisition URI
security.oauth2.resource.user-info-uri=https://api.github.com/user
#Get user information from resources instead of access tokens
security.oauth2.resource.prefer-token-info=false

#Setting up SSO with OAuth2

#SSO login URL (redirect URI when not authenticated)
security.oauth2.sso.login-path=/login

I was addicted to

• In application.properties, it is regarded as a comment line when the beginning of the line is # or !. It is not possible to write a comment after a value like key = value # comment.
• spring-security-oauth2-autoconfigure cannot be used in Spring Boot 1 system.