I want to implement single sign-on (SSO) with OAuth 2.0 in a Spring Boot 1.5.15 environment, using GitHub OAuth as the authorization server.
Spring Boot 1.5.15 + JDK 1.8 + Maven
Spring Security Web https://spring.io/projects/spring-security
Provides a Security Filter Chain between the client and the web application. Each Filter performs one specific check, such as denying access to unauthenticated users. The Security Filter Chain is managed by the FilterChainProxy.
Spring Security is configured by extending the default configuration class WebSecurityConfigurerAdapter and overriding only the methods you need.
Official reference https://docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html
SecurityConfig.java
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration     // Automatically loaded as a configuration class
@EnableWebSecurity // Enable Spring Security
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // configure(WebSecurity) is declared public in WebSecurityConfigurerAdapter,
    // so the override must be public as well (protected would not compile)
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Describe the FilterChainProxy settings (≒ overall settings) in the WebSecurity method chain
        // ...
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Describe the Filter Chain settings (≒ detailed settings) in the HttpSecurity method chain
        // ...
    }
}
```
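As an added example (not code from the article), here is the same adapter with both methods filled in, to show which kind of rule belongs at which level. The URL patterns, static-resource locations and logout settings are assumptions for illustration.

```java
// Added example, not from the article: a WebSecurityConfigurerAdapter with both
// configure() methods filled in. Paths and resource locations are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    // FilterChainProxy level: requests matching these patterns bypass the security
    // filter chain entirely (no authentication, no security headers), so keep the
    // list to genuinely public static files.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/favicon.ico");
    }

    // Filter Chain level: per-request authorization rules, CSRF and logout.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/error").permitAll()  // public landing and error pages
                .anyRequest().authenticated()             // everything else needs a login
                .and()
            .csrf()                                       // on by default; shown explicitly
                .and()
            .logout()
                .logoutUrl("/logout")                     // POST only while CSRF is enabled
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}
```

The split matters for security: anything listed under `web.ignoring()` never enters the filter chain, so it gets neither authentication nor the default security headers, whereas `permitAll()` inside `configure(HttpSecurity)` still runs the full chain and merely skips the authorization check.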
To use user information in Thymeleaf templates, use thymeleaf-extras-springsecurity. https://github.com/thymeleaf/thymeleaf-extras-springsecurity
OAuth2.0 https://tools.ietf.org/html/rfc6749 https://openid-foundation-japan.github.io/rfc6749.ja.html
A framework for authorization (AuthZ). There are four roles in OAuth 2.0: the **user** (resource owner), the **authorization server**, the **resource server**, and the **client**. The **user** authorizes the **client**, via the **authorization server**, to use resources on the **resource server**.
The following article summarizes this very clearly. https://qiita.com/busyoumono99/items/1092fdc64d5a64d021d5
In OAuth 2.0, authentication (AuthN) can be implemented on top of this by obtaining the user's information from the resource server and verifying it. For SSO with GitHub OAuth, GitHub acts as both the authorization server and the resource server (the user-info endpoint), and this application is the client.
To use this with Spring Security, use Spring Security OAuth. https://spring.io/projects/spring-security-oauth
The resource server settings are described under `security.oauth2.resource.*` in application.properties, and the client settings under `security.oauth2.client.*`.
The resource URI of the application is `/demo` (set via `server.context-path`).
pom.xml#dependencies
```xml
<dependencies>
    <!-- Web application -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <!-- OAuth2.0 SSO -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    </dependency>
    <!-- Lombok -->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
</dependencies>
```
DemoApplication.java
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
```
DemoController.java
```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DemoController {
    @GetMapping("/")
    public String home() {
        return "home";
    }
}
```
home.html
```html
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="utf-8"/>
    <title>Home</title>
</head>
<body>
    <h1>Hello, <span sec:authentication="name"></span></h1>
</body>
</html>
```
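home.html only renders the principal name. As an added example (not code from the article), the controller below shows how to reach the rest of the GitHub user information behind the SSO login and hand it to a Thymeleaf view. The view name `profile` and the model attribute names are assumptions; `login` and `id` are fields of GitHub's `/user` response. It also assumes Spring Boot 1.5's `UserInfoTokenServices`, which stores the parsed user-info response as the details of the inner user authentication.

```java
// Added example, not from the article: expose the GitHub user behind the SSO login
// to a Thymeleaf view. View name and attribute names are assumptions; "login" and
// "id" are fields of GitHub's /user response. Assumes UserInfoTokenServices stores
// the parsed user-info map as the details of the inner user authentication.
import java.util.Collections;
import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class ProfileController {

    @GetMapping("/profile")
    public String profile(Authentication authentication, Model model) {
        Map<String, Object> userInfo = userInfo(authentication);
        // getName() is the value UserInfoTokenServices picked as the principal;
        // for GitHub that is the "login" field, the same value home.html renders.
        model.addAttribute("login", authentication.getName());
        // The numeric id survives account renames, so it is the safer key for
        // anything the application persists per user.
        model.addAttribute("githubId", userInfo.get("id"));
        return "profile";
    }

    // Returns the parsed user-info response, or an empty map when the request was
    // not authenticated through OAuth2 SSO (so callers never see a ClassCastException).
    static Map<String, Object> userInfo(Authentication authentication) {
        if (!(authentication instanceof OAuth2Authentication)) {
            return Collections.emptyMap();
        }
        Object details = ((OAuth2Authentication) authentication)
                .getUserAuthentication().getDetails();
        if (!(details instanceof Map)) {
            return Collections.emptyMap();
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) details;
        return map;
    }
}
```

In the `profile` template the values are then available as `${login}` and `${githubId}`; treat them as untrusted input from the resource server and let Thymeleaf's default escaping handle them (`th:text`, not `th:utext`).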
SecurityConfig.java
```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().authenticated(); // Login required to access all URIs
    }
}
```
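`anyRequest().authenticated()` admits any GitHub account, because the user-info lookup only proves that the visitor owns some GitHub login. As an added example (not code from the article), the configuration below restricts access to an allowlist of GitHub logins by granting `ROLE_MEMBER` through Spring Boot 1.5's `AuthoritiesExtractor` hook, which `UserInfoTokenServices` calls with the parsed response of `security.oauth2.resource.user-info-uri`. The allowlisted login names are constructed placeholders.

```java
// Added example, not from the article: only allowlisted GitHub logins may use the
// application. The login names are constructed placeholders. Assumes Spring Boot
// 1.5's AuthoritiesExtractor bean is picked up by UserInfoTokenServices.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class AllowlistSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed placeholder logins; a real deployment would load these from
    // configuration rather than hard-code them.
    private static final Set<String> ALLOWED_LOGINS =
            new HashSet<>(Arrays.asList("example-admin", "example-dev"));

    // Called once per login with the parsed /user response from GitHub.
    @Bean
    public AuthoritiesExtractor allowlistAuthoritiesExtractor() {
        return AllowlistSecurityConfig::authoritiesFor;
    }

    // Grants ROLE_MEMBER only when GitHub's "login" field is on the allowlist.
    // Everyone else is still authenticated (a session exists) but holds no role.
    static List<GrantedAuthority> authoritiesFor(Map<String, Object> userInfo) {
        Object login = userInfo.get("login");
        if (login instanceof String && ALLOWED_LOGINS.contains(login)) {
            return AuthorityUtils.createAuthorityList("ROLE_MEMBER");
        }
        return Collections.emptyList();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login**", "/error").permitAll() // SSO entry point stays reachable
                .anyRequest().hasRole("MEMBER");                // others receive 403 after login
    }
}
```

A login that is not on the list completes the GitHub round trip but then receives 403 on every protected URL, which is the behaviour to look for when verifying the rule: an authenticated session without `ROLE_MEMBER`, not a redirect back to the authorization server.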
application.properties
```properties
# Note: everything up to the line break is treated as part of the value
server.port=8080
server.context-path=/demo

# OAuth2 client (this application) settings
# Client credentials (injected from environment variables, never committed)
security.oauth2.client.client-id=${DEMO__GITHUB_OAUTH_CLIENT_ID}
security.oauth2.client.client-secret=${DEMO__GITHUB_OAUTH_CLIENT_SECRET}
# Access token acquisition URI
security.oauth2.client.access-token-uri=https://github.com/login/oauth/access_token
# Authorization URI
security.oauth2.client.user-authorization-uri=https://github.com/login/oauth/authorize
# How the client authenticates to the token endpoint (form parameters rather than HTTP Basic)
security.oauth2.client.client-authentication-scheme=form

# OAuth2 resource server (GitHub) settings
# User information acquisition URI
security.oauth2.resource.user-info-uri=https://api.github.com/user
# Use the user-info endpoint rather than a token-info endpoint to establish the user
security.oauth2.resource.prefer-token-info=false

# SSO with OAuth2 settings
# SSO login path (redirect target when not authenticated)
security.oauth2.sso.login-path=/login
```
Comment lines start with `#` or `!`. It is not possible to write a comment after a value, as in `key=value # comment`; the `# comment` part would become part of the value.