π announcement - icon
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITYeBook β Guide Spring Cloud β NPI EA (cat=Spring Cloud)
eBook β Mockito β NPI EA (tag = Mockito)
π announcement - icon
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
eBook β Java Concurrency β NPI EA (cat=Java Concurrency)
π announcement - icon
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
eBook β Reactive β NPI EA (cat=Reactive)
π announcement - icon
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
eBook β Java Streams β NPI EA (cat=Java Streams)
π announcement - icon
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
eBook β Jackson β NPI EA (cat=Jackson)
eBook β HTTP Client β NPI EA (cat=Http Client-Side)
eBook β Maven β NPI EA (cat = Maven)
eBook β Persistence β NPI EA (cat=Persistence)
eBook β RwS β NPI EA (cat=Spring MVC)
Course β LS β NPI EA (cat=Jackson)
π announcement - icon
Get started with Spring and Spring Boot, through the Learn Spring course:
>> LEARN SPRINGCourse β RWSB β NPI EA (cat=REST)
π announcement - icon
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Course β LSS β NPI EA (cat=Spring Security)
π announcement - icon
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Course β LSD β NPI EA (tag=Spring Data JPA)
π announcement - icon
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Partner β Moderne β NPI EA (cat=Spring Boot)
π announcement - icon
Refactor Java code safely β and automatically β with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. Thatβs where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions β one for newcomers and one for experienced users. Youβll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Course β LJB β NPI EA (cat = Core Java)
1. Overview
The Spring Cloud Security module provides features related to token-based security in Spring Boot applications.
Specifically, it makes OAuth2-based SSO easier β with support for relaying tokens between Resource Servers, as well as configuring downstream authentication using an embedded Zuul proxy.
In this quick article, weβll have a look at how we can configure these features using a Spring Boot client application, an Authorization Server and a REST API working as a Resource Server.
Note that for this example, we only have one Client application that uses SSO to demonstrate the cloud security features β but in a typical scenario, we would have at least two client applications to justify the need for Single Sign-On.
2. Quick Start a Cloud Security App
Letβs start by configuring SSO in a Spring Boot application.
First, we need to add the spring-cloud-starter-oauth2 dependency:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<version>2.2.2.RELEASE</version>
</dependency>This will also bring in the spring-cloud-starter-security dependency.
We can configure any social site as an Auth Server for our site or we can use our own server. In our case, weβve chosen the latter option and configured an application that acts as an Authorization Server β which is deployed locally at http://localhost:7070/authserver.
Our authorization server uses JWT tokens.
Additionally, for any Client to be able to retrieve the credentials of a user, we need to configure our Resource Server, running on port 9000, with an endpoint which can serve these credentials.
Here, weβve configured a /user endpoint that is available at http://localhost:9000/user.
For more details on how to set up an Authorization Server and a Resource Server, check out our previous article here.
We can now add the annotation in a configuration class in our Client application:
@Configuration
public class SiteSecurityConfigurer {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.oauth2Login();
// ...
}
}Any requests that require authentication will be redirected to the Authorization Server. For this to work we also have to define the server properties:
spring:
security:
oauth2:
client:
registration:
baeldung:
client-id: authserver
client-secret: passwordforauthserver
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
provider:
baeldung:
token-uri: http://localhost:7070/authserver/oauth/token
authorization-uri: http://localhost:7070/authserver/oauth/authorize
user-info-uri: http://localhost:9000/userNote that we need to have spring-boot-starter-security in our classpath to find the above configuration working.
3. Relaying Access Tokens
While relaying a token, an OAuth2 Client forwards the OAuth2 token received by it to an outgoing resource request.
Spring Security exposes an OAuth2AuthorizedClientService, which is useful for creating RestTemplate interceptors Based on this, we can create our own RestTemplate in our client application:
@Bean
public RestOperations restTemplate(OAuth2AuthorizedClientService clientService) {
return new RestTemplateBuilder().interceptors((ClientHttpRequestInterceptor)
(httpRequest, bytes, execution) -> {
OAuth2AuthenticationToken token =
OAuth2AuthenticationToken.class.cast(SecurityContextHolder.getContext()
.getAuthentication());
OAuth2AuthorizedClient client =
clientService.loadAuthorizedClient(token.getAuthorizedClientRegistrationId(),
token.getName());
httpRequest.getHeaders()
.add(HttpHeaders.AUTHORIZATION, "Bearer " + client.getAccessToken()
.getTokenValue());
return execution.execute(httpRequest, bytes);
}).build();
}Once weβve configured the bean, the context will forward the access token to the requested services and will also refresh the token if it expires.
4. Relaying an OAuth Token Using the RestTemplate
We previously defined a restOperations bean of type RestTemplate in our Client application. As a result, we can use the getForObject() method of RestTemplate to send a request with the necessary tokens to a protected Resource server from our client.
First, letβs define an endpoint which requires authentication in our Resource Server:
@GetMapping("/person")
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){
return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");
}
This is a simple REST endpoint that returns a JSON representation of a Person object.
Now, we can send a request from the Client application using the getForObject() method which will relay the token to the Resource Server:
@Autowired
private RestOperations restOperations;
@GetMapping("/personInfo")
public ModelAndView person() {
ModelAndView mav = new ModelAndView("personinfo");
String personResourceUrl = "http://localhost:9000/person";
mav.addObject("person",
restOperations.getForObject(personResourceUrl, String.class));
return mav;
}5. Configuring Zuul for Token Relay
If weβd like to relay a token downstream to the proxy services, we can use Spring Cloud Zuul Embedded Reverse Proxy.
First, we need to add the Maven dependency for working with Zuul:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-zuul</artifactId>
</dependency>Next, we need to add the @EnableZuulProxy annotation on to our configuration class in the Client application:
@EnableZuulProxy
@Configuration
public class SiteSecurityConfigurer {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.oauth2Login();
// ...
}
}All thatβs left to do is add the Zuul configuration properties to our application.yml file:
zuul:
sensitiveHeaders: Cookie,Set-Cookie
routes:
resource:
path: /api/**
url: http://localhost:9000
user:
path: /user/**
url: http://localhost:9000/userAny request coming to the /api endpoint of the Client application will be redirected to the Resource Server URL. We also need to provide the URL of the user credentials endpoint.
6. Conclusion
In this quick article, we explored how to use Spring Cloud Security with OAuth2 and Zuul to configure secured authorization and resource servers, as well as how to relay OAuth2 tokens between servers using RestTemplate and Embedded Zuul Proxy.
The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
