
I am using a Spring Boot application and I have REST controllers. I just started using OAuth 2.0 in Spring to secure my APIs. Here are the configuration classes that I have.

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String HU_REST_RESOURCE_ID = "rest_api";

    @Autowired
    DataSource dataSource;

    // Incoming bearer tokens are looked up in the oauth_access_token / oauth_refresh_token tables
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(false) keeps the HTTP session, so a session login can satisfy the
        // "!#oauth2.isOAuth() and hasRole('ROLE_USER')" branch below without a bearer token
        resources.resourceId(HU_REST_RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Define the URL patterns protected by OAuth2: /user/** needs either a token carrying
        // the 'read' scope or a non-OAuth (session) authentication that has ROLE_USER
        http
            .requestMatchers().antMatchers("/user/**")
            .and()
            .authorizeRequests()
                .antMatchers("/user/**")
                .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");
    }

}

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    // Used by the password grant to verify the resource owner's username/password
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
                .authorizedGrantTypes("password", "refresh_token")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(60)      // access tokens live 60 s (hence "expires_in": 59 below)
                .refreshTokenValiditySeconds(600)
            .and()
            // Despite its name, no .secret(...) is configured for this client, which is why the
            // token request below is accepted with client_id alone
            .withClient("my-trusted-client-with-secret")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_USER")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(60)
                .refreshTokenValiditySeconds(600);
    }

    // Access and refresh tokens are maintained in the database. The same bean name is declared in
    // OAuth2ResourceServerConfig; Spring Boot 1.x lets the later definition override the earlier
    // one, so a single shared JdbcTokenStore results. Declaring it once would be cleaner.
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Lets clients send client_id / client_secret as form parameters on /oauth/token
        // instead of the default HTTP Basic Authorization header
        oauthServer.allowFormAuthenticationForClients();
    }

}


import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;

@Configuration
public class GlobalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // Two hard-coded users; no PasswordEncoder is configured, so passwords are compared in plaintext.
        // roles("USER") is stored as the authority ROLE_USER, which the resource server checks with hasRole
        auth.inMemoryAuthentication()
            .withUser("user1").password("user1123").roles("USER")
            .and()
            .withUser("user2").password("user2123").roles("ADMIN");
    }
}

Now, when I hit the URL http://localhost:8080/oauth/token?grant_type=password&client_id=my-trusted-client-with-secret&username=user1&password=user1123 I get the following access token and refresh token:

{
    "access_token": "87379d65-6012-4484-ba6f-e4c61766ede3",
    "token_type": "bearer",
    "refresh_token": "8b0d0ae3-0855-4465-9d89-a1c31c031b8a",
    "expires_in": 59,
    "scope": "read write trust"
}

My question is: why would anyone pass the credentials as query parameters? Can we make a POST request and send the required parameters in an object in the POST request? If yes, how can I do it? My second question is: here I am using in-memory authentication, i.e. two users are hard-coded in the code. How can I make it check the database for user credentials?

Suraj h k
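As an added example (not part of the original question or answer), the same password-grant request sent as a POST with the parameters in an application/x-www-form-urlencoded body. RFC 6749 requires POST for the token endpoint, and Spring's /oauth/token accepts it. HTTPS encrypts the query string in transit, but the request line (and with it the query string) is what web servers, reverse proxies and browsers typically record in access logs and history, while a request body is not; that is the practical reason credentials belong in the body. The endpoint, client id and demo user are the ones from the question; the class name PasswordGrantClient is this example's own, and the client is registered without a secret, so none is sent.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Scanner;

/** Requests an access token with the password grant, credentials in the POST body. */
public class PasswordGrantClient {

    // Endpoint and client from the question. Use https:// for anything beyond local testing.
    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";
    private static final String CLIENT_ID = "my-trusted-client-with-secret";

    /** Percent-encodes each pair so that '&', '=' or '+' inside a password cannot corrupt the body. */
    static String formEncode(Map<String, String> params) throws IOException {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (body.length() > 0) body.append('&');
            body.append(URLEncoder.encode(e.getKey(), "UTF-8"))
                .append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return body.toString();
    }

    /** Returns the JSON token response, e.g. {"access_token":"...","token_type":"bearer",...}. */
    static String requestToken(String username, String password) throws IOException {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "password");
        // allowFormAuthenticationForClients() lets client_id travel as a form field; a client that
        // has a secret would add client_secret here or use an Authorization: Basic header instead
        params.put("client_id", CLIENT_ID);
        params.put("username", username);
        params.put("password", password);
        byte[] body = formEncode(params).getBytes(StandardCharsets.UTF_8);

        // The URL carries no parameters at all; everything sensitive is in the body
        HttpURLConnection conn = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Accept", "application/json");
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }

        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        String response = "";
        if (in != null) {
            try (Scanner s = new Scanner(in, StandardCharsets.UTF_8.name()).useDelimiter("\\A")) {
                response = s.hasNext() ? s.next() : "";
            }
        }
        if (status != 200) {
            throw new IOException("token request failed with HTTP " + status + ": " + response);
        }
        return response;
    }

    public static void main(String[] args) throws IOException {
        String username = args.length > 0 ? args[0] : "user1";
        // Prompt for the password rather than taking it as an argument, so it does not
        // end up in shell history or process listings either
        Console console = System.console();
        String password = console != null
            ? new String(console.readPassword("Password for %s: ", username))
            : "user1123"; // fallback for IDEs without a console, using the demo user from the question
        System.out.println(requestToken(username, password));
    }
}
```

Run it against the application from the question with `java PasswordGrantClient user1`; the response is the same JSON shown above, but the username and password never appear in the URL.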

1 Answer


When you use HTTPS (which you should), the complete query is encrypted before being sent over the network, as explained here: Are querystring parameters secure in HTTPS (HTTP + SSL)?

Regarding your second question, if you want Spring to check the authorized users from a database, you will have to create a class inheriting from UserDetailsManager (http://docs.spring.io/autorepo/docs/spring-security/4.0.3.RELEASE/apidocs/org/springframework/security/provisioning/UserDetailsManager.html).

You can then implement its different methods, especially loadUserByUsername(String username), which it inherits from UserDetailsService (used by the Spring authentication manager), with code that queries your database for the relevant data.

This other question describes how to add that manager to your Spring application: How to make a UserDetailsManager available as a bean

HaroldH
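To illustrate the answer's second point, here is an added example (not from the answer) of a UserDetailsService that loads users from the same DataSource the JdbcTokenStore already uses, wired in place of the in-memory users from the question. During the password grant the AuthenticationManager calls loadUserByUsername with the submitted username and then compares the submitted password against the stored hash. The tables app_user and app_user_role, their columns, and the class name JdbcUserDetailsService are assumptions for this example; adjust the two queries to your schema.

```java
import java.util.List;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Loads users from the database instead of the hard-coded list.
 * Assumed schema (an assumption of this example, not from the page):
 *   app_user(username VARCHAR PRIMARY KEY, password VARCHAR, enabled BOOLEAN)  -- password holds a BCrypt hash
 *   app_user_role(username VARCHAR REFERENCES app_user, role VARCHAR)          -- role holds e.g. 'ROLE_USER'
 */
class JdbcUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    JdbcUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        try {
            // Bound parameters keep the username from ever being interpreted as SQL
            return jdbc.queryForObject(
                "SELECT username, password, enabled FROM app_user WHERE username = ?",
                new Object[] { username },
                (rs, rowNum) -> {
                    String name = rs.getString("username");
                    List<GrantedAuthority> authorities = jdbc.query(
                        "SELECT role FROM app_user_role WHERE username = ?",
                        new Object[] { name },
                        (r, i) -> (GrantedAuthority) new SimpleGrantedAuthority(r.getString("role")));
                    // username, password hash, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities
                    return new User(name, rs.getString("password"), rs.getBoolean("enabled"),
                                    true, true, true, authorities);
                });
        } catch (EmptyResultDataAccessException e) {
            // DaoAuthenticationProvider reports this as BadCredentialsException by default,
            // so a caller cannot distinguish an unknown user from a wrong password
            throw new UsernameNotFoundException("no such user: " + username);
        }
    }
}

@Configuration
public class GlobalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    // Store BCrypt hashes in app_user.password; the encoder hashes the submitted password before comparing,
    // replacing the plaintext comparison of the in-memory setup
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new JdbcUserDetailsService(dataSource))
            .passwordEncoder(passwordEncoder());
    }
}
```

If you can use Spring Security's default users and authorities tables, its built-in JdbcUserDetailsManager does the same job without a custom class: `auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder())`. Either way the lookup runs against the DataSource the token store uses, so user records and tokens live in one database.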