
I started off looking at the OAuth2 starter project and minimal configuration.

https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/jdbc/src/main/java/demo/Application.java

All the examples either use in-memory configuration or JDBC configuration for storing client roles (e.g. ClientDetailsServiceConfigurer). In my case the details should come from LDAP. So I have two questions.

  1. How do I override the default to go to LDAP instead of memory or JDBC?
  2. In general, how do I unravel the Spring Boot thread, read the starter source code and change the default config? All I see is a high-level annotation.

org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer

This indirection in Spring Boot makes it extremely difficult to follow, and scant documentation doesn't help. Or maybe I am missing something?

Thanks!!! This has been bugging me for a while.
  • could this be of any help? http://stackoverflow.com/questions/30454480/spring-security-oauth2-2-0-7-refresh-token-userdetailsservice-configuration-us – alexbt Dec 31 '16 at 01:27
  • or this: "how to implement an OAuth2 authorization server using Spring Security. In particular, I will set up LDAP as the authentication manager": https://raymondhlee.wordpress.com/2015/12/05/oauth2-authorization-server-with-spring-security/ – alexbt Dec 31 '16 at 01:29
  • That answers it, thanks Alex. But in general, how do you follow Spring Boot code? How do I mark this answered? – JavaHead Dec 31 '16 at 03:37
  • You can't mark a comment as accepted, and honestly I feel it is too broad for me to actually post an answer. Perhaps you could post your final solution (add an answer yourself) and accept it! – alexbt Dec 31 '16 at 04:01
  • Not sure what you mean by "how do you follow Spring Boot code". – alexbt Dec 31 '16 at 04:02
  • So all of the OAuth2 server functionality is brought in by one annotation. I want to follow the request and see what components get invoked and when. I also want to know what I need to override in my production application. How do I do that? I'm also looking at Apache Oltu, and it is very straightforward, very procedural code. – JavaHead Dec 31 '16 at 05:37

1 Answer

To implement OAuth2 with LDAP, you may follow this tutorial: https://raymondhlee.wordpress.com/2015/12/05/oauth2-authorization-server-with-spring-security. You may also take a look at this other question: spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration - UserDetailsService is required (http://stackoverflow.com/questions/30454480/spring-security-oauth2-2-0-7-refresh-token-userdetailsservice-configuration-us).

As for your other question "I want to follow the request and see what components get invoked and when": I suggest you add logging.

(1) Add logging in every method

(2) Set log level for security package in application.properties:

logging.level.org.springframework.security=DEBUG

(3) Add CommonsRequestLoggingFilter:

// LOGGER is a logger field declared in the enclosing configuration class (not shown here)
@Bean
public CommonsRequestLoggingFilter requestLoggingFilter() {
    LOGGER.info("Creating CommonsRequestLoggingFilter");
    CommonsRequestLoggingFilter crlf = new CommonsRequestLoggingFilter();
    crlf.setIncludeClientInfo(true);
    crlf.setIncludeQueryString(true);
    crlf.setIncludePayload(true);
    return crlf;
}

(4) Add log level for CommonsRequestLoggingFilter (in application.properties):

logging.level.org.springframework.web.filter.CommonsRequestLoggingFilter=DEBUG

For the OAuth/LDAP tutorial, here are the notable parts (quoted from https://raymondhlee.wordpress.com/2015/12/05/oauth2-authorization-server-with-spring-security):

Authorization Server Configuration. Below is my implementation of the AuthorizationServerConfigurerAdapter. The database schema for JDBC client details and token services can be found here.

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private DataSource dataSource;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(new JdbcTokenStore(dataSource)).authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }
}

Login Security Configuration. Below is the security configuration handling user authorization.

@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE) // note 1
public class LoginConfig extends WebSecurityConfigurerAdapter {

      @Value("${ldap.domain}")
      private String DOMAIN;

      @Value("${ldap.url}")
      private String URL;

      @Override
      protected void configure(HttpSecurity http) throws Exception {
           http.requiresChannel().anyRequest().requiresSecure();

           // Only requests matching regex are handled by this security configurer
           http.requestMatchers().regexMatchers("/login", "/login.+", "/oauth/.+", "/j_spring_security_check", "/logout");

           AuthenticationEntryPoint entryPoint = entryPoint();
           http.exceptionHandling().authenticationEntryPoint(entryPoint);
           http.formLogin(); // note 3i
           http.addFilter(usernamePasswordAuthenticationFilter());
           http.authorizeRequests().antMatchers("/login").permitAll();
           http.authorizeRequests().antMatchers("/oauth/**").authenticated();
           http.authorizeRequests().antMatchers("/j_spring_security_check").anonymous().and().csrf().disable();

      }

      @Override
      protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception { // note 4
           authManagerBuilder.parentAuthenticationManager(authenticationManager());
      }

      protected AuthenticationManager authenticationManager() {
           return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
      }

      public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
           ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(DOMAIN, URL);
           provider.setConvertSubErrorCodesToExceptions(true);
           provider.setUseAuthenticationRequestCredentials(true);
           return provider;
      }

      private AuthenticationEntryPoint entryPoint() {
           return new LoginUrlAuthenticationEntryPoint("/login");
      }

      private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() {
           UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
           filter.setAuthenticationManager(authenticationManager()); // missing ')' in the quoted snippet
           AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler("/login?login_error=true");
           filter.setAuthenticationFailureHandler(failureHandler);
           return filter;
      }
}
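The answer's logging steps are a quick way to see which filters run, but with setIncludePayload(true) the plain CommonsRequestLoggingFilter writes the full form body of POST /oauth/token to the log, which is where the resource owner's password and the client_secret travel. The following is an added example (not the answerer's code, and not part of the quoted tutorial) of the same tracing set-up with the credential-bearing parameters masked and the filter limited to the authorization server endpoints and to an opt-in profile. The profile name "trace", the class names and the masking regex are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.web.filter.CommonsRequestLoggingFilter;

/**
 * Hypothetical subclass of CommonsRequestLoggingFilter. createMessage() builds the
 * "before"/"after" lines (client info, query string, cached payload); this override
 * masks password= and client_secret= values before the line reaches the log.
 * The logger name is this class's FQCN, so enable it with
 * logging.level.<your.package>.RedactingRequestLoggingFilter=DEBUG
 */
class RedactingRequestLoggingFilter extends CommonsRequestLoggingFilter {

    // assumed: form bodies and query strings are application/x-www-form-urlencoded
    private static final String SECRET_PARAM = "(password|client_secret)=[^&\\]\\s]*";

    @Override
    protected String createMessage(HttpServletRequest request, String prefix, String suffix) {
        String message = super.createMessage(request, prefix, suffix);
        return message.replaceAll(SECRET_PARAM, "$1=***");
    }
}

// Added example configuration (not from the original answer).
@Configuration
@Profile("trace") // assumption: only active with --spring.profiles.active=trace, never by default
public class RequestTraceConfig {

    @Bean
    public FilterRegistrationBean requestTraceFilter() {
        RedactingRequestLoggingFilter filter = new RedactingRequestLoggingFilter();
        filter.setIncludeClientInfo(true);
        filter.setIncludeQueryString(true);
        filter.setIncludePayload(true);
        filter.setMaxPayloadLength(1024); // a large body must not flood the log
        filter.setBeforeMessagePrefix("OAUTH TRACE before [");
        filter.setAfterMessagePrefix("OAUTH TRACE after [");

        // Register ahead of the Spring Security filter chain (so the "before" line
        // appears before any security filter logs) and only for the endpoints the
        // quoted LoginConfig handles; other traffic is not logged at all.
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.addUrlPatterns("/oauth/*", "/login", "/j_spring_security_check");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With logging.level.org.springframework.security=DEBUG set as in the answer, each request then shows up as one "OAUTH TRACE before" line, the FilterChainProxy's own per-filter debug lines (which list every security filter the request passes through, in order), and one "OAUTH TRACE after" line, which is the sequence the question wanted to follow.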
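The quoted tutorial keeps client details in JDBC (clients.jdbc(dataSource)) and uses LDAP only for user authentication, whereas the question's first point was to read the client details themselves from LDAP. The hook for that is ClientDetailsServiceConfigurer.withClientDetails(...), which accepts any ClientDetailsService. Below is an added example (not the answerer's or the tutorial's code) of a ClientDetailsService backed by Spring LDAP's LdapTemplate. The LDAP object class oauthClient, the oauth* attribute names, the "ou=oauthClients" base and the presence of an LdapTemplate bean are all assumptions; the client secret is assumed to be stored as a BCrypt hash, so the authorization server is given a matching PasswordEncoder.

```java
import java.util.List;

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

/** Added example: ClientDetailsService that reads OAuth2 client registrations from LDAP. */
class LdapClientDetailsService implements ClientDetailsService {

    private final LdapTemplate ldap;
    private final String clientBase; // assumed: "ou=oauthClients", relative to the template's base DN

    LdapClientDetailsService(LdapTemplate ldap, String clientBase) {
        this.ldap = ldap;
        this.clientBase = clientBase;
    }

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
        // Assumed custom schema: objectClass oauthClient, cn = client_id, and the oauth*
        // attributes hold comma-separated values in the form BaseClientDetails expects.
        // LdapQueryBuilder escapes filter metacharacters in clientId, so a caller-supplied
        // id cannot widen the search filter.
        List<ClientDetails> matches = ldap.search(
                LdapQueryBuilder.query().base(clientBase)
                        .where("objectClass").is("oauthClient")
                        .and("cn").is(clientId),
                new AttributesMapper<ClientDetails>() {
                    @Override
                    public ClientDetails mapFromAttributes(Attributes attrs) throws NamingException {
                        BaseClientDetails details = new BaseClientDetails(
                                value(attrs, "cn"),
                                value(attrs, "oauthResourceIds"),
                                value(attrs, "oauthScopes"),
                                value(attrs, "oauthGrantTypes"),
                                value(attrs, "oauthAuthorities"));
                        // BCrypt hash of the secret; compared by the PasswordEncoder configured below
                        details.setClientSecret(value(attrs, "oauthClientSecret"));
                        return details;
                    }
                });
        if (matches.isEmpty()) {
            throw new NoSuchClientException("No client with id " + clientId);
        }
        if (matches.size() > 1) {
            throw new ClientRegistrationException("Client id is not unique: " + clientId);
        }
        return matches.get(0);
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        Attribute attr = attrs.get(name);
        return attr == null ? "" : (String) attr.get(); // BaseClientDetails treats "" as "not set"
    }
}

@Configuration
@EnableAuthorizationServer
public class LdapAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private DataSource dataSource;
    @Autowired private LdapTemplate ldapTemplate; // assumed to be defined as a bean elsewhere

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // replaces clients.jdbc(dataSource) from the quoted tutorial
        clients.withClientDetails(new LdapClientDetailsService(ldapTemplate, "ou=oauthClients"));
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // client_secret presented at /oauth/token is checked against the stored hash
        security.passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(new JdbcTokenStore(dataSource)).authenticationManager(authenticationManager);
    }
}
```

The user side stays as in the quoted LoginConfig: ActiveDirectoryLdapAuthenticationProvider still authenticates resource owners, while this class only changes where the authorization server looks up the client that presents client_id and client_secret.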