Securing resources using Spring Security with OAuth

1. Introduction

In this tutorial, we will check out how to use Spring Security with OAuth to secure the admin resources on the server based on the path pattern (/api/**). We have also configured a second path pattern (/oauth/token), which the configured authorization server uses to generate the access token. Note that we will be using the Password Grant Type in this demo application.

Before we move on with the implementation, let’s recap on the events involved with this grant type.

2. Resource Owner Password Credentials Grant Type

[Figure: OAuth - Password Grant Type]

  • Used between trusted applications.
  • The user (Resource Owner) shares the credentials directly with the client application. The client then asks the Authorization Server for an access token; the Authorization Server authenticates the user credentials, authorizes the user for the limited resources on the server, and returns the token.

Useful Links

3. Implementation

Make sure the required pom entries are properly added to the pom.xml file.

pom.xml

web.xml

Update the web.xml file to load the context files and configure the Spring Security filter, which will redirect the request for authentication and authorization before processing it.

mvc-dispatcher-servlet.xml

Since we are using admin JSP files, we have configured the corresponding view resolver for them.

Now let’s configure the Spring Security OAuth in its context file.

spring-security.xml

We have configured /oauth/token URL for issuing access and refresh tokens and /api/** maps to the actual protected resources on the server. Hence to access any URL matching the pattern /api/**, a valid token needs to be passed along with the request.

Authentication Manager is the container where the authentication happens. In our case, the authentication manager checks –

  • Whether the user is authenticated.
  • Whether the user has requested the correct client-id.
  • If the client-id is valid, whether the user is authorized to use it to access the admin profile on the server.

Refer to the below snippet –

Once the user is authenticated, the authorization server calls the tokenServices and issues the access token.

While specifying the clients, note the grant type we have specified, which is password.
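The three checks listed above, plus the grant-type restriction on the client, modelled in plain Python as an added example (this is not the tutorial's code and not the Spring Security OAuth API). It reuses the demo's values, client `fbApp` with secret `fbApp` and user `admin` with password `123`; the second user `guest`, the role names, the opaque token format and the one-hour lifetime are assumptions. Error codes follow the `error` values that an OAuth 2.0 token endpoint returns.

```python
"""In-memory stand-in for the password-grant authorization server and the
/api/** resource rule. Added example; not the tutorial's code."""
import hmac
import re
import secrets
import time

# Constructed client store, the role of <oauth:client-details-service>.
# A real deployment stores a hashed secret, not the plaintext shown here.
CLIENTS = {
    "fbApp": {
        "secret": "fbApp",
        "grant_types": {"password", "refresh_token"},
        "authorities": {"ROLE_ADMIN"},   # roles this client may act for
    },
}
# Constructed user store, the role of the in-memory user service.
USERS = {
    "admin": {"password": "123", "roles": {"ROLE_ADMIN"}},
    "guest": {"password": "guest", "roles": {"ROLE_USER"}},  # assumption
}
PROTECTED = re.compile(r"^/api/.*")   # the /api/** path pattern
TOKENS = {}                           # opaque token -> {user, client, expires}


def _eq(stored, presented):
    """Constant-time comparison that tolerates a missing parameter."""
    return hmac.compare_digest(str(stored), str(presented or ""))


def issue_token(client_id, client_secret, grant_type, username, password,
                ttl=3600):
    """The /oauth/token endpoint: returns a token response or an error dict."""
    # Check 2: the request names a known client with the right secret.
    client = CLIENTS.get(client_id)
    if client is None or not _eq(client["secret"], client_secret):
        return {"error": "invalid_client"}
    # The client must be configured for this grant type.
    if grant_type not in client["grant_types"]:
        return {"error": "unauthorized_client"}
    # Check 1: the resource owner's credentials authenticate.
    user = USERS.get(username)
    if user is None or not _eq(user["password"], password):
        return {"error": "invalid_grant"}
    # Check 3: the user holds a role this client is allowed to use.
    if not user["roles"] & client["authorities"]:
        return {"error": "access_denied"}
    # tokenServices: issue an opaque token and remember who it belongs to.
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"user": username, "client": client_id,
                     "expires": time.time() + ttl}
    return {"access_token": token, "token_type": "bearer", "expires_in": ttl}


def access_resource(path, token):
    """Resource server: /api/** needs a valid, unexpired token; other paths
    are open. Returns the HTTP status the request would get."""
    if not PROTECTED.match(path):
        return 200
    entry = TOKENS.get(token)
    if entry is None or entry["expires"] < time.time():
        return 401
    return 200


if __name__ == "__main__":
    resp = issue_token("fbApp", "fbApp", "password", "admin", "123")
    print(resp)
    print("/api/admin ->", access_resource("/api/admin", resp["access_token"]))
    print("/api/admin without token ->", access_resource("/api/admin", None))
```

Each branch returns a distinct error, so a log of token-endpoint failures tells an operator whether a client secret, a grant type or a user password is being guessed.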

Once the access token has been issued, we can access the protected resources on the server passing it along with every request. Let’s finally take a look at the Spring Controller we have written –

DemoController.java

4. Running the application

To run the application, let’s start with requesting the access token from the authorization server –

http://localhost:8080/SpringSecurityOAuth/oauth/token?grant_type=password&client_id=fbApp&client_secret=fbApp&username=admin&password=123

Once the access token is generated, we are ready to pass it along with every subsequent request for the protected resources on the server.

http://localhost:8080/SpringSecurityOAuth/api/admin?access_token=5c0c1a28-9603-4818-9ebb-6014600c3de9

[Figure: OAuth - Request with Access Token]
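The two requests above as a small Python client, added here as an example and not part of the tutorial. It targets the tutorial's base URL, client and user credentials, but sends the client credentials as HTTP Basic authentication and the user credentials in a POST body, and presents the token in an `Authorization: Bearer` header rather than in the query string, so that secrets and tokens do not end up in access logs, proxy logs or browser history. The function names and the assumption that the token endpoint accepts Basic client authentication (the default for Spring Security OAuth's `/oauth/token`) are this example's, not the page's.

```python
"""Client for the password grant flow. Added example; not the tutorial's code."""
import base64
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/SpringSecurityOAuth"   # from the tutorial


def token_request(client_id, client_secret, username, password):
    """Build the POST /oauth/token request: client credentials in Basic auth,
    resource owner credentials in the form body, nothing in the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        BASE + "/oauth/token",
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def resource_request(path, access_token):
    """Build a GET for a protected /api/** path with the bearer token header."""
    return urllib.request.Request(
        BASE + path,
        headers={"Authorization": "Bearer " + access_token},
    )


def send(req):
    """Send a request and return (status, body text)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    status, body = send(token_request("fbApp", "fbApp", "admin", "123"))
    token = json.loads(body)["access_token"]
    print("token endpoint:", status)
    print("/api/admin:", send(resource_request("/api/admin", token)))
```

Run it with the demo application started on port 8080; the first call should return a JSON body with `access_token`, `token_type`, `refresh_token` and `expires_in`, and the second the admin view.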

5. Download the code
