Secure REST Service with OAuth2 Tokens

1. Introduction

In this tutorial, we will see how to use Spring Security with OAuth2 to secure a REST service. In the demo application, the secured REST resources on the server are accessible under the path pattern (/api/**), so request URLs based on this path are mapped to different controller methods. This means that –

  • Any REST request URL without ‘/api’ in the path will be invalid, as it won’t match any of the controller mappings.
  • After the required OAuth2 configuration is done, any REST request URL without a token as a parameter will be unauthorized.

We have also configured another path pattern (/oauth/token), which the configured authorization server uses to generate the access token. Note that we will be using the Password Grant Type in this demo application.

Before we move on with the implementation, let’s recap on the events involved with this grant type.


2. Resource Owner Password Credentials Grant Type

OAuth - Password Grant Type

  • Used between trusted applications.
  • The user (Resource Owner) shares the credentials directly with the client application, which requests the Authorization Server to return the access token after successfully authenticating the user credentials and further authorizing the user to access limited resources on the server.

Useful Links

3. Implementation

Make sure the required pom entries are properly added to the pom.xml file.

pom.xml

web.xml

Update the web.xml file to load the context files and configure the Spring Security filter, which will redirect the request for authentication and authorization before processing it.

mvc-dispatcher-servlet.xml

Since we are using admin JSP files, we have configured the corresponding view resolver for them.

Now let’s configure the Spring Security OAuth in its context file.

spring-security.xml

We have configured /oauth/token URL for issuing access and refresh tokens and /api/** maps to the actual protected resources on the server. Hence to access any URL matching the pattern /api/**, a valid token needs to be passed along with the request.

The Authentication Manager is the container where authentication happens. In our case, the authentication manager checks –

  • Whether the user is authenticated.
  • Whether the user has requested the correct client-id.
  • If the client-id is valid, whether the user is authorized to use it to access the admin profile on the server.

Refer to the below snippet –

Once the user is authenticated, the authorization server calls the tokenServices and issues the access token.

While specifying the clients, note the grant type we have specified, which is password.

Once the access token has been issued, we can access the protected resources on the server passing it along with every request. Let’s finally take a look at the Spring Controller we have written –

EmployeeController.java

4. Running the application

To run the application, let’s start with requesting the access token from the authorization server –

http://localhost:8080/SecureRESTWithOAuth/oauth/token?grant_type=password&client_id=fbApp&client_secret=fbApp&username=admin&password=123

Once the access token is generated, we are ready to pass it along with every subsequent request for the protected resources on the server.

http://localhost:8080/SecureRESTWithOAuth/api/Employee/abhimanyu?access_token=7792b077-7ae0-427e-8170-8b1440e5fefd
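The flow described in sections 3 and 4, as an added example that is not the tutorial's Spring code: a small Python stand-in for the authorization server's /oauth/token endpoint (the three Authentication Manager checks, then token issuance by a token store playing the role of tokenServices) and for the resource server's check that everything under /api/** carries a valid access_token. The user admin/123, the client fbApp/fbApp, the context path /SecureRESTWithOAuth and the /api/Employee/{name} URL are taken from the tutorial's request URLs; the second client webApp, the second user guest, the ROLE_ADMIN role name and the one-hour token lifetime are constructed assumptions.

```python
"""Simulated OAuth2 password grant: authorization-server checks, token issuance
and token validation on /api/** (added example, not the tutorial's code)."""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlsplit

CONTEXT_PATH = "/SecureRESTWithOAuth"   # from the tutorial's request URLs
TOKEN_TTL_SECONDS = 3600                # assumed lifetime of an access token


def pw_hash(password: str, salt: bytes) -> bytes:
    # Passwords are kept as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": pw_hash(password, salt), "roles": roles}


# Constructed sample data: admin/123 and fbApp/fbApp match the tutorial's token request.
USERS = {
    "admin": make_user("123", {"ROLE_ADMIN"}),
    "guest": make_user("guest", {"ROLE_USER"}),   # authenticates, but is not an admin
}
CLIENTS = {
    "fbApp": {"secret": "fbApp", "grant_types": {"password"}},
    "webApp": {"secret": "webApp", "grant_types": {"authorization_code"}},  # no password grant
}


class TokenStore:
    """In-memory stand-in for tokenServices: opaque tokens mapped to their owner and expiry."""

    def __init__(self):
        self._tokens = {}

    def issue(self, username: str, client_id: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable; encodes nothing about the user
        self._tokens[token] = {"user": username, "client": client_id,
                               "exp": time.time() + TOKEN_TTL_SECONDS}
        return token

    def lookup(self, token: str):
        entry = self._tokens.get(token)
        if entry is None or entry["exp"] <= time.time():
            return None                      # unknown or expired counts as no token
        return entry

    def expire(self, token: str) -> None:
        # Test hook: push a token past its lifetime.
        if token in self._tokens:
            self._tokens[token]["exp"] = 0


def _eq(expected: str, given: str) -> bool:
    return hmac.compare_digest(expected.encode(), given.encode())


def token_endpoint(store: TokenStore, params: dict):
    """/oauth/token for grant_type=password; returns (status, body)."""
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    # Check: the client-id must exist, present its secret, and be allowed the password grant.
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None or not _eq(client["secret"], params.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    if "password" not in client["grant_types"]:
        return 401, {"error": "unauthorized_client"}
    # Check: the resource owner's credentials must verify (constant-time hash comparison).
    user = USERS.get(params.get("username", ""))
    if user is None or not hmac.compare_digest(
            user["pw_hash"], pw_hash(params.get("password", ""), user["salt"])):
        return 400, {"error": "invalid_grant"}
    # Check: the authenticated user must hold the role the admin profile requires.
    if "ROLE_ADMIN" not in user["roles"]:
        return 403, {"error": "access_denied"}
    token = store.issue(params["username"], params["client_id"])
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL_SECONDS}


def resource_endpoint(store: TokenStore, url: str):
    """Resource-server side: every URL under /api/** needs a valid access_token."""
    parts = urlsplit(url)
    if not parts.path.startswith(CONTEXT_PATH + "/"):
        return 404, {"error": "not_found"}
    path = parts.path[len(CONTEXT_PATH):]
    if not path.startswith("/api/"):
        return 404, {"error": "not_found"}       # no controller mapping outside /api/**
    token = parse_qs(parts.query).get("access_token", [""])[0]
    entry = store.lookup(token) if token else None
    if entry is None:
        return 401, {"error": "unauthorized"}    # missing, unknown or expired token
    segments = path.split("/")                   # ['', 'api', 'Employee', '<name>']
    if len(segments) == 4 and segments[2] == "Employee" and segments[3]:
        return 200, {"employee": segments[3], "accessed_by": entry["user"]}
    return 404, {"error": "not_found"}


def demo():
    """Section 4 end to end: obtain a token, then fetch /api/Employee/abhimanyu with it."""
    store = TokenStore()
    _, body = token_endpoint(store, {"grant_type": "password", "client_id": "fbApp",
                                     "client_secret": "fbApp", "username": "admin", "password": "123"})
    url = f"http://localhost:8080{CONTEXT_PATH}/api/Employee/abhimanyu?access_token={body['access_token']}"
    return resource_endpoint(store, url)
```

The resource side reads access_token from the query string because that is how the tutorial's URLs carry it; query strings are routinely written to server, proxy and browser logs, so the Authorization: Bearer header is the usual place for the token, and the same applies to the client_secret and password in the token request.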

Secure REST with OAuth2

5. Download the code
