task #6118
Closed
evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2
100%
Description
spring-security-oauth and Spring-Cloud-Security bring OAuth2 to Spring applications.
- OAuth2 in general is provided by spring-security-oauth
- For full details, see the Spring Security OAuth 2 Developers Guide
- The oauth2-authorization-server feature as supported by spring-boot: http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server
- spring-cloud-security provides the client side authentication feature for a distributed environment with support for proxying the requests.
OAuth2
OAuth2 security threats and considerations
- rfc6819 - OAuth 2.0 Threat Model and Security Considerations
- http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Specification details
The OAuth2 specification (rfc6749) defines four (six) grant types:
rfc6749 section | grant_type | implemented and tested in cdmlib |
---|---|---|
4.1. Authorization Code Grant | grant_type=authorization_code | OK |
4.2. Implicit Grant | grant_type=implicit | OK |
4.3. Resource Owner Password Credentials Grant | grant_type=password | undesirable |
4.4. Client Credentials Grant | grant_type=client_credentials | see #6248 |
4.5. Extension Grants (extensibility mechanism for defining additional types) | not needed | |
6. Refreshing an Access Token | grant_type=refresh_token | TODO |
When using the implicit or password grant type it is strongly required that the communication is secured by TLS/SSL. TLS/SSL can be enforced in spring-security-oauth. --> #6232
Test requests for exercising the various grant types during development are found in OAuth2-test.sh.
Example implementations
The reference implementation is found at github: spring-projects/spring-security-oauth, where the samples/oauth2/sparklr project is the most relevant for us. This is an example for the password grant type: http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/
Usage scenarios
Dataportal as OAuth2 Client using grant_type=authorization_code
Dataportal as OAuth2 Client using grant_type=implicit
Notes
spring-security-oauth
The following endpoints are required in the Spring Security filter chain in order to implement an OAuth 2.0 Authorization Server:
- AuthorizationEndpoint is used to service requests for authorization. Default URL: /oauth/authorize. This endpoint should be protected using Spring Security so that it is only accessible to authenticated users, for instance using a standard Spring Security WebSecurityConfigurer:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().antMatchers("/login").permitAll().and()
        // default protection for all resources (including /oauth/authorize)
        .authorizeRequests()
            .anyRequest().hasRole("USER");
    // ... more configuration, e.g. for form login
}
```

Note: if your Authorization Server is also a Resource Server then there is another security filter chain with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above (see configuring-the-endpoint-urls).
- TokenEndpoint is used to service requests for access tokens. Default URL: /oauth/token.
The following filter is required to implement an OAuth 2.0 Resource Server:
- The OAuth2AuthenticationProcessingFilter is used to load the Authentication for the request given an authenticated access token.
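As an added example (not code from the cdmlib project, from the Spring Security OAuth guide, or from the attached OAuth2-test.sh), the following wires together what this section and the grant-type table above describe in spring-security-oauth2 2.x: an Authorization Server that only allows the grant types marked OK for the browser client and client_credentials for a machine client, TLS enforcement for both /oauth/token (sslOnly) and /oauth/authorize (requiresChannel), and a Resource Server chain that claims only the /manage/** API so that the user-facing chain never matches those paths. Client ids, secrets, scopes, the redirect URI and the resource id are assumptions; the only page-derived path is /manage/**.

```java
// Added example, not project code. Three configuration classes in one file for
// brevity; client ids, secrets, scopes, redirect URI and resource id are assumed.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // browser-facing data portal: the two grant types marked OK above plus
            // refresh_token; the "password" grant is deliberately not authorized
            .withClient("dataportal")                                   // assumed client id
                .secret("{noop}CHANGEME-dataportal-secret")             // placeholder; "{noop}" is the Spring Security 5 encoder id
                .authorizedGrantTypes("authorization_code", "implicit", "refresh_token")
                .scopes("read", "write")
                .redirectUris("https://dataportal.example.org/oauth2/callback") // assumed
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(86400)
            .and()
            // machine client for /manage/** (cf. #6248): client_credentials only
            .withClient("manage-bot")                                   // assumed client id
                .secret("{noop}CHANGEME-bot-secret")                    // placeholder
                .authorizedGrantTypes("client_credentials")
                .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .sslOnly()                            // /oauth/token only over TLS
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }
}

@Configuration
@EnableResourceServer
class ManageApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("cdm-remote");       // assumed resource id
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // This chain (which contains the OAuth2AuthenticationProcessingFilter)
        // claims only /manage/**; every other request falls through to the
        // user-facing chain below, so the two chains never compete for a path.
        http
            .requestMatchers().antMatchers("/manage/**").and()
            .authorizeRequests().anyRequest().authenticated();
    }
}

@Configuration
class UserFacingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // TLS for the user-facing chain too, which is where /oauth/authorize
            // (and therefore the implicit grant's token in the fragment) lives
            .requiresChannel().anyRequest().requiresSecure().and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin();
    }
}
```

With this split, a bearer token presented to /manage/** is validated by the resource server chain, while a browser hitting /oauth/authorize is sent through form login first; a plain-HTTP request to either /oauth/token or /oauth/authorize is refused rather than silently accepted.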
Anonymous Authentication
It is useful in cases where you don't want to skip authentication for pages that should behave differently for authenticated and unauthenticated users (see spring-security 4.1.3.RELEASE #anonymous). It is configured automatically when using the WebSecurityConfigurerAdapter. By default anonymous users are represented by a token containing the role "ROLE_ANONYMOUS".
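As an added illustration (not code from the cdmlib project), the following controller shows what "behave differently" looks like in practice: the anonymous filter installs an AnonymousAuthenticationToken carrying ROLE_ANONYMOUS, and AuthenticationTrustResolver tells it apart from a real login. The controller, its path and its messages are assumptions; note that the path must be permitAll() in the WebSecurityConfigurerAdapter, because the anyRequest().hasRole("USER") rule from the configuration above would reject the anonymous token before this handler runs.

```java
// Added example, not project code. Path and messages are assumed.
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LandingController {

    // isAnonymous() is true for the AnonymousAuthenticationToken (ROLE_ANONYMOUS)
    // that the anonymous filter places in the SecurityContext
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    // requires .antMatchers("/").permitAll() in the user-facing filter chain
    @GetMapping("/")
    public String landing() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || trustResolver.isAnonymous(auth)) {
            // auth.getName() would be "anonymousUser" here, so do not treat it as a user
            return "Welcome, guest. Log in to see more.";
        }
        return "Welcome, " + auth.getName() + ".";
    }
}
```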
Updated by Andreas Kohlbecker over 7 years ago
- Status changed from New to In Progress
Updated by Andreas Kohlbecker over 7 years ago
- Subject changed from evaluate spring-cloud-security as a framework for OAuth2 to evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2
- Description updated (diff)
Updated by Andreas Kohlbecker over 7 years ago
- File OAuth2-test.sh added
Adding shell script to test different authentication modes.
Updated by Andreas Kohlbecker over 7 years ago
- File OAuth2-test.sh added
- Assignee changed from Andreas Müller to Andreas Kohlbecker
Updating the development test script to the latest implementation.
Updated by Andreas Kohlbecker over 7 years ago
- File OAuth2-sequence-diagram-DataPortal.png added
- Description updated (diff)
Updated by Andreas Kohlbecker over 7 years ago
- File OAuth2-sequence-diagram-DataPortal.png added
- Description updated (diff)
Updated by Andreas Kohlbecker over 7 years ago
- File deleted (OAuth2-sequence-diagram-DataPortal.png)
Updated by Andreas Müller over 7 years ago
- Target version changed from Release 4.4 to Release 4.5
Updated by Andreas Kohlbecker over 7 years ago
- Copied to task #6125: Implement tests for OAuth2 in cdmlib-remote added
Updated by Andreas Kohlbecker over 7 years ago
- Status changed from In Progress to Closed
- Target version changed from Release 4.5 to Release 4.4
- % Done changed from 0 to 100
Updated by Andreas Kohlbecker over 7 years ago
- Copied to feature request #6232: secure OAuth2 grant types 'implicit' or 'password' by TSL/SSL. added
Updated by Andreas Kohlbecker over 7 years ago
- Related to bug #6248: allow machine clients to access /manage/* OAuth2 protected web services added
Updated by Andreas Kohlbecker about 7 years ago
- Related to feature request #6332: cdm-dataportal as oauth2 client of cdm-remote instances added
Updated by Andreas Kohlbecker about 3 years ago
- Tags changed from security to security, OAuth2