
task #6118

evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2

Added by Andreas Kohlbecker almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
New
Category:
cdmlib
Target version:
Start date:
10/11/2016
Due date:
% Done:

100%

Severity:
normal
Tags:

Description

spring-security-oauth and Spring-Cloud-Security bring OAuth2 to Spring applications.

OAuth2

OAuth2 security threats and considerations

Specification details

The OAuth2 specification (rfc6749) defines four grant types; the table below has six rows because it also lists the extension mechanism and the refresh-token exchange:

rfc6749 section                                   | grant_type                     | implemented and tested in cdmlib
--------------------------------------------------|--------------------------------|---------------------------------
4.1. Authorization Code Grant                     | grant_type=authorization_code  | OK
4.2. Implicit Grant                               | grant_type=implicit            | OK
4.3. Resource Owner Password Credentials Grant    | grant_type=password            | undesirable
4.4. Client Credentials Grant                     | grant_type=client_credentials  | see #6248
4.5. Extension Grants (mechanism for defining additional types) | -                | not needed
6. Refreshing an Access Token                     | grant_type=refresh_token       | TODO

When using implicit or password it is strongly required that the communication is secured by TLS/SSL, since the token (or the user's password) travels in the request or response. TLS/SSL can be enforced in spring-security-oauth. --> #6232
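The table and the TLS note above together describe what the Authorization Server configuration should allow. The following is an added example, not cdmlib code and not code from the spring-security-oauth project, of a spring-security-oauth2 AuthorizationServerConfigurerAdapter that registers clients only for the grant types marked OK or referenced above (authorization_code, implicit, refresh_token, and client_credentials for a machine client as in #6248), authorizes no client for password, and enforces TLS on the user-facing filter chain with requiresChannel(). The user-facing chain is also restricted with a request matcher to non-API paths, as the note on the WebSecurityConfigurer below advises. Client ids, secrets, redirect URIs, scope names, token lifetimes and the /manage/ path convention are constructed placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/** Added example: Authorization Server allowing only the grant types the table marks as OK. */
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Browser-facing confidential client (e.g. a dataportal): authorization_code plus
            // refresh_token, bound to one exact redirect URI so codes cannot be delivered elsewhere.
            .withClient("dataportal")                        // placeholder client id
                .secret("dataportal-secret")                 // placeholder; externalise in production
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read")
                .redirectUris("https://dataportal.example.org/oauth2/callback") // placeholder
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(3600)
            .and()
            // Public (JavaScript) client: implicit grant, short-lived tokens, no secret, no refresh.
            .withClient("dataportal-js")
                .authorizedGrantTypes("implicit")
                .scopes("read")
                .redirectUris("https://dataportal.example.org/")
                .accessTokenValiditySeconds(600)
            .and()
            // Machine client (see #6248): client_credentials only, no user context, short tokens.
            .withClient("harvester")
                .secret("harvester-secret")
                .authorizedGrantTypes("client_credentials")
                .scopes("manage")
                .accessTokenValiditySeconds(300);
        // grant_type=password is deliberately authorized for no client (marked undesirable above).
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // Token endpoint accepts form-posted client credentials as well as HTTP Basic;
        // /oauth/check_token requires an authenticated caller.
        security.allowFormAuthenticationForClients()
                .checkTokenAccess("isAuthenticated()");
    }
}

/** Main user-facing chain: protects /oauth/authorize, forces HTTPS, leaves API paths alone. */
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles everything except the token-protected API under /manage/.
            .requestMatchers().regexMatchers("^(?!/manage/).*")
            .and()
            // TLS for every request this chain handles, which covers the implicit flow redirects.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            .authorizeRequests().antMatchers("/login").permitAll()
                .anyRequest().hasRole("USER")
            .and()
            .formLogin().loginPage("/login").permitAll();
    }
}
```

The refresh-token lifetime is intentionally longer than the access-token lifetime for the confidential client only; the implicit client receives no refresh tokens because a public client cannot keep them secret.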

Test requests for the various grant types, used during development, are found in the attached OAuth2-test.sh.

Example implementations

The reference implementation is found at github: spring-projects/spring-security-oauth, where the samples/oauth2/sparklr project is the most relevant for us. An example for the password grant type: http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/

Usage scenarios

Dataportal as OAuth2 Client using grant_type=authorization_code

Dataportal as OAuth2 Client using grant_type=implicit

Notes

spring-security-oauth

The following endpoints are required in the Spring Security filter chain in order to implement an OAuth 2.0 Authorization Server:

  • AuthorizationEndpoint is used to service requests for authorization. Default URL: /oauth/authorize. This endpoint should be protected using Spring Security so that it is only accessible to authenticated users. For instance, using a standard Spring Security WebSecurityConfigurer:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/login").permitAll().and()
            // default protection for all resources (including /oauth/authorize)
            .authorizeRequests()
                .anyRequest().hasRole("USER")
            // ... more configuration, e.g. for form login
            .and().formLogin().loginPage("/login").permitAll();
    }

Note: if your Authorization Server is also a Resource Server then there is another security filter chain with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above. (see configuring-the-endpoint-urls)

  • TokenEndpoint is used to service requests for access tokens. Default URL: /oauth/token.

The following filter is required to implement an OAuth 2.0 Resource Server:

  • The OAuth2AuthenticationProcessingFilter is used to load the Authentication for the request given an authenticated access token.
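As an added example of the Resource Server side (not the project's own code): an @EnableResourceServer configuration, which is what installs the OAuth2AuthenticationProcessingFilter named above, with its filter chain restricted by a request matcher to the API paths so that it does not compete with the user-facing chain described in the note. The /manage/ path is the one the related issue #6248 refers to; the scope name "manage" is a placeholder.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/** Added example: Resource Server chain for the token-protected API only. */
@Configuration
@EnableResourceServer // adds OAuth2AuthenticationProcessingFilter to this chain
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Stateless: a request without a valid bearer token is rejected with 401 instead of
        // being authenticated through an HTTP session created by the user-facing chain.
        resources.stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles only the API paths; all other requests fall through to the
            // main WebSecurityConfigurer (login form, /oauth/authorize).
            .requestMatchers().antMatchers("/manage/**")
            .and()
            .authorizeRequests()
                // The access token must carry the "manage" scope (placeholder scope name);
                // a token issued for "read" only is rejected even though it is valid.
                .antMatchers("/manage/**").access("#oauth2.hasScope('manage')")
                .anyRequest().authenticated();
    }
}
```

Because the scope is checked here and granted per client in the Authorization Server, a browser client registered only for the read scope cannot reach /manage/ even with a valid token, which keeps machine and user clients separated at the token level rather than by URL alone.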

Anonymous Authentication

Anonymous authentication is useful when you do not want to skip authentication for pages that should behave differently for authenticated and unauthenticated users (see spring-security 4.1.3.RELEASE #anonymous).

It is configured automatically when using the WebSecurityConfigurerAdapter. By default anonymous users are represented by a token containing the role "ROLE_ANONYMOUS".
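An added illustration of the point above (not cdmlib code): with anonymous authentication enabled, the handler for a page that should behave differently for logged-in and anonymous users still runs for anonymous requests, but finds an AnonymousAuthenticationToken in the security context. Note that Authentication.isAuthenticated() returns true for that token, so the distinction must be made on the token type or through Spring Security's AuthenticationTrustResolver, as done here; the context is read from SecurityContextHolder rather than taken as a Principal method argument, because Spring Security's request wrapper reports no user principal for anonymous requests. The /user endpoint name is an assumption.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/** Added example: one endpoint that answers differently for anonymous and authenticated users. */
@RestController
public class CurrentUserController {

    private static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();

    @RequestMapping(value = "/user", method = RequestMethod.GET) // hypothetical path
    public Map<String, Object> currentUser() {
        // With anonymous authentication enabled this is an AnonymousAuthenticationToken for
        // unauthenticated requests; it is null only if anonymous authentication is disabled.
        return describe(SecurityContextHolder.getContext().getAuthentication());
    }

    /** Pure function so the branching can be unit-tested without a servlet container. */
    static Map<String, Object> describe(Authentication authentication) {
        Map<String, Object> details = new LinkedHashMap<>();
        // isAuthenticated() is true for the anonymous token, so it must not be used here.
        boolean anonymous = authentication == null || TRUST_RESOLVER.isAnonymous(authentication);
        details.put("authenticated", !anonymous);
        if (anonymous) {
            // Do not echo the anonymous principal ("anonymousUser") or ROLE_ANONYMOUS as if
            // they described a real user; the page shows its public variant instead.
            details.put("name", null);
            details.put("authorities", new ArrayList<String>());
        } else {
            List<String> authorities = new ArrayList<>();
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                authorities.add(authority.getAuthority());
            }
            details.put("name", authentication.getName());
            details.put("authorities", authorities);
        }
        return details;
    }
}
```

The same describe() helper can be used with a real Authentication from an OAuth2 bearer token, in which case the authorities reflect the user the token was issued for, not the client.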

OAuth2-test.sh (2.29 KB) Andreas Kohlbecker, 10/11/2016 10:03 AM

OAuth2-sequence-diagram-DataPortal.png (44.7 KB) Andreas Kohlbecker, 10/11/2016 02:50 PM


Related issues

Related to bug #6248: allow machine clients to access /manage/* OAuth2 protected web services Closed 12/06/2016
Related to feature request #6332: cdm-dataportal as oauth2 client of cdm-remote instances New 01/16/2017
Copied to task #6125: Implement tests for OAuth2 in cdmlib-remote New 10/11/2016
Copied to feature request #6232: secure OAuth2 grant types 'implicit' or 'password' by TSL/SSL. New 12/01/2016

Associated revisions

Revision 01fe562b (diff)
Added by Andreas Kohlbecker almost 3 years ago

ref #6118 OAuth2 AuthorizationServer implemented

Revision 9872d2b2 (diff)
Added by Andreas Kohlbecker almost 3 years ago

ref #6118 working test implementation of OAuth2
- grant types 'implicite', 'authorization_code' tested and working
- /manage/ service protected (OK for production)
- /classification/ endpoint restricted for testing only

Revision 638f3be5 (diff)
Added by Andreas Kohlbecker almost 3 years ago

ref #6118 OAuth2 ready for production
- removing development setup
- UserController to return details on the authenticated principal

Revision bb7b4f60 (diff)
Added by Andreas Kohlbecker almost 3 years ago

ref #6118 catching exception during checkConnection

Revision b7d5770a (diff)
Added by Andreas Kohlbecker over 2 years ago

ref #6118 enabling missing httpbasic authentication for oauth secured endpoints

History

#1 Updated by Andreas Kohlbecker almost 3 years ago

  • Status changed from New to In Progress

#2 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#3 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#4 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#5 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#6 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#7 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#8 Updated by Andreas Kohlbecker almost 3 years ago

  • Subject changed from evaluate spring-cloud-security as a framework for OAuth2 to evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2
  • Description updated (diff)

#9 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#10 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#11 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#12 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#13 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#14 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#15 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#16 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#17 Updated by Andreas Kohlbecker almost 3 years ago

  • File OAuth2-test.sh added

Adding shell script to test different authentication modes.

#18 Updated by Andreas Kohlbecker almost 3 years ago

  • File OAuth2-test.sh added
  • Assignee changed from Andreas Müller to Andreas Kohlbecker

updating development test script to latest implementation

#19 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#20 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#21 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#22 Updated by Andreas Kohlbecker almost 3 years ago

  • File OAuth2-sequence-diagram-DataPortal.png added
  • Description updated (diff)

#23 Updated by Andreas Kohlbecker almost 3 years ago

  • File deleted (OAuth2-test.sh)

#24 Updated by Andreas Kohlbecker almost 3 years ago

#25 Updated by Andreas Kohlbecker almost 3 years ago

  • File deleted (OAuth2-sequence-diagram-DataPortal.png)

#26 Updated by Andreas Kohlbecker almost 3 years ago

  • Description updated (diff)

#27 Updated by Andreas Müller over 2 years ago

  • Target version changed from Release 4.4 to Release 4.5

#28 Updated by Andreas Kohlbecker over 2 years ago

  • Copied to task #6125: Implement tests for OAuth2 in cdmlib-remote added

#29 Updated by Andreas Kohlbecker over 2 years ago

  • Status changed from In Progress to Closed
  • Target version changed from Release 4.5 to Release 4.4
  • % Done changed from 0 to 100

#30 Updated by Andreas Kohlbecker over 2 years ago

#31 Updated by Andreas Kohlbecker over 2 years ago

  • Description updated (diff)

#32 Updated by Andreas Kohlbecker over 2 years ago

  • Related to bug #6248: allow machine clients to access /manage/* OAuth2 protected web services added

#33 Updated by Andreas Kohlbecker over 2 years ago

  • Description updated (diff)

#34 Updated by Andreas Kohlbecker over 2 years ago

  • Description updated (diff)

#35 Updated by Andreas Kohlbecker over 2 years ago
