EDIT

spring-security-oauth & Spring-Cloud-Security & bring OAuth2 for spring applications.

• OAuth2 in general is provided by spring-security-oauth
  • For full details, see the Spring Security OAuth 2 Developers Guide
• The oauth2-authorization-server feature as supported by spring-boot: http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server
• spring-cloud-security provides the client side authentication feature for a distributed environment with support for proxying the requests.
  • http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html
  • https://github.com/spring-cloud/spring-cloud-security

OAuth2¶

• rfc6749
• https://entwickler.de/online/agile/so-funktioniert-oauth2-134316.html

OAuth2 security threads and consideration¶

• rfc6819 - OAuth 2.0 Threat Model and Security Considerations
• http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

Specification details¶

The OAuth2 specification (rfc6749) defines four (six) grant types:

When using implicit or password it is strongly required that the communication secured by TSL/SSL. TSL/SSL can be enforced in spring-security-oauth. --> #6232

Test Requests for testing various grant types during development are found in OAuth2-test.sh

Example implementations¶

The reference implementation is found at github: spring-projects/spring-security-oauth whereas the samples/oauth2/sparklr project is most relevant for us. This is an example for the password grant type: http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/

Usage scenarios¶

Dataportal as OAuth2 Client using grant_type=authorization_code¶

Dataportal as OAuth2 Client using grant_type=implicit¶

Notes¶

spring-security-oauth¶

The following endpoints are required in the Spring Security filter chain in order to implement OAuth 2.0 Authorization Server:

• AuthorizationEndpoint is used to service requests for authorization. Default URL: /oauth/authorize. This enpoint should be protected using Spring Security so that it is only accessible to authenticated users. For instance using a standard Spring Security WebSecurityConfigurer:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/login").permitAll().and()
        // default protection for all resources (including /oauth/authorize)
            .authorizeRequests()
                .anyRequest().hasRole("USER")
        // ... more configuration, e.g. for form login
    }

Note: if your Authorization Server is also a Resource Server then there is another security filter chain with lower priority controlling the API resources. Fo those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above. (see configuring-the-endpoint-urls)

• TokenEndpoint is used to service requests for access tokens. Default URL: /oauth/token.

The following filter is required to implement an OAuth 2.0 Resource Server:

• The OAuth2AuthenticationProcessingFilter is used to load the Authentication for the request given an authenticated access token.

Anonymous Authentication¶

Is useful in cases when you don't want to skip authentication for pages which should behave differently for authenticated and not authenticated users (see spring-security 4.1.3.RELEASE #anonymous

Is configured automatically when using the WebSecurityConfigurerAdapter. By default anonymous users will be represented with token containing the role "ROLE_ANONYMOUS".