Home > Net >  Spring OAuth shows default username / password form
Spring OAuth shows default username / password form

Time:08-01

I had following two classes:

@SpringBootApplication
public class OauthDemo {
    public static void main(String[] args) {
        SpringApplication.run(OauthDemo.class, args);
    }
}


@RestController
@RequestMapping("/api")
public class RestDemo {
    
    @GetMapping("/protected")
    public String protectedAccess() {
        return "Hello world!!";     
    }
}

I first added following dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

After running the app, it auto generated password for default user User and logged it to the console. After entering these credentials, I was successfully able to retrieve "Hello World" response from above REST endpoint.

Then I replaced above dependency with OAuth dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

But I did not configure any OAuth client information viz. the client ID and client secret. I thought it will give me error, but the output stayed the same as in case of spring-boot-starter-security dependency: it auto generated password for default user User and logged it to the console.

Why is it so? Is it the fallback of OAuth dependency because it could not find OAuth client information?

CodePudding user response:

Login for comes from client libs. You should not depend on spring-boot-starter-oauth2-client when writing a resource-server.

Have a look at this tutorial for configuring a resource server with JWT security. You can also have look at that one to depend on spring-boot-starter-oauth2-resource-server only, but this requires quite some more Java conf.

With this conf, you'll get 401 when user is not authenticated (or has invalid token) and 403 when authentication is valid but access is denied:

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>
        <dependency>
            <groupId>com.c4-soft.springaddons</groupId>
            <!-- use spring-security-oauth2-webflux-addons instead for reactive apps -->
            <artifactId>spring-security-oauth2-webmvc-addons</artifactId>
            <version>4.5.1</version>
        </dependency>
        <dependency>
            <groupId>com.c4-soft.springaddons</groupId>
            <!-- use spring-security-oauth2-test-webflux-addons instead for reactive apps -->
            <artifactId>spring-security-oauth2-test-webmvc-addons</artifactId>
            <version>4.5.1</version>
            <scope>test</scope>
        </dependency>

@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class WebSecurityConfig {
}

# shoud be set to where your authorization-server is
com.c4-soft.springaddons.security.token-issuers[0].location=https://localhost:9443/realms/master

# shoud be configured with a list of private-claims this authorization-server puts user roles into
# below is default Keycloak conf for a `spring-addons` client with client roles mapper enabled
com.c4-soft.springaddons.security.token-issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons.roles

# use IDE auto-completion or see SpringAddonsSecurityProperties javadoc for complete configuration properties list

CodePudding user response:

If you check closely the POM of spring-boot-starter-security-<version>.pom It has below dependencies.

<dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>5.7.2</version>
      <scope>compile</scope>
    </dependency>

Now If you check the POM of spring-boot-starter-oauth2-client-<version>.pom You will find the security dependency included in POM.

<dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>5.7.2</version>
      <scope>compile</scope>
    </dependency>

Now if you check the class

@AutoConfiguration(before = SecurityAutoConfiguration.class)
@ConditionalOnClass({ EnableWebSecurity.class, ClientRegistration.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@Import({ OAuth2ClientRegistrationRepositoryConfiguration.class, OAuth2WebSecurityConfiguration.class })
public class OAuth2ClientAutoConfiguration {

}

Which basically uses the security libraries and enabled them, So internally its using the org.springframework.security which is showing you the default username and password form.

Page link:https//www.codepudding.com/net/494940.html

Prev:Finding the name of the column in which duplicate value was inserted
Next:Why does isFinishing() behaves differently in entry point Activity (with android.intent.action.MAIN)
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding