I had following two classes:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class OauthDemo {
    public static void main(String[] args) {
        SpringApplication.run(OauthDemo.class, args);
    }
}
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class RestDemo {
    @GetMapping("/protected")
    public String protectedAccess() {
        return "Hello world!!";
    }
}
I first added following dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
After running the app, it auto-generated a password for the default user User and logged it to the console. After entering these credentials, I was successfully able to retrieve the "Hello World" response from the above REST endpoint.
Then I replaced above dependency with OAuth dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
But I did not configure any OAuth client information, viz. the client ID and client secret. I thought it would give me an error, but the output stayed the same as in the case of the spring-boot-starter-security dependency: it auto-generated a password for the default user User and logged it to the console.
Why is it so? Is it the fallback of the OAuth dependency because it could not find the OAuth client information?
CodePudding user response:
The login form comes from the client libs. You should not depend on spring-boot-starter-oauth2-client when writing a resource-server.
Have a look at this tutorial for configuring a resource server with JWT security. You can also have a look at that one to depend on spring-boot-starter-oauth2-resource-server only, but this requires quite a bit more Java conf.
With this conf, you'll get a 401 when the user is not authenticated (or has an invalid token) and a 403 when the authentication is valid but access is denied:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <!-- use spring-security-oauth2-webflux-addons instead for reactive apps -->
    <artifactId>spring-security-oauth2-webmvc-addons</artifactId>
    <version>4.5.1</version>
</dependency>
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <!-- use spring-security-oauth2-test-webflux-addons instead for reactive apps -->
    <artifactId>spring-security-oauth2-test-webmvc-addons</artifactId>
    <version>4.5.1</version>
    <scope>test</scope>
</dependency>
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
}
# should be set to where your authorization-server is
com.c4-soft.springaddons.security.token-issuers[0].location=https://localhost:9443/realms/master
# should be configured with a list of private claims this authorization-server puts user roles into
# below is the default Keycloak conf for a `spring-addons` client with the client roles mapper enabled
com.c4-soft.springaddons.security.token-issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons.roles
# use IDE auto-completion or see the SpringAddonsSecurityProperties javadoc for the complete list of configuration properties
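An added example (not part of the answer above, and not spring-addons code) of the "resource-server only" variant the answer mentions: the same 401/403 behaviour using nothing but spring-boot-starter-oauth2-resource-server on Spring Security 5.7 (Boot 2.7, matching the 5.7.2 versions shown on this page). The issuer URL and the realm_access.roles claim layout are assumptions carried over from the Keycloak defaults in the properties above; the class and method names are mine.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

// Added example: resource-server-only configuration (spring-boot-starter-oauth2-resource-server,
// Spring Security 5.7). Not the answer's spring-addons code; class and method names are mine.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on controller methods
public class ResourceServerConfig {

    // Assumed issuer (same Keycloak realm URL as the properties above). OIDC discovery is fetched
    // from here; the resulting decoder checks the signature against the realm's JWK set, exp/nbf,
    // and that the iss claim of every bearer token equals this value.
    static final String ISSUER = "https://localhost:9443/realms/master";

    @Bean
    JwtDecoder jwtDecoder() {
        return JwtDecoders.fromIssuerLocation(ISSUER);
    }

    // Turn realm_access.roles into ROLE_* authorities so hasRole('ADMIN') works in @PreAuthorize.
    // The claim layout is the Keycloak default and is an assumption about the issuer.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(ResourceServerConfig::realmRoles);
        return converter;
    }

    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
            return authorities; // no roles claim: authenticated, but nothing is authorised
        }
        for (Object role : (Collection<?>) realmAccess.get("roles")) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        return authorities;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http
            // bearer tokens are the only credential: no server-side session, so no CSRF token either
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // no formLogin()/httpBasic(): missing or invalid token -> 401 with WWW-Authenticate: Bearer,
            // valid token failing a @PreAuthorize check -> 403 with error="insufficient_scope"
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

Annotate protectedAccess() with @PreAuthorize("hasRole('ADMIN')") and a request without a bearer token (or with an expired or wrongly-signed one) gets 401, while a valid token whose realm_access.roles lacks ADMIN gets 403. Because a JwtDecoder bean is present and the chain has no formLogin() or httpBasic(), Boot's UserDetailsServiceAutoConfiguration backs off and the generated password from the question never appears; setting spring.security.oauth2.resourceserver.jwt.issuer-uri instead of declaring the JwtDecoder bean has the same effect.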
CodePudding user response:
If you check the POM of spring-boot-starter-security-<version>.pom closely, it has the dependency below.
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.7.2</version>
    <scope>compile</scope>
</dependency>
Now if you check the POM of spring-boot-starter-oauth2-client-<version>.pom, you will find the same security dependency included.
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.7.2</version>
    <scope>compile</scope>
</dependency>
Now if you check the class
@AutoConfiguration(before = SecurityAutoConfiguration.class)
@ConditionalOnClass({ EnableWebSecurity.class, ClientRegistration.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@Import({ OAuth2ClientRegistrationRepositoryConfiguration.class, OAuth2WebSecurityConfiguration.class })
public class OAuth2ClientAutoConfiguration {
}
which basically uses the security libraries and enables them. So internally it is using org.springframework.security, which is showing you the default username and password form.
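To see the conditions behind the auto-configuration class quoted above in action, here is an added example (my code, not from the answer or from Spring Boot). The two configurations that OAuth2ClientAutoConfiguration imports are both conditional: OAuth2ClientRegistrationRepositoryConfiguration only runs when spring.security.oauth2.client.registration.* properties exist, and OAuth2WebSecurityConfiguration is @ConditionalOnBean(ClientRegistrationRepository.class). With neither in place, Boot falls back to its default SecurityFilterChain (form login plus HTTP Basic) and UserDetailsServiceAutoConfiguration logs the generated password, which is what the question observed. The class below supplies that ClientRegistrationRepository bean by hand; the client id, secret and Keycloak-style endpoint URLs are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

// Added example (mine, not from the answer or from Spring Boot): the bean that
// OAuth2ClientRegistrationRepositoryConfiguration would have built from
// spring.security.oauth2.client.registration.* properties, created by hand.
// Its presence is the condition OAuth2WebSecurityConfiguration waits for.
@Configuration
public class OAuth2ClientConfig {

    // Placeholder realm URL for a Keycloak-style provider; replace with your IdP's metadata.
    static final String REALM = "https://localhost:9443/realms/master";

    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration demo = ClientRegistration.withRegistrationId("demo")
                .clientId("oauth-demo")       // placeholder client id
                .clientSecret("change-me")    // placeholder; load real secrets from env/vault, never from source
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Spring Security's default callback pattern; the IdP must whitelist the resolved URL exactly
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile")
                .issuerUri(REALM)
                .authorizationUri(REALM + "/protocol/openid-connect/auth")
                .tokenUri(REALM + "/protocol/openid-connect/token")
                .jwkSetUri(REALM + "/protocol/openid-connect/certs") // used to validate the ID token
                .userNameAttributeName("preferred_username")
                .build();
        return new InMemoryClientRegistrationRepository(demo);
    }
}
```

With this bean present, OAuth2WebSecurityConfiguration contributes a SecurityFilterChain with oauth2Login() and oauth2Client(), so GET /api/protected redirects to the provider instead of showing the default login form, and UserDetailsServiceAutoConfiguration, which also backs off when a ClientRegistrationRepository bean exists, stops generating the password. Starting the app with --debug prints Boot's conditions evaluation report, where both configurations move from the negative to the positive matches; run the original app the same way and the report shows them under negative matches, explaining the behaviour in the question.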