This project is an OAuth2 POC consisting of all three OAuth parties: the authentication server, a resource server, and a client app. Each party is packaged as its own WAR.
On 23-02-2016 the Spring versions were updated to:
- Spring: 4.2.4.RELEASE
- Spring Security: 4.0.3.RELEASE
- Spring Security OAuth: 2.0.9.RELEASE
In 02-2020 the Spring versions were updated to:
- Spring: 5.2.3.RELEASE
- Spring Security: 5.2.2.RELEASE
- Spring Security OAuth: 2.0.16.RELEASE
The password-encoder mechanism changed in Spring Security 5: the default is now a DelegatingPasswordEncoder, and every stored password must carry an {id} prefix (for example {bcrypt}, or {noop} for plaintext) naming the algorithm that produced it; a password without a prefix is rejected at login. The configuration had to be adjusted accordingly.
References: https://www.baeldung.com/spring-security-session and https://docs.spring.io/spring-security/site/docs/current/reference/html5/#ns-session-fixation.
After a successful login I hit NoSuchMethodError: javax.servlet.http.HttpServletRequest.changeSessionId(). It happens because Spring Security's session-fixation protection defaults to the changeSessionId strategy, which calls (see the stack trace below) HttpServletRequest.changeSessionId(), a method that exists only from Servlet API 3.1 on; Tomcat 7 implements Servlet 3.0, so the method is missing at runtime.
One option is to upgrade to Servlet API 3.1, but that means moving to Tomcat 8 (http://tomcat.apache.org/whichversion.html), so all components would have to be deployed on Tomcat 8. The simpler solution for this demo is to disable session-fixation protection. Note that this leaves the demo open to session-fixation attacks; on a Servlet 3.0 container the migrateSession strategy (new session id, attributes copied over) keeps the protection without calling changeSessionId(), so prefer it for anything beyond a demo.
Migrating from tomcat7-maven-plugin to tomcat8-maven-plugin is another story.
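As an added example (not the project's own configuration), here are the two adjustments above expressed as a Spring Security 5.2 Java configuration for the client web-app: the delegating password encoder, with the admin/admin client login used in the steps below, and the session-fixation strategy. The class name DemoSecurityConfig and the form-login setup are assumptions; if the project uses XML configuration instead, the equivalent of the last line is `<session-management session-fixation-protection="migrateSession"/>`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example, not the project's code; class name and form login are assumed.
@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Security 5 has no plaintext default any more: stored passwords carry an
    // {id} prefix and the delegating encoder picks the matching algorithm. encode()
    // produces {bcrypt} hashes, so nothing has to be stored as {noop} plaintext.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // The client's own admin/admin login from the run instructions, hashed at startup.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("admin")
                .password(passwordEncoder().encode("admin"))
                .roles("USER")
                .build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // The default, changeSessionId(), needs Servlet 3.1 (Tomcat 8+) and fails
                // with NoSuchMethodError on Tomcat 7. migrateSession() keeps the protection
                // on Servlet 3.0: a new session id is issued and the attributes are copied.
                // none() is what this demo chose; it leaves session fixation unmitigated.
                .sessionFixation().migrateSession();
    }
}
```

With this in place the client still authenticates its own users (admin/admin) before starting the OAuth2 dance, and a session id obtained before login is never reused afterwards.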
- Deploy all 3 WARs on a servlet container, e.g. Tomcat.
- Browse http://localhost:8080/oauth2-client/hello. The client needs a login of its own: admin/admin (Spring Security expects your client web-app to have its own credentials).
- The client app then tries to call the resource-server URL http://localhost:8080/oauth2-resource-server/welcome.
- This redirects to the OAuth 2.0 authentication server. Log in to the authentication server; currently its users are in-memory: demo@ohadr.com/demo. It can be configured to read from a DB.
- The client should then access the resource server using the access token and print a message.
- NOTE that you will have to change the port configuration to 8080 in oauth2-client/.../client.properties.
From the command line, use the following command:
```
mvn clean tomcat7:run
```
Each component is configured to use a different port:
- resource-server on port 8094,
- auth-server on port 8091,
- client on port 8092.

Then:
- Browse http://localhost:8092/oauth2-client/hello. The client needs a login of its own: admin/admin (Spring Security expects your client web-app to have its own credentials).
- The client app then tries to call the resource-server URL http://localhost:8094/oauth2-resource-server/welcome.
- This redirects to the OAuth 2.0 authentication server. Log in to the authentication server; for simplicity its users are in-memory: demo@ohadr.com/demo.
- The client should then access the resource server using the access token and print a message.
Since each component is configured to use a different port (see above), it is easy to run all 3 components from Eclipse. Below is the configuration (note the 3 configs):
For more info, see this README: https://gitlab.com/OhadR/activemq-spring-sandbox#debug-within-eclipse
auth-common holds the common authentication code. It is part of this project and is also available from the Maven repository:
```xml
<dependency>
    <groupId>com.ohadr</groupId>
    <artifactId>auth-common</artifactId>
    <version>1.1.3</version>
</dependency>
```
Note the version: make sure you use the latest.
- A keystore may be created, both for SSL and for signing the tokens. If, for simplicity, you want to skip fighting the keystore, set the flag
  com.ohadr.oauth2.token.cryptoEnabled=false
  (the tokens are then not signed, so use this only for local experimentation).
- Its alias and password should be updated in the properties file as well as in Tomcat's server.xml.
- The algorithm should be DSA, because the access-token signature code expects "SHA1withDSA". Note that SHA-1 is deprecated for signatures, so treat this as a demo setting rather than a production one.
- If you want to work with "localhost", make the certificate's name (the CN keytool asks for) "localhost", otherwise hostname verification fails:
  http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find/12146838#12146838
Creating the key pair using Java's keytool (replace the angle-bracket placeholders with your own alias, passwords and keystore path):
```
keytool.exe -genkeypair -alias <alias> -keypass <keypass> -keyalg DSA -keystore <keystore> -storepass <storepass> -storetype JCEKS -v
```
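As an added example (not code from this project), the following signs and verifies a minimal "payload.signature" token with the algorithm name the page mentions, SHA1withDSA, and beside it the stronger SHA256withDSA. The token layout, the key sizes and the payload are assumptions for the demonstration; the keys are generated in memory instead of being loaded from the JCEKS keystore created above.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

// Added example, not the project's code: token = payload + "." + base64(DSA signature).
public final class DsaTokenSigning {

    public static String sign(KeyPair kp, String payload, String algorithm) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initSign(kp.getPrivate());
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "." + Base64.getEncoder().encodeToString(s.sign());
    }

    // Returns false for a wrong, tampered or malformed signature; only a key that the
    // algorithm cannot use at all (InvalidKeyException) propagates to the caller.
    public static boolean verify(KeyPair kp, String token, String algorithm) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return false;
        Signature s = Signature.getInstance(algorithm);
        s.initVerify(kp.getPublic());
        s.update(token.substring(0, dot).getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(Base64.getDecoder().decode(token.substring(dot + 1)));
        } catch (SignatureException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        String payload = "sub=demo@ohadr.com;exp=1700000000";  // constructed sample payload

        // What the page's code expects: SHA1withDSA with the legacy 1024-bit DSA size
        // (q is 160 bits, matching the SHA-1 digest length).
        kpg.initialize(1024);
        KeyPair legacy = kpg.generateKeyPair();
        String token = sign(legacy, payload, "SHA1withDSA");
        System.out.println("SHA1withDSA verifies:    " + verify(legacy, token, "SHA1withDSA"));  // true
        String forged = token.replace("demo@", "admin@");  // payload changed, signature kept
        System.out.println("tampered token verifies: " + verify(legacy, forged, "SHA1withDSA")); // false

        // Stronger choice: SHA256withDSA with a 2048-bit key (q is 256 bits). Signer and
        // verifier must agree on the algorithm name, which is why the page pins DSA.
        kpg.initialize(2048);
        KeyPair modern = kpg.generateKeyPair();
        String token2 = sign(modern, payload, "SHA256withDSA");
        System.out.println("SHA256withDSA verifies:  " + verify(modern, token2, "SHA256withDSA")); // true
        try {
            // Depending on the JDK, a SHA1withDSA verifier either refuses the 2048-bit key
            // or simply returns false; in both cases the token is not accepted.
            System.out.println("mismatched algorithm:    " + verify(modern, token2, "SHA1withDSA"));
        } catch (InvalidKeyException e) {
            System.out.println("mismatched algorithm:    rejected (" + e.getMessage() + ")");
        }
    }
}
```

If the signature algorithm in the code is ever changed away from SHA1withDSA, the keystore entry must be regenerated with a matching key, since the token verifier and the key type have to agree.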
```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
public static String encrypt(byte[] key, String strToEncrypt) throws Exception {
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // ECB: equal plaintext blocks give equal ciphertext blocks, and nothing authenticates the result
    SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    String encryptedString = Base64.encodeBase64String(cipher.doFinal(strToEncrypt.getBytes()));
    return encryptedString;
}
```
References: http://techie-experience.blogspot.co.il/2012/10/encryption-and-decryption-using-aes.html and http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html#init(int, java.security.Key)
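The snippet above uses AES in ECB mode, which leaks equal plaintext blocks and offers no integrity protection. As an added example (not code from this project), here is an encrypt/decrypt pair using AES/GCM/NoPadding with a fresh random 96-bit nonce prefixed to the ciphertext and a 128-bit authentication tag; the key is generated in main() for the demonstration only and is not how the project manages its key.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the project's code: AES-GCM in place of AES-ECB.
public final class AesGcmExample {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Output layout: base64( nonce || ciphertext || tag ). A fresh random nonce per call
    // is what makes two encryptions of the same plaintext differ; never reuse a nonce
    // under the same key.
    public static String encrypt(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the nonce, ciphertext or tag was modified.
    public static String decrypt(byte[] key, String token) throws Exception {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("token too short to hold a nonce and a tag");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);  // needs the unlimited crypto policy on JDKs older than 8u161
        byte[] key = kg.generateKey().getEncoded();

        String a = encrypt(key, "demo@ohadr.com");
        String b = encrypt(key, "demo@ohadr.com");
        System.out.println("same plaintext, same ciphertext? " + a.equals(b));  // false; ECB would print true
        System.out.println("decrypted: " + decrypt(key, a));

        byte[] raw = Base64.getDecoder().decode(a);
        raw[IV_BYTES] ^= 0x01;  // flip one bit of the ciphertext
        try {
            decrypt(key, Base64.getEncoder().encodeToString(raw));
            System.out.println("tampering went unnoticed");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

Compared with the ECB snippet, the same plaintext encrypts to a different string every time, and a modified token fails to decrypt instead of yielding silently corrupted data.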