CODEWITHSUNDEEP
mongodbspring-security-oauth2
Shreekant N
Shreekant N

Reputation: 868

OAuth with Spring Security in RESTful web service WITHOUT hard-coded username and password (should use MongoDB database)

I just implemented OAuth with Spring Security in RESTful web service WITH hard-coded username and password,for that i just added,one spring-security file,

spring-security.xml

<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:context="http://www.springframework.org/schema/context"
  xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
   xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
 http://www.springframework.org/schema/security/oauth2
   http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
   http://www.springframework.org/schema/context
   http://www.springframework.org/schema/context/spring-context-4.1.6.xsd">

<!-- Definition of the Authentication Service -->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
     <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter"   after="BASIC_AUTH_FILTER"/>
   <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>

 <!-- Protected resources -->
<http pattern="/admin/**"
      create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
          xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/admin/**"
               access="ROLE_USER"/>
<custom-filter ref="resourceServerFilter"
               before="PRE_AUTH_FILTER"/>
<access-denied-handler
            ref="oauthAccessDeniedHandler"/>
 </http>

 <beans:bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="dstest"/>
</beans:bean>

<beans:bean id="clientAuthenticationEntryPoint"
  class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="dstest/client"/>
    <beans:property name="typeName" value="Basic"/>
</beans:bean>

<beans:bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

 <beans:bean id="clientCredentialsTokenEndpointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
     <beans:property name="authenticationManager"      ref="clientAuthenticationManager"/>
</beans:bean>

 <bean id="accessDecisionManager"   class="org.springframework.security.access.vote.UnanimousBased"
      xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
          <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
          <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
 </bean>

<!-- Authentication in config file -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService"/>
</authentication-manager>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service id="userDetailsService">
            <user name="shree" password="pass" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
 </authentication-manager>

<beans:bean id="clientDetailsUserService"
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetails"/>
</beans:bean>

<!-- Token Store  -->
<beans:bean id="tokenStore"   class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>

<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <beans:property name="tokenStore" ref="tokenStore"/>
    <beans:property name="supportRefreshToken" value="true"/>
    <beans:property name="clientDetailsService" ref="clientDetails"/>
    <!-- VIV -->
    <beans:property name="accessTokenValiditySeconds" value="10"/>
</beans:bean>

<beans:bean id="userApprovalHandler"
  class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
    <beans:property name="tokenServices" ref="tokenServices"/>
</beans:bean>

<!-- Token management -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                        user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code/>
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials/>
    <oauth:password/>
 </oauth:authorization-server>

 <oauth:resource-server id="resourceServerFilter"
                        resource-id="dstest"
                        token-services-ref="tokenServices"/>

<!-- Client Definition -->
<oauth:client-details-service id="clientDetails">

    <oauth:client client-id="my-trusted-client"
              authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
              authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
              redirect-uri="/web"
              scope="read,write,trust"
              access-token-validity="10"
              refresh-token-validity="30"/>

</oauth:client-details-service>


<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
     <sec:expression-handler ref="oauthExpressionHandler"/>
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler"/>
 <oauth:web-expression-handler id="oauthWebExpressionHandler"/>

</beans:beans>

means we no need to goto .java file currently,but now I want to check username and password from MongoDB database.I tried searching for this but either I am not understanding because code is different or their different database confuse me,I am not getting some website which really explain flow & use of code.

So my question is How to simply make above code accessible to MongoDB database and check username,password from their.

Upvotes: 0

Views: 933

Answers (1)

Maxi Wu
Maxi Wu

Reputation: 1494

are you asking about authentication? spring security oauth use spring security for authentication. that means you could configure this with WebSecurityConfigurerAdapter. like this

@Configuration
@EnableWebSecurity
public class SecurityCfg extends WebSecurityConfigurerAdapter {
@Autowired
public vodie globalUserDetails(AuthenticationManagerBuilder auth)
 {
    auth.mongoDBAuthentication().dataSource(dataSource)
                .passwordEncoder(passwordEncoder());
 }
}

you've to look for or implement mongoDBAuthentication class which implements UserDetailsManager. and setup a datasource bean. would be much easier to use jdbcAuthentication with MySQL or postgresQL. maybe this would help https://github.com/caelwinner/spring-security-mongo

Upvotes: 1

Related Questions