Reputation: 25
Spring. Implementation Oauth.2.0 for REST API
How can I combine basic authorization (login + password) with authorization of other services (google, github, facebook) using Spring Boot and Spring Security? There is a lot of information and I don’t understand how to solve this problem correctly. I would be grateful for the tutorial or link to the material.
Upvotes: 2
Views: 305
Answers (1)
Reputation: 8213
- Spring security is implemented using filter chain and each responsibility is allocated to particular type.
- For an example, the diagram below shows the components involved in username password authentication.
- But Spring security framework allows you to have multiple implementations for each type in the same application.
- If you want multiple authentication mechanisms, you provide list of concrete implementations for each stage for that mechanism. For example, in your case, in the
AuthenticationFilteryou will have aUsernamePasswordAuthenticationFilterfor username/password authentication mechanism and aOAuth2LoginAuthenticationFilterfor Oauth2 Login mechanism. And then forAuthenticationTokens, you will haveUsernamePasswordAuthenticationTokenandOAuth2LoginAuthenticationToken. And so on for each stage. - Now When an http request reaches the server, at each stage, spring will iterate through your list for that stage until one of them satisfies or the list is complete. For example, if the request is coming with a
passwordparam (or you know it is always come from/loginurl), at theAuthenticationFilter,OAuth2LoginAuthenticationFilterwill satisfy it and it will create theUsernamePasswordAuthenticationTokenand pass it to third stage . But if the request comes with token, it will satisfyOAuth2LoginAuthenticationFilterand it will createOAuth2LoginAuthenticationTokenand pass it to 3rd stage.
I hope this gives you a high level picture, just implement an sample app with username and password only, put breakpoints in the source code spring security classes I mentioned and see how it is iterating at each stage.
Once you are confident how these filters are chained, then try to add something like ldap authentication as the second authentication mechanism for your app.
Once you are confident implementing these 2, then go for adding OAuth2 by following https://spring.io/guides/tutorials/spring-boot-oauth2/
Reference Diagram: https://springbootdev.com/2017/08/23/spring-security-authentication-architecture/
Upvotes: 1
Related Questions
- Spring Boot 2.0.0 + OAuth2
- Issue in securing Spring REST service With OAuth2 in Spring Boot
- Spring boot Client to invoke REST API secured by OAuth2
- Spring Security and Oauth2 misunderstanding
- Authentication with Spring oAuth2.0
- Authorization Server
- Java Spring (Maven) REST API using OAuth2
- Getting oauth2 to work with spring-boot and rest
- Configuring OAuth 2 in Java Spring Boot
- OAuth2 with Spring MVC rest APIs