Security integrated in Web Spring Boot applications

Owned by DevPortal Editor (Unlicensed)
Last updated: 28/09/22 by Onesait Platform
4 min read

EN | ES

To facilitate the integration of the Spring Boot web applications developed on the OpenPlatform, with authentication and platform Realms, we provide the onesaitplatform-web-security-client library, which has the following dependency:


<dependency>
  	<groupId>com.minsait.onesait.platform</groupId>
  	<artifactId>onesaitplatform-web-security-client</artifactId>
	<version>1.4.0-RELEASE</version>
</dependency>



and is available for download from the platform nexus: http://nexus.onesaitplatform.com/nexus/content/repositories/releases/

 

 

This library allows you to authenticate applications with the Realm they have defined in the Platform, and to secure REST services by using authorities and roles defined in the REALM..



We will explain this with an example:


We create the Realm TEST_SSO with the authorities auth1, auth2, auth3 and the Roles ROLE_USER, ROLE_ADMINISTRATOR. Remember that authorities and roles are very similar concepts, but the authorities provide a finer grain in permit management while the Roles group together different permits. It is the application's task to differentiate between them and manage them. At the OAUTH server level they are differentiated by the ROLE_ prefix that the Roles have:



Once the authorities and Roles have been defined, we assign them to the users. In this case, we assign the user jfgpimpollo the ROL_USER and the auth1 authority:


With this, we already have the role management and its assignment to users in the OAUTH2 platform server through the REALM of the application. Next we use it from our application:

To do this, we add the dependency of the platform web security library to the pom.xml of our Spring boot application:


<dependency>
	<groupId>com.minsait.onesait.platform</groupId>
    <artifactId>onesaitplatform-web-security-client</artifactId>
	<version>1.4.0-RELEASE</version>
</dependency>


And we add the nexus repository from which to download it:

<repositories>
	<repository>
        <id>onesait</id>
    	<url>https://nexus.onesaitplatform.com/nexus/content/repositories/releases/</url>
	</repository>
</repositories>



Next, if we have not yet enabled Spring security in our application's pom.xml, we add the dependency:

<dependency>
	<groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>



The next step is adding the properties that the security library needs, which are basically the configuration parameters to connect to the OAUTH2 server that manages the application's Realm, to the application.properties or application.yml. Specifically, these are the following properties (in .yml format):

openplatform.api:
   baseurl: https://development.onesaitplatform.com
   auth:
    login.path: /oauth-server/oauth/token
    token:
      verify.path: /oauth-server/openplatform-oauth/check_token
      grant_type: password
      scope: openid
      clientId: TEST_SSO
      password: onesaitplatform
      vertical: onesaitplatform #only change this parameter if using multitenant platform and different vertical



where we will have to adapt the properties:

  • baseurl: It is the url of the OpenPlatform instance used by the application.
  • clientId: Application's Realm's identifier.



Bear in mind that, once Spring Security is enabled in our Spring Boot application, the later has been secured by the self-configuration that Spring Boot does, so we will have to decide which urls we escape (at least the login one), also indicating that we are securing resources through OAUTH2 (We extend from ResourceServerConfigurerAdapter instead of WebSecurityConfigurerAdapter). We will add something of this style to our application:


WARNING: In recent versions, you should delete .anyRequest().authenticated() in order to make the test.

Next, we must program the authentication against the platform with the user/password of the users added to the application's REALM. For this, the onesaitplatform-web-security-client library provides a Spring Bean that allows you to login against the OAUTH2 server. This Bean can be injected by adding our component:


@Autowired
private LoginService loginService;

    


and is used as follows to recover the OAUTH2 Token returned by platform::


String token=loginService.login(user, password).getToken();


For example, to illustrate it, we will create a REST service to authenticate and retrieve the token::



We can invoke it easily from the browser, thus recovering the Token::





Then we can use that token by sending it as an Authorization header to all the REST requests, and we can secure the methods with Spring annotations:



For example, we will see a few secure methods::

With response:




With response:



With response:







With response: