Skip to content

OhadR/oAuth2-sample

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

198 Commits
auth-common
auth-common
 
 
oauth2-auth-server
oauth2-auth-server
 
 
oauth2-client
oauth2-client
 
 
oauth2-resource-server
oauth2-resource-server
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
README.md
README.md
 
 
eclipse-debug-config.jpg
eclipse-debug-config.jpg
 
 
noSuchMethodErrorChangeSessionId.jpg
noSuchMethodErrorChangeSessionId.jpg
 
 
pom.xml
pom.xml
 
 
tomcat-versions-supports.jpg
tomcat-versions-supports.jpg
 
 

Repository files navigation

oAuth2-sample Build Status

This project is a oAuth2 POC, consists of all 3 oAuth parties: the authentication server, a resource server, and a client app. Each party is represented by its own WAR.

23-02-2016: Spring Versions Updated

On 23-02-2016, Spring versions were updated:

  • Spring: 4.2.4.RELEASE
  • Spring Security: 4.0.3.RELEASE
  • Spring Security oAuth: 2.0.9.RELEASE

02-2020: Spring Versions Updated

On 02-2020, Spring versions were updated:

  • Spring: 5.2.3.RELEASE
  • Spring Security: 5.2.2.RELEASE
  • Spring Security oAuth: 2.0.16.RELEASE

Spring security 5: PasswordEncoder

Mechanism of password encoder was changed in Spring-Security 5. I had to adjust configuration.

Spring security and Session Fixation Protection

https://www.baeldung.com/spring-security-session https://docs.spring.io/spring-security/site/docs/current/reference/html5/#ns-session-fixation.

After successful login I hit NoSuchMethodError: javax.servlet.http.HttpServletRequest.changeSessionId(). It happens because Spring's session-fixation-protection calls (see stack below) to servlet API to 3.1's HttpServletRequest.changeSessionId. One option is to upgrade to servlet API to 3.1, but then I will have to upgrade to tomcat-8 (http://tomcat.apache.org/whichversion.html). Thus the components should be deployed on tomcat-8. More simple solution is to disable the session-fixation-protection for this demo.

noSuchMethodErrorChangeSessionId.jpg

tomcat-versions-supports.jpg

Trying to migrate tomcat7-maven-plugin to tomcat8-maven-plugin is another story.

How to Run 1: Deploy all components on the same Tomcat

  • Deploy all 3 WARs on a servlet container, e.g. Tomcat.
  • Browse http://localhost:8080/oauth2-client/hello. The client needs a login by itself: admin/admin (Spring Security expects your client web-app to have its own credentials).
  • client app tries to call the resource-server url http://localhost:8080/oauth2-resource-server/welcome
  • This will redirect to oauth2.0 authentication server. Login to authentication-server, currently it is from mem: demo@ohadr.com/demo. it can be configured to read from a DB.
  • client should access the resource server using the access-token, and print a message.
  • NOTE that you will have to change the ports' configurations to 8080 in oauth2-client/.../client.properties.

How to Run 2: tomcat7-maven-plugin

from command line, use the following command:

mvn clean tomcat7:run

each component is configured to use a different port:

  • resource-server on port 8094,

  • auth-server 8091,

  • client 8092.

  • Browse http://localhost:8092/oauth2-client/hello. The client needs a login by itself: admin/admin (Spring Security expects your client web-app to have its own credentials).

  • client app tries to call the resource-server url http://localhost:8094/oauth2-resource-server/welcome

  • This will redirect to oauth2.0 authentication server. Login to authentication-server, for simplicity it is in-mem: demo@ohadr.com/demo.

  • client should access the resource server using the access-token, and print a message.

How to Run 3: debug from eclipse

Since each component is configured to use a different port (see above), it is easy to run all 3 components from eclipse. Below is the configuration (note the 3 configs):

debug_within_eclipse

for more info, See this README: https://gitlab.com/OhadR/activemq-spring-sandbox#debug-within-eclipse

Project Components

JAR: auth-common

common code for authentication. You can find it also in this project, and also it is available in Maven repository:

<dependency>
  <groupId>com.ohadr</groupId>
  <artifactId>auth-common</artifactId>
  <version>1.1.3</version>
</dependency>

Note the version - make sure you use the latest.

KeyStore things to know:

  1. a keystore may be created, both for SSL and for signing the tokens. If, for simplicity, the user wants to skip fighting keystore, he should set the flag com.ohadr.oauth2.token.cryptoEnabled=false
  2. its alias and password should be updated in the prop file as well as in the tomcat's server.xml
  3. algorithm should be DSA (because in the access-token signature my code expects it to be "SHA1withDSA"
  4. if you want to work with "localhost", you should make the name "localhost":
  5. http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find/12146838#12146838

creating a token using Java's keytool: keytool.exe -genkeypair -alias -keypass -keyalg DSA -keystore -storepass -storetype JCEKS -v

Java Encryption:

Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec secretKey = new SecretKeySpec(key, "AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); String encryptedString = Base64.encodeBase64String(cipher.doFinal(strToEncrypt.getBytes())); return encryptedString;

http://techie-experience.blogspot.co.il/2012/10/encryption-and-decryption-using-aes.html http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html#init(int, java.security.Key)

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

13 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

23 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages