update application project

dimMaryanto@win10 · dimMaryanto@win10 · commit b4987f16a652 · 2018-08-30T17:11:29.000+07:00
diff --git a/README.md b/README.md
@@ -1,9 +1,31 @@
-# Security Oauth2 with LDAP
+# Spring Security - Oauth2 SSO example
 
-## Request token
+Belajar Web Security dengan fitur single sign on (SSO)
 
-```bash
-curl -X POST \
-  'http://localhost:8080/oauth/token?grant_type=password&username=user&password=password&client_id=mandiri_mits' \
-  -H 'Authorization: Basic bWFuZGlyaV9taXRzOjEyMzQ1Ng=='
-```
+- Fitur Grant type Authorization code
+    
+    - request code : [klick disini](http://localhost:8080/oauth/authorize?grant_type=authorization_code&client_id=client-code&client_secret=123456&redirectUrl=http://localhost:8080/&response_type=code)
+    
+        ```bash
+        http://localhost:8080/oauth/authorize?grant_type=authorization_code&client_id=client-code&client_secret=123456&redirectUrl=http://localhost:8080/&response_type=code
+        ```
+    
+    - request token : 
+    
+        ```bash 
+        curl -X POST \
+          http://localhost:8080/oauth/token \
+          -H 'Authorization: Basic Y2xpZW50LWNvZGU6MTIzNDU2' \
+          -H 'Cache-Control: no-cache' \
+          -H 'Content-Type: application/x-www-form-urlencoded' \
+          -d 'grant_type=authorization_code&code=1HQ2Gh'
+        ```
+
+- Fitur Grant type Password
+
+    ```bash
+    curl -X POST \
+      'http://localhost:8080/oauth/token?grant_type=password&client_id=client-code&username=user&password=password' \
+      -H 'Authorization: Basic Y2xpZW50LWNvZGU6MTIzNDU2' \
+      -H 'Postman-Token: f2b78553-073a-46c7-8a3e-dca6ccdc1fef'
+    ```
diff --git a/pom.xml b/pom.xml
@@ -25,10 +25,6 @@
     </properties>
 
     <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-ldap</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
@@ -37,10 +33,6 @@
             <groupId>org.springframework.security.oauth</groupId>
             <artifactId>spring-security-oauth2</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-jwt</artifactId>
-        </dependency>
         <dependency>
             <groupId>net.sourceforge.collections</groupId>
             <artifactId>collections-generic</artifactId>
diff --git a/src/main/java/com/maryanto/dimas/example/config/OauthAuthorizationServer.java b/src/main/java/com/maryanto/dimas/example/config/OauthAuthorizationServer.java
@@ -1,7 +1,6 @@
-package com.maryanto.dimas.example.configurations;
+package com.maryanto.dimas.example.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
@@ -11,22 +10,17 @@
 
 @EnableResourceServer
 @Configuration
-public class OauthResourceServerConfiguration extends ResourceServerConfigurerAdapter {
-
+public class OauthAuthorizationServer extends ResourceServerConfigurerAdapter {
 
     @Autowired
     private OAuth2AccessDeniedHandler handler;
 
     @Autowired
     private TokenStore tokenStore;
 
-    @Value("${oauth2.resource_id}")
-    private String RESOURCE_ID;
-
     @Override
     public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
-//        super.configure(resources);
-        resources.resourceId(RESOURCE_ID)
+        resources.resourceId("client-code")
                 .tokenStore(tokenStore)
                 .accessDeniedHandler(handler)
                 .stateless(false);
diff --git a/src/main/java/com/maryanto/dimas/example/config/OauthResourceServer.java b/src/main/java/com/maryanto/dimas/example/config/OauthResourceServer.java
@@ -1,8 +1,7 @@
-package com.maryanto.dimas.example.configurations;
+package com.maryanto.dimas.example.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -16,14 +15,7 @@
 
 @Configuration
 @EnableAuthorizationServer
-public class OauthServerConfiguration extends AuthorizationServerConfigurerAdapter {
-
-    @Value("${oauth2.resource_id}")
-    private String RESOURCE_ID;
-    @Value("${oauth2.client_id}")
-    private String CLIENT_ID;
-    @Value("${oauth2.client_secret}")
-    private String CLIENT_SECRET;
+public class OauthResourceServer extends AuthorizationServerConfigurerAdapter {
 
     @Autowired
     private TokenStore tokenStore;
@@ -37,7 +29,6 @@ public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
         return new OAuth2AccessDeniedHandler();
     }
 
-
     @Override
     public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
         oauthServer.checkTokenAccess("permitAll()");
@@ -46,12 +37,13 @@ public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws
     @Override
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
         clients.inMemory()
-                .withClient(CLIENT_ID)
-                .secret(CLIENT_SECRET)
+                .withClient("client-code")
+                .resourceIds("resource-example")
+                .secret("123456")
                 .scopes("read", "write", "trust")
                 .authorizedGrantTypes("password", "authorization_code", "refresh_token")
-                .authorities("CLIENT_APP")
-                .resourceIds(RESOURCE_ID)
+                .authorities("module-users-management")
+                .redirectUris("http://localhost:8080/")
                 .autoApprove(true);
     }
 
diff --git a/src/main/java/com/maryanto/dimas/example/config/WebSecurityConfiguration.java b/src/main/java/com/maryanto/dimas/example/config/WebSecurityConfiguration.java
@@ -1,68 +1,97 @@
-package com.maryanto.dimas.example.configurations;
+package com.maryanto.dimas.example.config;
 
-import com.google.common.collect.ImmutableList;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.approval.ApprovalStore;
 import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
 import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
 import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.token.TokenStore;
 import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
 @Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(securedEnabled = true)
 @EnableGlobalAuthentication
-@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
-public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
-
+public class WebSecurityConfiguration {
 
     @Autowired
     private ClientDetailsService clientDetailsService;
 
     @Bean
-    @Override
-    public AuthenticationManager authenticationManagerBean() throws Exception {
-        return super.authenticationManagerBean();
+    public UserDetailsService userDetailsService() {
+        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
+        UserDetails user = User.withUsername("user").password("password").roles("USER").build();
+        UserDetails admin = User.withUsername("admin").password("password").roles("USER", "ADMIN").build();
+        manager.createUser(user);
+        manager.createUser(admin);
+        return manager;
     }
 
-    @Override
-    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-//        super.configure(auth);
-        auth.inMemoryAuthentication()
-                .withUser("user").password("password").roles("USER").and()
-                .withUser("admin").password("password").roles("ADMIN", "USER");
+    @Configuration
+    @Order(1)
+    public static class ApiAuthenticationServer extends WebSecurityConfigurerAdapter {
+
+        @Bean
+        @Override
+        public AuthenticationManager authenticationManagerBean() throws Exception {
+            return super.authenticationManagerBean();
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+//        super.configure(http);
+            http.cors().disable()
+                    .csrf().disable();
+            http.antMatcher("/api/**")
+                    .authorizeRequests()
+                    .antMatchers("/oauth/**", "/login").permitAll()
+                    .anyRequest().authenticated()
+                    .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+        }
+
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    @Configuration
+    public static class WebFormAuthenticationServer extends WebSecurityConfigurerAdapter {
+
+        @Bean
+        @Override
+        public AuthenticationManager authenticationManagerBean() throws Exception {
+            return super.authenticationManagerBean();
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
 //        super.configure(http);
-        http
-                .csrf().disable()
-                .cors().disable()
-                .authorizeRequests()
-                .antMatchers("/oauth/**").permitAll()
-                .anyRequest().authenticated()
-                .and().httpBasic()
-                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+            http.cors().disable()
+                    .csrf().disable();
+            http.authorizeRequests()
+                    .antMatchers("/oauth/**").permitAll()
+                    .anyRequest().authenticated()
+                    .and().formLogin().permitAll()
+                .and().httpBasic();
+        }
+
     }
 
 
@@ -99,21 +128,6 @@ public FilterRegistrationBean corsFilter() {
         return bean;
     }
 
-
-    @Bean
-    public CorsConfigurationSource corsConfigurationSource() {
-        final CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedMethods(ImmutableList.of("HEAD",
-                "GET", "POST", "PUT", "DELETE", "PATCH"));
-        configuration.setAllowedOrigins(ImmutableList.of("*"));
-        configuration.setAllowCredentials(true);
-        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
-        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
-    }
-
-
     @Bean
     public TokenStore tokenStore() {
         return new InMemoryTokenStore();
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,5 +0,0 @@
-# oauth
-oauth2.client_id=mandiri_mits
-oauth2.client_secret=123456
-oauth2.resource_id=MANDIRI_RESOURCE
-oauth2.check_token.uri=http://localhost:8080/oauth/check_token
