In this article, we will be securing REST APIs with role based OAUTH2 implementation. To do so, we will be creating two custom roles as ADMIN and USER and we will use @secured annotation provided by spring security to secure our controller methods based on role. To some of the endpoints, we will provide access to ADMIN role and others will be accesible to user having ADMIN and USER role. All the user details, credentials and associated roles will be saved into MySQL DB and we will be using spring data to perform our DB operations. We will use spring boot to take care of our most of the configurations.

For a 3rd party authorization server such as Google, you can visit this - Spring Boot OAuth2 with Google.

We will be using Postman to perform all of our CRUD operation and test all the APIs. You can visit my another article for an angular implementation with spring security and OAUTH2. Also, we will be using JwtTokenStore to translate access tokens to and from authentications. For an InMemoryTokenStore ou can visit here - here.

Technologies Used

Maven

Spring Boot 2.1.1.RELEASE

OAUTH 2.1.0.RELEASE

MySQL

JWT

Intellij

Project Structure

Head over to start.spring.io and download a sample spring boot app. Below is the snapshot of mine.

In this article, we will not be discussing much about the basics of OAUTH2 as we have discussed alot in our previous articles. For a complete list of articles on spring security, you can visit here - Spring Security Tutorials

Authorization Server Configuration in OAUTH2

Below is the implementation of our authorization server configuration that is responsible for generating authorization tokens. We have configuration of JWT token store along with the common code of OAUTH2 protocol to configure client id, client-secret and grant types.

package com.devglan.rolebasedoauth2.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; import org.springframework.security.oauth2.provider.token.TokenStore; import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter; import org.springframework.security.oauth2.provider.token.store.JwtTokenStore; @Configuration @EnableAuthorizationServer public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { private static final String CLIEN_ID = "devglan-client" ; private static final String CLIENT_SECRET = "$2a$04$1VGGg98BkCSvSLs4RDSyUu8MrYf0jkY3dgCLAy8GHJe6QA4VAM/X2" ; private static final String GRANT_TYPE_PASSWORD = "password" ; private static final String AUTHORIZATION_CODE = "authorization_code" ; private static final String REFRESH_TOKEN = "refresh_token" ; private static final String IMPLICIT = "implicit" ; private static final String SCOPE_READ = "read" ; private static final String SCOPE_WRITE = "write" ; private static final String TRUST = "trust" ; @Autowired private AuthenticationManager authenticationManager; @Bean public JwtAccessTokenConverter accessTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); converter.setSigningKey( "as466gf" ); return converter; } @Bean public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); } @Override public void configure(ClientDetailsServiceConfigurer configurer) throws Exception { configurer .inMemory() .withClient(CLIEN_ID) .secret(CLIENT_SECRET) .authorizedGrantTypes(GRANT_TYPE_PASSWORD, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT ) .scopes(SCOPE_READ, SCOPE_WRITE, TRUST); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) { endpoints .authenticationManager(authenticationManager) .accessTokenConverter(accessTokenConverter()); } }

Resource Server Configuration

Resource in our context is the REST API which we have exposed for the crud operation. To access these resources, the client must be authenticated. We have not made any configurations here to make our endpoints secured as we will using method level security with annotation @Secured .

There is no exception handling done in resource server config. You can visit my another article for exception handling in spring security

package com.devglan.rolebasedoauth2.config; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler; @Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { private static final String RESOURCE_ID = "resource_id" ; @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID).stateless(false); } @Override public void configure(HttpSecurity http) throws Exception { http. anonymous().disable() .authorizeRequests() .antMatchers( "/admin/**" ).access( "hasRole('ADMIN')" ) .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); } }

Now, to bootstrap the authorization server and resource server configuration, we have WebSecurityConfiguration. The parameter securedEnabled = true enables support for annotation @Secured . We will be using Bcypt password encoder for password encryption.

package com.devglan.rolebasedoauth2.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import javax.annotation.Resource; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity (securedEnabled = true ) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Resource (name = "userService" ) private UserDetailsService userDetailsService; @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super .authenticationManagerBean(); } @Autowired public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService) .passwordEncoder(encoder()); } @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .anonymous().disable() .authorizeRequests() .antMatchers( "/api-docs/**" ).permitAll(); } @Bean public BCryptPasswordEncoder encoder(){ return new BCryptPasswordEncoder(); } }

Controller Implementation

Below is the controller to expose the REST APIs for CRUD operations. Any user having a role USER can access the method getUser() and rest of the APIs is only accessible to user having ADMIN role.

package com.devglan.rolebasedoauth2.controller; import com.devglan.rolebasedoauth2.dto.ApiResponse; import com.devglan.rolebasedoauth2.dto.UserDto; import com.devglan.rolebasedoauth2.service.AuthenticationFacadeService; import com.devglan.rolebasedoauth2.service.UserService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; import org.springframework.security.access.annotation.Secured; import org.springframework.web.bind.annotation.*; @RestController @RequestMapping ( "/users" ) public class UserController { private static final Logger log = LoggerFactory.getLogger(UserController.class); public static final String SUCCESS = "success" ; public static final String ROLE_ADMIN = "ROLE_ADMIN" ; public static final String ROLE_USER = "ROLE_USER" ; @Autowired private UserService userService; @Autowired private AuthenticationFacadeService authenticationFacadeService; @Secured ({ROLE_ADMIN}) @GetMapping public ApiResponse listUser(){ log.info(String.format("received request to list user %s", authenticationFacadeService.getAuthentication().getPrincipal())); return new ApiResponse(HttpStatus.OK, SUCCESS, userService.findAll()); } @Secured ({ROLE_ADMIN}) @PostMapping public ApiResponse create(@RequestBody UserDto user){ log.info(String.format("received request to create user %s", authenticationFacadeService.getAuthentication().getPrincipal())); return new ApiResponse(HttpStatus.OK, SUCCESS, userService.save(user)); } @Secured ({ROLE_ADMIN, ROLE_USER}) @GetMapping (value = "/{id}") public ApiResponse update(@PathVariable long id){ log.info(String.format("received request to update user %s", authenticationFacadeService.getAuthentication().getPrincipal())); return new ApiResponse(HttpStatus.OK, SUCCESS, userService.findOne(id)); } @Secured ({ROLE_ADMIN}) @DeleteMapping (value = "/{id}") public void delete( @PathVariable (value = "id") Long id){ log.info(String.format("received request to delete user %s", authenticationFacadeService.getAuthentication().getPrincipal())); userService.delete(id); } }

Service Implementation

The service implementation has common implementation for CRUD operation. The method loadUserByUsername() is important here which is an overriden method. This method is responsible for validating user and it's roles from DB.

package com.devglan.rolebasedoauth2.service.impl; import com.devglan.rolebasedoauth2.dao.RoleDao; import com.devglan.rolebasedoauth2.dao.UserDao; import com.devglan.rolebasedoauth2.dto.UserDto; import com.devglan.rolebasedoauth2.model.Role; import com.devglan.rolebasedoauth2.model.RoleType; import com.devglan.rolebasedoauth2.model.User; import com.devglan.rolebasedoauth2.service.UserService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; import java.util.ArrayList; import java.util.List; import java.util.Set; import java.util.stream.Collectors; @Transactional @Service (value = "userService") public class UserServiceImpl implements UserDetailsService, UserService { private static final Logger log = LoggerFactory.getLogger(UserServiceImpl.class); @Autowired private UserDao userDao; @Autowired private RoleDao roleDao; @Autowired private BCryptPasswordEncoder passwordEncoder; public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException { User user = userDao.findByUsername(userId); if (user == null ){ log.error("Invalid username or password."); throw new UsernameNotFoundException("Invalid username or password."); } Set grantedAuthorities = getAuthorities(user); return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), grantedAuthorities); } private Set getAuthorities(User user) { Set roleByUserId = user.getRoles(); final Set authorities = roleByUserId.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName().toString().toUpperCase())).collect(Collectors.toSet()); return authorities; } public List findAll() { List users = new ArrayList<>(); userDao.findAll().iterator().forEachRemaining(user -> users.add(user.toUserDto())); return users; } @Override public User findOne(long id) { return userDao.findById(id).get(); } @Override public void delete(long id) { userDao.deleteById(id); } @Override public UserDto save(UserDto userDto) { User userWithDuplicateUsername = userDao.findByUsername(userDto.getUsername()); if (userWithDuplicateUsername != null && userDto.getId() != userWithDuplicateUsername.getId()) { log.error(String.format( "Duplicate username %" , userDto.getUsername())); throw new RuntimeException("Duplicate username."); } User userWithDuplicateEmail = userDao.findByEmail(userDto.getEmail()); if (userWithDuplicateEmail != null && userDto.getId() != userWithDuplicateEmail.getId()) { log.error(String.format("Duplicate email %", userDto.getEmail())); throw new RuntimeException("Duplicate email."); } User user = new User(); user.setEmail(userDto.getEmail()); user.setFirstName(userDto.getFirstName()); user.setLastName(userDto.getLastName()); user.setUsername(userDto.getUsername()); user.setPassword(passwordEncoder.encode(userDto.getPassword())); List roleTypes = new ArrayList<>(); userDto.getRole().stream().map(role -> roleTypes.add(RoleType.valueOf(role))); user.setRoles(roleDao.find(userDto.getRole())); userDao.save(user); return userDto; } }

Now, let us define our model classes. Below is our User and Role class.

@Entity @Table (name = "Users" ) public class User { @Id @GeneratedValue (strategy= GenerationType.IDENTITY) @Column (name = "ID" ) private long id; @Column (name = "FIRST_NAME" ) private String firstName; @Column (name = "LAST_NAME" ) private String lastName; @Column (name = "USERNAME" ) private String username; @Column (name = "PASSWORD" ) private String password; @Column (name = "EMAIL" ) private String email; @ManyToMany (fetch = FetchType.EAGER) @JoinTable (name = "User_ROLES" , joinColumns = @JoinColumn (name = "USER_ID" ),inverseJoinColumns= @JoinColumn (name= "ROLE_ID" )) private Set roles;

@Entity @Table (name = "ROLES" ) public class Role { @Id @GeneratedValue (strategy= GenerationType.IDENTITY) @Column (name = "ID" ) private long id; @Enumerated (EnumType.STRING) @Column(name = "NAME" ) private RoleType name; @Column(name = "DESCRIPTION" ) private String description; @Column (name = "CREATED_ON" ) private Long createdOn; @Column (name = "MODIFIED_ON" ) private Long modifiedOn;

public class UserDto { private long id; private String firstName; private String lastName; private String username; private String password; private String email; private List role; }

public class ApiResponse { private int status; private String message; private Object result; public ApiResponse(HttpStatus status, String message, Object result){ this .status = status.value(); this .message = message; this .result = result; } }

spring.datasource.url = jdbc:mysql://localhost:3306/test spring.datasource.username = root spring.datasource.password = root spring.jpa.hibernate.ddl-auto = create-drop spring.jpa.show-sql = true spring.user.datasource.driver-class-name = com.mysql.jdbc.Driver

Below is the default script that can be executed. The username/password is admin/admin

create table roles (id bigint not null auto_increment, created_on bigint, description varchar(255), modified_on bigint, name varchar(255), primary key (id)) engine=MyISAM; create table user_roles (user_id bigint not null, role_id bigint not null, primary key (user_id, role_id)) engine=MyISAM; create table users (id bigint not null auto_increment, email varchar(255), first_name varchar(255), last_name varchar(255), password varchar(255), username varchar(255), primary key (id)) engine=MyISAM alter table user_roles add constraint FKh8ciramu9cc9q3qcqiv4ue8a6 foreign key (role_id) references roles (id); alter table user_roles add constraint FKhfh9dx7w3ubf1co1vdev94g3f foreign key (user_id) references users (id); INSERT INTO roles(description,name) values ('Admin', 'ADMIN'); INSERT INTO roles(description,name) values ('User', 'USER'); INSERT INTO users (email,first_name, last_name,password,username) values ('admin@gmail.com','admin', 'admin','$2a$04$EZzbSqieYfe/nFWfBWt2KeCdyq0UuDEM1ycFF8HzmlVR6sbsOnw7u','admin'); insert into USER_ROLES(USER_ID,ROLE_ID) values (1,1);

Testing the Application

First of all let us generate admin token.

Method : Post URL : http://localhost:8080/oauth/token Headers: Content-Type: application/x-www-form-urlencoded Body: username : admin password: admin grant_type: password

Now, let us create user. Remember, only ADMIN role has access to create user. Below is the Postman screenshot.

Now you can generate token for user using above defined POST method. Below is the screenshot.

Now we can access getUser() endpoint to fetch user with access token having USER role.

Conclusion

In this article, we discussed about role based OAUTH2 authorization with spring security. You can download the source from github - here.