跳至主要内容

Secures your applications with Spring Security 5 and Keycloak

Spring Security 5 brought new OAuth2/OIDC client instead of the legacy client support in the old Spring Security OAuth sub project. The new OAuth2 umbrella modules in the core project will replace the old Spring Security OAuth, Spring Social etc. In the further 5.1, OAuth2 authorization server and resource server are planned to implement, check the OAuth2 related issues on Github .
Spring Security 5 OAuth2 client has built-in supports for facebook, github, okta, Google etc, unlike Spring Social, in this new client, Spring Security 5 provides a generic solution for client registration, thus you can configure any OAuth2/OIDC providers without codes.
A new oauth2login sample is added in Spring Security source codes to demonstrate the newest OAuth2 client.
In this post, we will fork this sample, and try to start up a local keycloak server and configure it as a custom OAuth2/OIDC provider in our project.

Setup local keycloak server

To simplify the work, I prepared a docker-compose.yml file to start keycloak server in a single command.
version: '3.3' 

services:    
     
  keycloak:
    image: jboss/keycloak
    ports:
      - "8000:8080"
    environment:
      - KEYCLOAK_LOGLEVEL=DEBUG
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_USER=keycloak 
      - KEYCLOAK_PASSWORD=keycloak
    depends_on:
      - mysql
      
  mysql:
    image: mysql
    environment:
      - MYSQL_ROOT_PASSWORD=root
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
    volumes:
      - ./data/mysql:/var/lib/mysql
Start up keycloak by docker-compose command.
docker-compose up

Register client app in keycloak

When keycloak is started, open your browser and navigate to http://localhost:8000 or http://<docker-machine ip>:8000 if you are using a docker machine.
  1. Create a new schema: demo.
  2. Switch to the new demo schema in the dropdown menu.
  3. Create a client app: demoapp.
  4. Create a new user for test purpose.

Configure keycloak in our application

Generate a new project via Spring Initializr or fork the official oauth2login sample as start point.
Add a new keycloak node under the spring/security/oauth2/client node in the application.yml file.
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: demoapp
            client-secret: demoapp
            clientName: Keycloak
            authorization-grant-type: authorization_code
            redirectUriTemplate: '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:
              - openid
              - profile
              - email
        provider:
          keycloak:
            authorization-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/auth
            token-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/token
            user-info-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/userinfo
            jwk-set-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/certs
            user-name-attribute: preferred_username

For custom OAuth2 provider, you have to configure the details of the OAuth2 provider, and provides the details of client registration for OAuth client support.
Bootstrap the application by mvn spring-boot:run or run it in IDE directly, then navigate to http://localhost:8080 in your browser.
You will find a new Keycloak link added in our application login page.
  1. Click the Keycloak link, it will guide you to redirect to keycloak login page.
    keycloak
  2. Use the user/password we have created in the last step to login.
  3. if it is successful, it will return back to our application home page.
    logged
  4. Click the Display User Info link, it will show all user attributes from /userinfo endpiont exposed by keycloak.
    userinfo
Check out the source codes from my github account.

评论

Blog27999说…
此评论已被博客管理员删除。

此博客中的热门博文

Activating CDI in JSF 2.3

Activating CDI in JSF 2.3 When I upgraded my Java EE 7 sample to the newest Java EE 8, the first thing confused me is the CDI beans are not recoganized in Facelects template in a JSF 2.3 based web applicaiton, which is working in the development version, but in the final release version, they are always resolved as null. I filed an issue on Mojarra and discussed it with the developers from communities and the JSF experts.
According to the content of README, In a JSF 2.3 application, to activate CDI support, declaring a 2.3 versioned faces-config.xml and adding javax.faces.ENABLE_CDI_RESOLVER_CHAIN in web.xml is not enough, you have to declare @FacesConfig annotated class to enable CDI.
Here is the steps I created a workable JSF 2.3 applicatoin in Java EE 8.
Create a Java web application, this can be done easily by NetBeans IDE, or generated by Maven archetype, for exmaple.
$ mvn archetype:generate -DgroupId=com.example -DartifactId=demo -DarchetypeArtifactId=maven-archetype-we…

JSF 2.3:Websocket support

Websocket support One of the most attractive features is JSF 2.3 added native websocket support, it means you can write real-time applications with JSF and no need extra effort.
To enable websocket support, you have to add javax.faces.ENABLE_WEBSOCKET_ENDPOINT in web.xml.
<context-param> <param-name>javax.faces.ENABLE_WEBSOCKET_ENDPOINT</param-name> <param-value>true</param-value> </context-param> Hello Websocket Let's start with a simple example.
@ViewScoped@Named("helloBean") publicclassHelloBeanimplementsSerializable { privatestaticfinalLoggerLOG=Logger.getLogger(HelloBean.class.getName()); @Inject@PushPushContext helloChannel; String message; publicvoidsendMessage() { LOG.log(Level.INFO, "send push message"); this.sendPushMessage("hello"); } privatevoidsendPushMessage(Objectmessage) { helloChannel.send(""+ message +" at &…

Build a Reactive application with Angular 5 and Spring Boot 2.0

I have created a post to describe Reactive programming supports in Spring 5 and its subprojects, all codes of this article are updated the latest Spring 5 RELEASE, check spring-reactive-sample under my Github account.
In this post, I will create a simple blog system, including:
A user can sign in and sign out.An authenticated user can create a post.An authenticated user can update a post.Only the user who has ADMIN role can delete a post.All users(including anonymous users) can view post list and post details.An authenticated user can add his comments to a certain post. The backend will be built with the latest Spring 5 reactive stack, including:
Spring Boot 2.0, at the moment the latest version is 2.0.0.M7Spring Data MongoDB supports reactive operations for MongoDBSpring Session adds reactive support for WebSessionSpring Security 5 aligns with Spring 5 reactive stack The frontend is an Angular based SPA and it will be generated by Angular CLI.
The source code is hosted on Github, …