Let's continue adding security features to the basic application we have built. So far we have relied on the built-in defaults of Spring Security, where the default username is "user" and the password is generated at startup.
So let's start configuring.
1. We will create a class "SecurityConfig" and put it inside the "config" package.
2. Annotate it with @Configuration and @EnableWebSecurity:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
3. Create a new bean of type "SecurityFilterChain" that takes "HttpSecurity" as a parameter.
Below is the sample:
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.build();
    }
So far, the full code of the "SecurityConfig" class looks like the following.
Note: the bean method must declare "throws Exception", because HttpSecurity.build() throws it.
package com.example.danwega.outh2.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.build();
    }
}
4. Now let's start adding security features, i.e. configure the Spring Security environment. We will start by modifying the "SecurityFilterChain" bean we created.
Let's authorize HTTP requests:
- we use authorizeHttpRequests
- inside it we use request matchers via requestMatchers
- the home page is open to anybody -> auth.requestMatchers("/").permitAll()
- every other request requires authentication --> auth.anyRequest().authenticated()
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/").permitAll();   // home page is public
                    auth.anyRequest().authenticated();       // everything else needs a logged-in user
                })
                .build();
    }
5. Now, how are you going to log in? For now, let's enable formLogin with its defaults. This needs the import org.springframework.security.config.Customizer;
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/").permitAll();
                    auth.anyRequest().authenticated();
                })
                .formLogin(Customizer.withDefaults())   // default login page and form handling
                .build();
    }
Let's change the code to use a static import for "withDefaults":
    import static org.springframework.security.config.Customizer.withDefaults;

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/").permitAll();
                    auth.anyRequest().authenticated();
                })
                .formLogin(withDefaults())
                .build();
    }
Now the user has to log in with a username and password.
6. Rather than providing only a formLogin, we need to provide an OAuth2 login as well, since we are using OAuth2.
We add oauth2Login with defaults for now:
.oauth2Login(withDefaults())
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/").permitAll();
                    auth.anyRequest().authenticated();
                })
                .oauth2Login(withDefaults())   // login via a configured OAuth2 provider
                .formLogin(withDefaults())     // username/password form login stays available
                .build();
    }
That's it for now.
7. Configure properties to declare which OAuth2 clients and providers we use.
Let's raise the log level so we can see what happens inside Spring Security while the code runs:
logging:
  level:
    org:
      springframework:
        security: TRACE
Here we will configure GitHub and Google.
Let's first try with GitHub.
GitHub
Click your profile icon in the top right corner --> go to "Settings" --> go to "Developer settings" at the bottom of the left side menu --> select "OAuth2 app" in the left panel.
8. Let's register a new application. Fill in your own details as needed; below is a sample set:
Application name: Spring Security OAuth2 client
Homepage URL: localhost:8210
Application description: optional for now
Authorization callback URL: localhost:8210/login/oauth2/code/github
The callback URL is set according to the Spring Security documentation; for Google the final path segment is "google" instead of "github":
localhost:8210/login/oauth2/code/google
Click "Register application" to finish the process. This takes you to a page that shows the "client secret" and some other information.
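The client registration that step 7 refers to, shown here as an added example that is not from the original post: an application.yml wiring the GitHub and Google registrations to the callback URLs registered above. GitHub and Google are built-in providers in Spring Security (CommonOAuth2Provider), so no provider endpoints need to be declared; the environment variable names are placeholders of my choosing, chosen so the client secret never lands in source control.

```yaml
server:
  port: 8210                                  # matches the homepage and callback URLs registered at GitHub

spring:
  security:
    oauth2:
      client:
        registration:
          github:
            client-id: ${GITHUB_CLIENT_ID}          # placeholder: read from the environment at startup
            client-secret: ${GITHUB_CLIENT_SECRET}  # placeholder: keep the secret out of the repository
            # redirect-uri is left at the default {baseUrl}/login/oauth2/code/{registrationId},
            # which resolves to localhost:8210/login/oauth2/code/github for this registration
          google:
            client-id: ${GOOGLE_CLIENT_ID}          # placeholder
            client-secret: ${GOOGLE_CLIENT_SECRET}  # placeholder
            # same default redirect-uri, resolving to localhost:8210/login/oauth2/code/google

logging:
  level:
    org:
      springframework:
        security: TRACE                     # development only: TRACE logs include request details
```

Start the application with the four variables exported in the shell; if a value is missing, Spring Boot fails at startup with an unresolved placeholder error rather than silently registering a client without credentials.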
9.