1

Im working on a spring boot 2 micro services . now im planning to secure to my rest calls using the OAUTH2 .

I found lot of articles reg that Spring 2 + OAUTH2 integration but does not match with my requirement , all of them use tables and secure calls using the roles ,

My application login works on Single Sign on using the SAML (SSO) , my requirement is to only authorize the each request . what are the best way to do that .

  1. do i really need table to store the token for the user , since login is already happened using SSO ?
  2. only thing here is to authorize request irrespective of the roles of the user .

Any suggestions or github link to match the simple requirement will be appreciated .

PremKumarR
  • 461
  • 1
  • 6
  • 19
  • are you looking for `websecurityconfigureradapter` for authorization [check here](https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security)? – Amit Naik Apr 15 '19 at 04:54
  • Thanks for the link ! .. which is better to use inmemory or the Table one ? Still confused – PremKumarR Apr 15 '19 at 05:43
  • Ever heard about Okta? You can use it. https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Github-com.html – Kunal Vohra Apr 15 '19 at 05:52
  • @KunalVohra , Not aware of that .. let me check . Thanks for the info . – PremKumarR Apr 15 '19 at 07:03

2 Answers2

0

@premKumarR

For your comments on which is better in-memory v/s JDBC. For Spring Docs,

Here's a description with some discussion of each of them

The default InMemoryTokenStore is perfectly fine for a single server (i.e. low traffic and no hot swap to a backup server in the case of failure). Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the JdbcTokenStore you need "spring-jdbc" on the classpath.

Docs Link: https://projects.spring.io/spring-security-oauth/docs/oauth2.html

Community
  • 1
  • 1
Anant Goswami
  • 318
  • 3
  • 14
0

OAuth2 has different implementations of creating Tokens for authentication. By default it creates tokens via random value and handles everything except for the persistence of the tokens which it delegates to a TokenStore. The default store is an in-memory implementation, but there are some other implementations available.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database.

The JSON Web Token (JWT) version of the store but does not persist data.

So to answer your questions

  • do i really need table to store the token for the user , since login is already happened using SSO ?

    Not necessary. As i understand you only intend to authenticate not to generate the tokens.

  • only thing here is to authorize request irrespective of the roles of the user .

    You can use WebSecurityConfigurerAdapter to vaildate incoming request. e.g. as below

    public class Configuration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception { 
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/authorization-server-1/**",
              "/login").permitAll()
            .anyRequest().authenticated();
    }
}
Amit Naik
  • 983
  • 1
  • 5
  • 16
  • Thanks for the detail . Yes implanning to use In memory approach since our application has not much traffic . may be latter if required ill move this to DB approach . Thanks – PremKumarR Apr 15 '19 at 07:04