The latest articles on DEV Community by Jannarong Wadthong (@toojannarong). https://dev.to/toojannarong https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F101285%2F4b77bc86-1730-4711-b755-a9440adaab5a.jpg https://dev.to/toojannarong en Jannarong Wadthong Wed, 15 Apr 2020 17:48:46 +0000 https://dev.to/toojannarong/spring-security-with-jwt-the-easiest-way-2i43 https://dev.to/toojannarong/spring-security-with-jwt-the-easiest-way-2i43 <p>Since version 5.2, Spring has introduced a new library, <a href="https://github.com/spring-projects/spring-security/tree/master/oauth2/oauth2-resource-server" rel="noopener noreferrer">OAuth 2.0 Resource Sever</a>, handling JWT so that we no longer need to manually add a Filter to extract claims from JWT token and verify the token.</p> <h2> What is a Resource server? </h2> <p>Resource server provides protected resources. It communicates with its Authorization server to validate a request to access a protected resource. Typically the endpoints of a resource server are protected based on the Oauth2 scopes and user roles.<br> Please refer to <a href="https://www.oauth.com/oauth2-servers/the-resource-server/" rel="noopener noreferrer">this</a> for more details.</p> <h2> Example Token </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOlsicmVhZCJdLCJleHAiOjQ3NDA1NDczODcsImp0aSI6ImM4YWEyZjc3LTY2NjYtNDdmNy1iNTZlLTQyNGUxYzFlMThjYiIsImlhdCI6MTU4Njk0NzM4N30.PmHnPwf7M1vTPxskfzPgVvJhhJ9azLgoqTA6C4EsTSU </code></pre> </div> <p>When you decode it from <a href="https://jwt.io/" rel="noopener noreferrer">jwt.io</a>, you find that the JWT structure consists of 3 parts: Header, Payload, Signature. </p> <h3> Header </h3> <p>It usually contains two fields:</p> <ol> <li>A type of token, <strong>type</strong>, JWT</li> <li>The signing algorithm, <strong>alg</strong>, HS256</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HS256"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Payload </h3> <p>The payload contains a set of <a href="https://tools.ietf.org/html/rfc7519#section-4.1" rel="noopener noreferrer">claims</a>. e.g. <strong>iss</strong> (issuer), <strong>exp</strong> (expiration time), <strong>sub</strong> (subject) </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://my.microservice.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"subject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">4740547387</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c8aa2f77-6666-47f7-b56e-424e1c1e18cb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1586947387</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And the claim that is going be used to authorise our endpoints is <strong>scope</strong>: <strong>read</strong>.</p> <blockquote> <p>According to <a href="https://github.com/spring-projects/spring-security/blob/146d9ba0bfa97d748e0e5fbbff3c1c187a6f22ab/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java#L42" rel="noopener noreferrer">this</a>, Spring OAuth 2 Resource Server, by default, looks for the clam names: <strong>scope</strong> and <strong>scp</strong>, as they are well-known claims for authorisation. If you are going use a custom claim name, you can see the example at the end of this post.</p> </blockquote> <h1> Example Project </h1> <p>We're going to use <a href="https://start.spring.io/" rel="noopener noreferrer">Spring Initializr</a> to generate Spring Boot project from scratch.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Ftoojannarong%2Fimage%2Fupload%2Fc_scale%2Cw_896%2Fv1586692846%2Fblog%2Fspring-resource-sever%2Fspring_init.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Ftoojannarong%2Fimage%2Fupload%2Fc_scale%2Cw_896%2Fv1586692846%2Fblog%2Fspring-resource-sever%2Fspring_init.png"></a></p> <p>Here is the dependencies inside build.gradle file:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="n">plugins</span> <span class="o">{</span> <span class="n">id</span> <span class="err">'</span><span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">boot</span><span class="err">'</span> <span class="n">version</span> <span class="err">'</span><span class="mf">2.2</span><span class="o">.</span><span class="mi">6</span><span class="o">.</span><span class="na">RELEASE</span><span class="err">'</span> <span class="n">id</span> <span class="err">'</span><span class="n">io</span><span class="o">.</span><span class="na">spring</span><span class="o">.</span><span class="na">dependency</span><span class="o">-</span><span class="n">management</span><span class="err">'</span> <span class="n">version</span> <span class="err">'</span><span class="mf">1.0</span><span class="o">.</span><span class="mi">9</span><span class="o">.</span><span class="na">RELEASE</span><span class="err">'</span> <span class="n">id</span> <span class="err">'</span><span class="n">java</span><span class="err">'</span> <span class="o">}</span> <span class="n">group</span> <span class="o">=</span> <span class="err">'</span><span class="n">com</span><span class="o">.</span><span class="na">example</span><span class="err">'</span> <span class="n">version</span> <span class="o">=</span> <span class="err">'</span><span class="mf">0.0</span><span class="o">.</span><span class="mi">1</span><span class="o">-</span><span class="no">SNAPSHOT</span><span class="err">'</span> <span class="n">sourceCompatibility</span> <span class="o">=</span> <span class="err">'</span><span class="mf">1.8</span><span class="err">'</span> <span class="n">repositories</span> <span class="o">{</span> <span class="n">mavenCentral</span><span class="o">()</span> <span class="o">}</span> <span class="n">dependencies</span> <span class="o">{</span> <span class="n">implementation</span> <span class="err">'</span><span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">boot</span><span class="o">:</span><span class="n">spring</span><span class="o">-</span><span class="n">boot</span><span class="o">-</span><span class="n">starter</span><span class="o">-</span><span class="n">oauth2</span><span class="o">-</span><span class="n">resource</span><span class="o">-</span><span class="n">server</span><span class="err">'</span> <span class="n">implementation</span> <span class="err">'</span><span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">boot</span><span class="o">:</span><span class="n">spring</span><span class="o">-</span><span class="n">boot</span><span class="o">-</span><span class="n">starter</span><span class="o">-</span><span class="n">web</span><span class="err">'</span> <span class="n">testImplementation</span><span class="o">(</span><span class="err">'</span><span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">boot</span><span class="o">:</span><span class="n">spring</span><span class="o">-</span><span class="n">boot</span><span class="o">-</span><span class="n">starter</span><span class="o">-</span><span class="n">test</span><span class="err">'</span><span class="o">)</span> <span class="o">{</span> <span class="n">exclude</span> <span class="nl">group:</span> <span class="err">'</span><span class="n">org</span><span class="o">.</span><span class="na">junit</span><span class="o">.</span><span class="na">vintage</span><span class="err">'</span><span class="o">,</span> <span class="nl">module:</span> <span class="err">'</span><span class="n">junit</span><span class="o">-</span><span class="n">vintage</span><span class="o">-</span><span class="n">engine</span><span class="err">'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">test</span> <span class="o">{</span> <span class="n">useJUnitPlatform</span><span class="o">()</span> <span class="o">}</span> </code></pre> </div> <p>As you can see, we use Spring Boot version 2.2.6.RELEASE. The spring-boot-starter-oauth2-resource-server includes spring-security-oauth2-jose version 5.2.5.RELEASE containing nimbus-jose-jwt library to support JWT decoding. </p> <h1> Controller </h1> <p>We have created 2 endpoints:</p> <ol> <li>"/" endpoint - accepts HTTP GET method and expects HTTP Header with 'Authorization: Bearer (JWT Token)'</li> <li>"/message" endpoints accepts 2 HTTP methods: GET and POST</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kn">import</span> <span class="nn">org.springframework.security.core.annotation.AuthenticationPrincipal</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.jwt.Jwt</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.PostMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestBody</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Controller</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">index</span><span class="o">(</span><span class="nd">@AuthenticationPrincipal</span> <span class="nc">Jwt</span> <span class="n">jwt</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Hello, %s!"</span><span class="o">,</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getSubject</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/message"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">message</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"secret message"</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/message"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">createMessage</span><span class="o">(</span><span class="nd">@RequestBody</span> <span class="nc">String</span> <span class="n">message</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Message was created. Content: %s"</span><span class="o">,</span> <span class="n">message</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h1> Configuration </h1> <ol> <li> <p>We define the security rules to the /message endpoint. The message endpoint will check if</p> <ul> <li>the request has the authority <strong>read</strong> for GET method</li> <li>the request has the authority <strong>write</strong> for POST method</li> </ul> </li> <li><p>We also tell Spring that we are going use OAuth2 Resource Sever with JSON Web Token (JWT).</p></li> <li> <p>We disable </p> <ul> <li>Session Management – this will prevent the creation of session cookies</li> <li>HTTP Basic Authentication</li> <li>Default Spring login page</li> <li>CSRF .</li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpMethod</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer</span><span class="o">;</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OAuth2ResourceServerSecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorize</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">GET</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"SCOPE_read"</span><span class="o">)</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">POST</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"SCOPE_write"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="nl">OAuth2ResourceServerConfigurer:</span><span class="o">:</span><span class="n">jwt</span><span class="o">)</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">(</span><span class="n">sessionManagement</span> <span class="o">-&gt;</span> <span class="n">sessionManagement</span><span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">))</span> <span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <blockquote> <p>Note that this configuration file is expressed as <a href="https://en.wikipedia.org/wiki/Domain-specific_language" rel="noopener noreferrer">DSL</a>. Unlike the traditional approach with builder chaining, we can use Java 8 lamda to express the configurations.</p> </blockquote> <h1> application.yml </h1> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">https://login.domain.com/xxx/keys</span> <span class="c1"># JSON Web Key URI to use to verify the JWT token.</span> </code></pre> </div> <h1> Expected Results </h1> <p>You’ll get HTTP 403 message when you call secured endpoint with an invalid claims. For example, you sent a token with read <strong>scope</strong> but the endpoints expect <strong>write</strong> scope. </p> <p>You’ll get HTTP 401 message when the JWT authorisation fails. For example,</p> <ol> <li>the token is not recognised by the issuer.</li> <li>the token has expired.</li> <li>the token is invalid structure.</li> <li>etc.</li> </ol> <h1> Testing </h1> <p>Request message endpoint using HTTP <strong>GET</strong>. The token contains <strong>read</strong> scope</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> GET http://localhost:8080/message Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOlsicmVhZCJdLCJleHAiOjQ3NDA1NDczODcsImp0aSI6ImM4YWEyZjc3LTY2NjYtNDdmNy1iNTZlLTQyNGUxYzFlMThjYiIsImlhdCI6MTU4Njk0NzM4N30.PmHnPwf7M1vTPxskfzPgVvJhhJ9azLgoqTA6C4EsTSU </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain;charset=UTF-8 Content-Length: 33 Date: Wed, 15 Apr 2020 16:12:03 GMT secret message Response code: 200; Time: 1261ms; Content length: 337bytes </code></pre> </div> <p>Request message endpoint using HTTP <strong>POST</strong>. The token contains <strong>read</strong> scope. But it expects <strong>write</strong> scope.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> POST http://localhost:8080/message Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwic2NvcGUiOlsicmVhZCJdLCJleHAiOjQ3NDA1NDczODcsImp0aSI6ImM4YWEyZjc3LTY2NjYtNDdmNy1iNTZlLTQyNGUxYzFlMThjYiIsImlhdCI6MTU4Njk0NzM4N30.PmHnPwf7M1vTPxskfzPgVvJhhJ9azLgoqTA6C4EsTSU </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HTTP/1.1 403 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Wed, 15 Apr 2020 20:12:00 GMT { "timestamp": "2019-04-15T12:27:25.020+0000", "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/message" } Response code: 403; Time: 28ms; Content length: 125 byte </code></pre> </div> <h1> Custom claim </h1> <p>What if our JWT does not contain the well-known claims(<strong>scope</strong>, <strong>scp</strong>) for authorisation?</p> <p>We'll use claim name: <strong>roles</strong> as example. </p> <h3> Token with claim: <strong>roles</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwicm9sZXMiOlsic3R1ZGVudCJdLCJleHAiOjQ3NDA1NzAxMjMsImp0aSI6IjM3OWVhNzYxLTNlNTAtNDM2Mi04ZTEyLWQwNzIzNDZhN2JlMSIsImlhdCI6MTU4Njk3MDEyM30.qJCgYrMb17D6Y6MWKrpsaTLBmWKZXvc4wTGsZg2YGGY </code></pre> </div> <h3> Payload </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://my.microservice.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"subject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"student"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">4740570123</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"379ea761-3e50-4362-8e12-d072346a7be1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1586970123</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This section is going to illustrate on how to modify a the <a href="https://github.com/spring-projects/spring-security/blob/146d9ba0bfa97d748e0e5fbbff3c1c187a6f22ab/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java#L42" rel="noopener noreferrer">Default JWT Converter</a>.</p> <p>We'll modify our existing configuration file as follows:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kn">package</span> <span class="nn">com.example.resourcesever</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.convert.converter.Converter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpMethod</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AbstractAuthenticationToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.http.SessionCreationPolicy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.GrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.jwt.Jwt</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collection</span><span class="o">;</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OAuth2ResourceServerSecurityCustomConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">AUTHORITY_PREFIX</span> <span class="o">=</span> <span class="s">"ROLE_"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">CLAIM_ROLES</span> <span class="o">=</span> <span class="s">"roles"</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorize</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">GET</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"ROLE_student"</span><span class="o">)</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">POST</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"ROLE_admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="n">oauth2ResourceServer</span> <span class="o">-&gt;</span> <span class="n">oauth2ResourceServer</span> <span class="o">.</span><span class="na">jwt</span><span class="o">(</span><span class="n">jwt</span> <span class="o">-&gt;</span> <span class="n">jwt</span><span class="o">.</span><span class="na">jwtAuthenticationConverter</span><span class="o">(</span><span class="n">getJwtAuthenticationConverter</span><span class="o">()))</span> <span class="o">)</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">(</span><span class="n">sessionManagement</span> <span class="o">-&gt;</span> <span class="n">sessionManagement</span><span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">))</span> <span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Converter</span><span class="o">&lt;</span><span class="nc">Jwt</span><span class="o">,</span> <span class="nc">AbstractAuthenticationToken</span><span class="o">&gt;</span> <span class="nf">getJwtAuthenticationConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">JwtAuthenticationConverter</span> <span class="n">jwtAuthenticationConverter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtAuthenticationConverter</span><span class="o">();</span> <span class="n">jwtAuthenticationConverter</span><span class="o">.</span><span class="na">setJwtGrantedAuthoritiesConverter</span><span class="o">(</span><span class="n">getJwtGrantedAuthoritiesConverter</span><span class="o">());</span> <span class="k">return</span> <span class="n">jwtAuthenticationConverter</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Converter</span><span class="o">&lt;</span><span class="nc">Jwt</span><span class="o">,</span> <span class="nc">Collection</span><span class="o">&lt;</span><span class="nc">GrantedAuthority</span><span class="o">&gt;&gt;</span> <span class="nf">getJwtGrantedAuthoritiesConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">JwtGrantedAuthoritiesConverter</span> <span class="n">converter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtGrantedAuthoritiesConverter</span><span class="o">();</span> <span class="n">converter</span><span class="o">.</span><span class="na">setAuthorityPrefix</span><span class="o">(</span><span class="no">AUTHORITY_PREFIX</span><span class="o">);</span> <span class="n">converter</span><span class="o">.</span><span class="na">setAuthoritiesClaimName</span><span class="o">(</span><span class="no">CLAIM_ROLES</span><span class="o">);</span> <span class="k">return</span> <span class="n">converter</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>From above, first, we tell Spring that we want to use claim name <strong>roles</strong> instead of <strong>scope</strong> or <strong>scp</strong>. </p> <ul> <li>Only <strong>student</strong> role will pass the GET method authorisation.</li> <li>Only <strong>admin</strong> role will pass the POST method authorisation.</li> </ul> <p>Second, we want to set authority prefix with <strong>ROLE_</strong> instead of <strong>SCOPE_</strong></p> <p>We can modify it further... We can use <strong>hasRole</strong> instead of <strong>hasAuthority</strong>. </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kn">package</span> <span class="nn">com.example.resourcesever</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.convert.converter.Converter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpMethod</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.AbstractAuthenticationToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.http.SessionCreationPolicy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.GrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.jwt.Jwt</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collection</span><span class="o">;</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OAuth2ResourceServerSecurityCustomConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">AUTHORITY_PREFIX</span> <span class="o">=</span> <span class="s">"ROLE_"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">CLAIM_ROLES</span> <span class="o">=</span> <span class="s">"roles"</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">authorize</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">GET</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"student"</span><span class="o">)</span> <span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">POST</span><span class="o">,</span> <span class="s">"/messages/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"admin"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="n">oauth2ResourceServer</span> <span class="o">-&gt;</span> <span class="n">oauth2ResourceServer</span> <span class="o">.</span><span class="na">jwt</span><span class="o">(</span><span class="n">jwt</span> <span class="o">-&gt;</span> <span class="n">jwt</span><span class="o">.</span><span class="na">jwtAuthenticationConverter</span><span class="o">(</span><span class="n">getJwtAuthenticationConverter</span><span class="o">()))</span> <span class="o">)</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">(</span><span class="n">sessionManagement</span> <span class="o">-&gt;</span> <span class="n">sessionManagement</span><span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">))</span> <span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Converter</span><span class="o">&lt;</span><span class="nc">Jwt</span><span class="o">,</span> <span class="nc">AbstractAuthenticationToken</span><span class="o">&gt;</span> <span class="nf">getJwtAuthenticationConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">JwtAuthenticationConverter</span> <span class="n">jwtAuthenticationConverter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtAuthenticationConverter</span><span class="o">();</span> <span class="n">jwtAuthenticationConverter</span><span class="o">.</span><span class="na">setJwtGrantedAuthoritiesConverter</span><span class="o">(</span><span class="n">getJwtGrantedAuthoritiesConverter</span><span class="o">());</span> <span class="k">return</span> <span class="n">jwtAuthenticationConverter</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Converter</span><span class="o">&lt;</span><span class="nc">Jwt</span><span class="o">,</span> <span class="nc">Collection</span><span class="o">&lt;</span><span class="nc">GrantedAuthority</span><span class="o">&gt;&gt;</span> <span class="nf">getJwtGrantedAuthoritiesConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nc">JwtGrantedAuthoritiesConverter</span> <span class="n">converter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtGrantedAuthoritiesConverter</span><span class="o">();</span> <span class="n">converter</span><span class="o">.</span><span class="na">setAuthorityPrefix</span><span class="o">(</span><span class="no">AUTHORITY_PREFIX</span><span class="o">);</span> <span class="n">converter</span><span class="o">.</span><span class="na">setAuthoritiesClaimName</span><span class="o">(</span><span class="no">CLAIM_ROLES</span><span class="o">);</span> <span class="k">return</span> <span class="n">converter</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Notice that I provide only the role name(<strong>admin</strong>, <strong>student</strong>) without the prefix <strong>ROLE_</strong> to the hasRole() method, because the <a href="https://github.com/spring-projects/spring-security/blob/146d9ba0bfa97d748e0e5fbbff3c1c187a6f22ab/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java#L245" rel="noopener noreferrer">implementation of hasRole()</a> does not expect us to put the prefix <strong>ROLE_</strong>, it will do for us.</p> <h1> Testing with Custom claim: roles </h1> <p>Request message endpoint using HTTP <strong>GET</strong>. The token contains <strong>student</strong> role</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> GET http://localhost:8080/message Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwicm9sZXMiOlsic3R1ZGVudCJdLCJleHAiOjQ3NDA1NzAxMjMsImp0aSI6IjM3OWVhNzYxLTNlNTAtNDM2Mi04ZTEyLWQwNzIzNDZhN2JlMSIsImlhdCI6MTU4Njk3MDEyM30.qJCgYrMb17D6Y6MWKrpsaTLBmWKZXvc4wTGsZg2YGGY </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain;charset=UTF-8 Content-Length: 33 Date: Wed, 15 Apr 2020 17:11:01 GMT secret message Response code: 200; Time: 1261ms; Content length: 337bytes </code></pre> </div> <p>Request message endpoint using HTTP <strong>POST</strong>. The token contains <strong>student</strong> role. But it expects <strong>admin</strong> role.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> <p>POST <a href="http://localhost:8080/message" rel="noopener noreferrer">http://localhost:8080/message</a><br> Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbXkubWljcm9zZXJ2aWNlLmNvbS8iLCJzdWIiOiJzdWJqZWN0Iiwicm9sZXMiOlsic3R1ZGVudCJdLCJleHAiOjQ3NDA1NzAxMjMsImp0aSI6IjM3OWVhNzYxLTNlNTAtNDM2Mi04ZTEyLWQwNzIzNDZhN2JlMSIsImlhdCI6MTU4Njk3MDEyM30.qJCgYrMb17D6Y6MWKrpsaTLBmWKZXvc4wTGsZg2YGGY</p> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> <p>HTTP/1.1 403 <br> X-Content-Type-Options: nosniff<br> X-XSS-Protection: 1; mode=block<br> Cache-Control: no-cache, no-store, max-age=0, must-revalidate<br> Pragma: no-cache<br> Expires: 0<br> X-Frame-Options: DENY<br> Content-Type: application/json;charset=UTF-8<br> Transfer-Encoding: chunked<br> Date: Wed, 15 Apr 2020 22:10:05 GMT</p> <p>{<br> "timestamp": "2019-04-15T12:27:25.020+0000",<br> "status": 403,<br> "error": "Forbidden",<br> "message": "Access Denied",<br> "path": "/message"<br> }</p> <p>Response code: 403; Time: 28ms; Content length: 125 byte</p> </code></pre> </div> <h1> <br> <br> <br> Conclusion<br> </h1> <p>The OAuth 2 Resource Sever library provide us a minimal configuration. We do not need to write a filter anymore.</p> java spring security jwt