Spring Security with DB-JWT-OAUTH

Vikram Shanbogar
2 min read · Jul 18, 2020

No matter how much Spring Boot has helped developers, its annotations hide many things a developer should know, and the many options Spring provides lead to a lot of confusion; on top of that, searching Google turns up many more approaches, all leading to confusion and frustration. Below are my notes/learnings while I tried understanding Spring Security. I finally concluded my Spring Security study for now!!

Spring Security with DB

Spring Security is a library consisting of multiple filters managed/delegated by DelegatingFilterProxy (proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface).

Just by adding the dependency to a Spring Boot app, Spring Security is enabled along with its form login.

Internally it uses AuthenticationManagerBuilder to authenticate the user.

There are multiple ways to provide an AuthenticationProvider:

  1. DaoAuthenticationConfigurer
  2. inMemoryAuthentication
  3. jdbcAuthentication
  4. ldapAuthentication, etc.

We mostly use the DaoAuthenticationConfigurer AuthenticationProvider, which needs:

  1. Datasource
  2. UserDetails
  3. UserDetailsService, which implements loadUserByUsername(String username)

We add these in a config class which extends WebSecurityConfigurerAdapter.

One important method in it is configure(HttpSecurity http). (HttpSecurity allows configuring web-based security for specific HTTP requests. By default it is applied to all requests, but it can be restricted using requestMatcher(RequestMatcher) or other similar methods.)
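The pieces listed above (datasource-backed UserDetails, a UserDetailsService with loadUserByUsername, the AuthenticationManagerBuilder wiring and configure(HttpSecurity)) put together in one config class. This is an added example, not code from the original post or its GitHub repo; it is written against Spring Security 5.x / Spring Boot 2.x as used in 2020, and the names AppUser (an entity with getUsername/getPasswordHash/getRole/isEnabled) and AppUserRepository (a Spring Data repository with Optional<AppUser> findByUsername(String)) are assumptions.

```java
// Added example (not from the original post): DB-backed Spring Security configuration.
// Assumed names: AppUser entity and AppUserRepository (Spring Data, Optional<AppUser> findByUsername).
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class DbSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AppUserRepository users; // assumed Spring Data repository over the user table

    public DbSecurityConfig(AppUserRepository users) {
        this.users = users;
    }

    /** Passwords are stored as BCrypt hashes; the same encoder verifies them at login. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** UserDetailsService: loadUserByUsername maps one row of the user table to a UserDetails. */
    @Bean
    public UserDetailsService dbUserDetailsService() {
        return username -> users.findByUsername(username)
                .map(u -> User.withUsername(u.getUsername())
                        .password(u.getPasswordHash())   // already a BCrypt hash, never plaintext
                        .roles(u.getRole())              // "ADMIN" becomes authority ROLE_ADMIN
                        .disabled(!u.isEnabled())        // DaoAuthenticationProvider enforces this flag
                        .build())
                // DaoAuthenticationProvider hides this as BadCredentialsException by default,
                // so an unknown user and a wrong password look the same to the caller
                .orElseThrow(() -> new UsernameNotFoundException("Bad credentials"));
    }

    /** AuthenticationManagerBuilder: registers a DaoAuthenticationProvider for the service above. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(dbUserDetailsService()).passwordEncoder(passwordEncoder());
    }

    /** Exposed as a bean so JWT/OAuth components can verify credentials programmatically. */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /** HttpSecurity: URL rules for the whole app; CSRF protection stays on for form login. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and().formLogin()
            .and().logout();
    }
}
```

The bean method is deliberately not named userDetailsService(), because WebSecurityConfigurerAdapter already declares a protected method of that name and overriding it by accident is a common source of confusion. The rules in configure(HttpSecurity) are evaluated top to bottom, so the permitAll and role-restricted matchers must come before anyRequest().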

Spring Security with JWT:

  • JWT integration is straightforward if you are aware of the Spring Security basics.
  • All we do is add a filter (OncePerRequestFilter, etc.)
  • Generate a token for valid credentials
  • Validate the token passed in the header
  • Add the filter in the HttpSecurity section:
  • httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
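The filter those bullets describe, as an added example (not code from the original post or its repo): it issues a token for an already-authenticated user and, on every request, validates the bearer token from the Authorization header before the UsernamePasswordAuthenticationFilter runs. It uses the jjwt library (io.jsonwebtoken, 0.11.x API); the property name app.jwt.secret, the 15-minute lifetime and the injected UserDetailsService are assumptions.

```java
// Added example (not from the original post): JWT issue/validate filter using jjwt 0.11.x.
// Assumed: property app.jwt.secret (at least 32 bytes) and a UserDetailsService bean.
package com.example.security.jwt;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Date;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtRequestFilter extends OncePerRequestFilter {

    private static final long VALIDITY_MS = 15 * 60 * 1000L; // short-lived access tokens (assumed)

    private final Key key;
    private final UserDetailsService userDetailsService;

    public JwtRequestFilter(@Value("${app.jwt.secret}") String secret,
                            UserDetailsService userDetailsService) {
        // hmacShaKeyFor refuses keys shorter than 256 bits, so a weak secret fails at startup
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.userDetailsService = userDetailsService;
    }

    /** Called by the login endpoint after the AuthenticationManager has accepted the credentials. */
    public String generateToken(UserDetails user) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(user.getUsername())
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + VALIDITY_MS))
                .signWith(key)      // HS256, chosen from the key size
                .compact();
    }

    /** Signature and expiry check; null means "do not trust this token". */
    Claims parse(String token) {
        try {
            // parseClaimsJws rejects unsigned ("alg":"none"), tampered and expired tokens
            return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            Claims claims = parse(header.substring("Bearer ".length()));
            if (claims != null) {
                try {
                    // Re-read the account so a still-valid token does not outlive deactivation
                    UserDetails user = userDetailsService.loadUserByUsername(claims.getSubject());
                    if (user.isEnabled() && user.isAccountNonLocked()) {
                        UsernamePasswordAuthenticationToken auth =
                                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException ignored) {
                    // account deleted since the token was issued: continue unauthenticated
                }
            }
        }
        // No or invalid token: continue without an Authentication; protected URLs then get 401
        chain.doFilter(request, response);
    }
}
```

Wire it exactly as the last bullet shows, with `httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)`, and in the same configure(HttpSecurity) method set `sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` so no session cookie is created alongside the token. Because the filter is a @Component, Spring Boot also registers it as a plain servlet filter outside the security chain; to run it only inside the chain, either construct it in the config class instead of annotating it, or expose a FilterRegistrationBean for it with setEnabled(false).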

Oauth:-

Implementing OAuth is also much easier in Spring Boot. It is much easier than implementing the JWT-based authentication.

The only additional part, apart from the WebSecurityConfigurerAdapter of Spring Security, is to add one more config class:

an AuthorizationServerConfigurerAdapter annotated with @EnableAuthorizationServer

Here we configure 3 methods:

  1. ClientDetailsServiceConfigurer: to fetch the client-specific details; not to be confused with UserDetailsService, which is used to fetch user details.
  2. AuthorizationServerEndpointsConfigurer: this is mainly to tell Spring what kind of token we are expecting and how to authenticate it.
  3. AuthorizationServerSecurityConfigurer: this is similar to HttpSecurity, with the only difference that its rules apply to the OAuth endpoints like /oauth/check_token.
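The three configure methods filled in, as an added example (not code from the original post or its repo). It targets the spring-security-oauth2 module the post is about (now deprecated in favour of Spring Authorization Server, but this is the API those 2020-era tutorials use). The client id, the client secret, the property app.oauth.signing-key and the scope names are constructed placeholders, and the AuthenticationManager, UserDetailsService and PasswordEncoder beans are assumed to be exposed from the WebSecurityConfigurerAdapter (the AuthenticationManager via an overridden authenticationManagerBean()).

```java
// Added example (not from the original post): authorization server config with spring-security-oauth2.
// Placeholders: client id/secret, app.oauth.signing-key, scope names. Assumed beans: AuthenticationManager,
// UserDetailsService, PasswordEncoder.
package com.example.security.oauth;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;
    private final String signingKey;

    public AuthServerConfig(AuthenticationManager authenticationManager,
                            UserDetailsService userDetailsService,
                            PasswordEncoder passwordEncoder,
                            @Value("${app.oauth.signing-key}") String signingKey) { // assumed property
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
        this.signingKey = signingKey;
    }

    /** Access tokens are JWTs signed with a shared HMAC key, so resource servers can verify them locally. */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    /** 1. Client registrations (not users). The client secret is stored encoded, like a user password. */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("web-client")                                   // constructed client id
                .secret(passwordEncoder.encode("change-me-client-secret"))  // constructed placeholder
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(15 * 60)                        // short-lived access token
                .refreshTokenValiditySeconds(24 * 60 * 60);
    }

    /** 2. Token endpoints: which token format to issue and how to authenticate the resource owner. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                .accessTokenConverter(accessTokenConverter())
                .authenticationManager(authenticationManager)   // required by the password grant
                .userDetailsService(userDetailsService);        // required by the refresh_token grant
    }

    /** 3. Access rules for the OAuth endpoints /oauth/token_key and /oauth/check_token. */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("denyAll()")               // an HMAC key must never be published
                .checkTokenAccess("isAuthenticated()");     // only authenticated clients may introspect
    }
}
```

With a symmetric signing key, the /oauth/token_key endpoint would hand out the key that signs every token, so it stays at denyAll(); it is only safe to open when the converter is configured with an RSA key pair and publishes the public half. If the secret passed to .secret() is not run through the PasswordEncoder, the token endpoint rejects every client with "Bad client credentials", which is the most common mistake with this configuration.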

The GitHub link for all 3 approaches, along with Postman collections, can be found here: SPRING SECURITY GIT LINK


Vikram Shanbogar

I am a Full Stack Developer, Mentor, and Technical Writer at Medium