Add ":servlet:spring-boot:java:oauth2:resource-server:opaque"
This commit is contained in:
parent
b15c37b72b
commit
c6feb269b5
|
@ -0,0 +1,114 @@
|
||||||
|
= OAuth 2.0 Resource Server Sample
|
||||||
|
|
||||||
|
This sample demonstrates integrating Resource Server with a mock Authorization Server, though it can be modified to integrate
|
||||||
|
with your favorite Authorization Server.
|
||||||
|
|
||||||
|
With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
|
||||||
|
secure your own service with OAuth 2.0 Opaque Bearer Tokens using Spring Security.
|
||||||
|
|
||||||
|
== 1. Running the tests
|
||||||
|
|
||||||
|
To run the tests, do:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew integrationTest
|
||||||
|
```
|
||||||
|
|
||||||
|
Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.
|
||||||
|
|
||||||
|
=== What is it doing?
|
||||||
|
|
||||||
|
By default, the tests are pointing at a mock Authorization Server instance.
|
||||||
|
|
||||||
|
The tests are configured with a set of hard-coded tokens originally obtained from the mock Authorization Server,
|
||||||
|
and each makes a query to the Resource Server with their corresponding token.
|
||||||
|
|
||||||
|
The Resource Server subsquently verifies with the Authorization Server and authorizes the request, returning the phrase
|
||||||
|
|
||||||
|
```bash
|
||||||
|
Hello, subject!
|
||||||
|
```
|
||||||
|
|
||||||
|
where "subject" is the value of the `sub` field in the JWT returned by the Authorization Server.
|
||||||
|
|
||||||
|
== 2. Running the app
|
||||||
|
|
||||||
|
To run as a stand-alone application, do:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew bootRun
|
||||||
|
```
|
||||||
|
|
||||||
|
Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.
|
||||||
|
|
||||||
|
Once it is up, you can use the following token:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export TOKEN=00ed5855-1869-47a0-b0c9-0f3ce520aee7
|
||||||
|
```
|
||||||
|
|
||||||
|
And then make this request:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080
|
||||||
|
```
|
||||||
|
|
||||||
|
Which will respond with the phrase:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
Hello, subject!
|
||||||
|
```
|
||||||
|
|
||||||
|
where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
|
||||||
|
|
||||||
|
Or this:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export TOKEN=b43d1500-c405-4dc9-b9c9-6cfd966c34c9
|
||||||
|
|
||||||
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080/message
|
||||||
|
```
|
||||||
|
|
||||||
|
Will respond with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
secret message
|
||||||
|
```
|
||||||
|
|
||||||
|
== 2. Testing against other Authorization Servers
|
||||||
|
|
||||||
|
_In order to use this sample, your Authorization Server must support Opaque Tokens and the Introspection Endpoint.
|
||||||
|
|
||||||
|
To change the sample to point at your Authorization Server, simply find this property in the `application.yml`:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
spring:
|
||||||
|
security:
|
||||||
|
oauth2:
|
||||||
|
resourceserver:
|
||||||
|
opaque:
|
||||||
|
introspection-uri: ${mockwebserver.url}/introspect
|
||||||
|
introspection-client-id: client
|
||||||
|
introspection-client-secret: secret
|
||||||
|
```
|
||||||
|
|
||||||
|
And change the property to your Authorization Server's Introspection endpoint, including its client id and secret:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
spring:
|
||||||
|
security:
|
||||||
|
oauth2:
|
||||||
|
resourceserver:
|
||||||
|
opaque:
|
||||||
|
introspection-uri: ${mockwebserver.url}/introspect
|
||||||
|
```
|
||||||
|
|
||||||
|
And then you can run the app the same as before:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew bootRun
|
||||||
|
```
|
||||||
|
|
||||||
|
Make sure to obtain valid tokens from your Authorization Server in order to play with the sample Resource Server.
|
||||||
|
To use the `/` endpoint, any valid token from your Authorization Server will do.
|
||||||
|
To use the `/message` endpoint, the token should have the `message:read` scope.
|
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
plugins {
|
||||||
|
id 'org.springframework.boot' version '2.2.6.RELEASE'
|
||||||
|
id 'io.spring.dependency-management' version '1.0.9.RELEASE'
|
||||||
|
id "nebula.integtest" version "7.0.9"
|
||||||
|
id 'java'
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
mavenCentral()
|
||||||
|
maven { url "https://repo.spring.io/snapshot" }
|
||||||
|
}
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
implementation 'com.squareup.okhttp3:mockwebserver'
|
||||||
|
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
|
||||||
|
implementation 'org.springframework.boot:spring-boot-starter-web'
|
||||||
|
implementation 'com.nimbusds:oauth2-oidc-sdk:7.4'
|
||||||
|
|
||||||
|
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||||
|
testImplementation 'org.springframework.security:spring-security-test'
|
||||||
|
}
|
||||||
|
|
||||||
|
tasks.withType(Test).configureEach {
|
||||||
|
useJUnitPlatform()
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
spring-security.version=5.4.0.BUILD-SNAPSHOT
|
BIN
servlet/spring-boot/java/oauth2/resource-server/opaque/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
BIN
servlet/spring-boot/java/oauth2/resource-server/opaque/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
distributionBase=GRADLE_USER_HOME
|
||||||
|
distributionPath=wrapper/dists
|
||||||
|
distributionUrl=https\://services.gradle.org/distributions/gradle-6.2.2-bin.zip
|
||||||
|
zipStoreBase=GRADLE_USER_HOME
|
||||||
|
zipStorePath=wrapper/dists
|
|
@ -0,0 +1,183 @@
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2015 the original author or authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
##
|
||||||
|
## Gradle start up script for UN*X
|
||||||
|
##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Attempt to set APP_HOME
|
||||||
|
# Resolve links: $0 may be a link
|
||||||
|
PRG="$0"
|
||||||
|
# Need this for relative symlinks.
|
||||||
|
while [ -h "$PRG" ] ; do
|
||||||
|
ls=`ls -ld "$PRG"`
|
||||||
|
link=`expr "$ls" : '.*-> \(.*\)$'`
|
||||||
|
if expr "$link" : '/.*' > /dev/null; then
|
||||||
|
PRG="$link"
|
||||||
|
else
|
||||||
|
PRG=`dirname "$PRG"`"/$link"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
SAVED="`pwd`"
|
||||||
|
cd "`dirname \"$PRG\"`/" >/dev/null
|
||||||
|
APP_HOME="`pwd -P`"
|
||||||
|
cd "$SAVED" >/dev/null
|
||||||
|
|
||||||
|
APP_NAME="Gradle"
|
||||||
|
APP_BASE_NAME=`basename "$0"`
|
||||||
|
|
||||||
|
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
|
||||||
|
|
||||||
|
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||||
|
MAX_FD="maximum"
|
||||||
|
|
||||||
|
warn () {
|
||||||
|
echo "$*"
|
||||||
|
}
|
||||||
|
|
||||||
|
die () {
|
||||||
|
echo
|
||||||
|
echo "$*"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# OS specific support (must be 'true' or 'false').
|
||||||
|
cygwin=false
|
||||||
|
msys=false
|
||||||
|
darwin=false
|
||||||
|
nonstop=false
|
||||||
|
case "`uname`" in
|
||||||
|
CYGWIN* )
|
||||||
|
cygwin=true
|
||||||
|
;;
|
||||||
|
Darwin* )
|
||||||
|
darwin=true
|
||||||
|
;;
|
||||||
|
MINGW* )
|
||||||
|
msys=true
|
||||||
|
;;
|
||||||
|
NONSTOP* )
|
||||||
|
nonstop=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||||
|
|
||||||
|
# Determine the Java command to use to start the JVM.
|
||||||
|
if [ -n "$JAVA_HOME" ] ; then
|
||||||
|
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
|
||||||
|
# IBM's JDK on AIX uses strange locations for the executables
|
||||||
|
JAVACMD="$JAVA_HOME/jre/sh/java"
|
||||||
|
else
|
||||||
|
JAVACMD="$JAVA_HOME/bin/java"
|
||||||
|
fi
|
||||||
|
if [ ! -x "$JAVACMD" ] ; then
|
||||||
|
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
JAVACMD="java"
|
||||||
|
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Increase the maximum file descriptors if we can.
|
||||||
|
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
|
||||||
|
MAX_FD_LIMIT=`ulimit -H -n`
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
|
||||||
|
MAX_FD="$MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
ulimit -n $MAX_FD
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
warn "Could not set maximum file descriptor limit: $MAX_FD"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Darwin, add options to specify how the application appears in the dock
|
||||||
|
if $darwin; then
|
||||||
|
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Cygwin or MSYS, switch paths to Windows format before running java
|
||||||
|
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
|
||||||
|
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
|
||||||
|
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
|
||||||
|
JAVACMD=`cygpath --unix "$JAVACMD"`
|
||||||
|
|
||||||
|
# We build the pattern for arguments to be converted via cygpath
|
||||||
|
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
|
||||||
|
SEP=""
|
||||||
|
for dir in $ROOTDIRSRAW ; do
|
||||||
|
ROOTDIRS="$ROOTDIRS$SEP$dir"
|
||||||
|
SEP="|"
|
||||||
|
done
|
||||||
|
OURCYGPATTERN="(^($ROOTDIRS))"
|
||||||
|
# Add a user-defined pattern to the cygpath arguments
|
||||||
|
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
|
||||||
|
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
|
||||||
|
fi
|
||||||
|
# Now convert the arguments - kludge to limit ourselves to /bin/sh
|
||||||
|
i=0
|
||||||
|
for arg in "$@" ; do
|
||||||
|
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
|
||||||
|
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
|
||||||
|
|
||||||
|
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
|
||||||
|
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
|
||||||
|
else
|
||||||
|
eval `echo args$i`="\"$arg\""
|
||||||
|
fi
|
||||||
|
i=`expr $i + 1`
|
||||||
|
done
|
||||||
|
case $i in
|
||||||
|
0) set -- ;;
|
||||||
|
1) set -- "$args0" ;;
|
||||||
|
2) set -- "$args0" "$args1" ;;
|
||||||
|
3) set -- "$args0" "$args1" "$args2" ;;
|
||||||
|
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
|
||||||
|
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
|
||||||
|
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
|
||||||
|
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
|
||||||
|
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
|
||||||
|
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Escape application args
|
||||||
|
save () {
|
||||||
|
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
|
||||||
|
echo " "
|
||||||
|
}
|
||||||
|
APP_ARGS=`save "$@"`
|
||||||
|
|
||||||
|
# Collect all arguments for the java command, following the shell quoting and substitution rules
|
||||||
|
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
|
||||||
|
|
||||||
|
exec "$JAVACMD" "$@"
|
|
@ -0,0 +1,103 @@
|
||||||
|
@rem
|
||||||
|
@rem Copyright 2015 the original author or authors.
|
||||||
|
@rem
|
||||||
|
@rem Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
@rem you may not use this file except in compliance with the License.
|
||||||
|
@rem You may obtain a copy of the License at
|
||||||
|
@rem
|
||||||
|
@rem https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
@rem
|
||||||
|
@rem Unless required by applicable law or agreed to in writing, software
|
||||||
|
@rem distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
@rem See the License for the specific language governing permissions and
|
||||||
|
@rem limitations under the License.
|
||||||
|
@rem
|
||||||
|
|
||||||
|
@if "%DEBUG%" == "" @echo off
|
||||||
|
@rem ##########################################################################
|
||||||
|
@rem
|
||||||
|
@rem Gradle startup script for Windows
|
||||||
|
@rem
|
||||||
|
@rem ##########################################################################
|
||||||
|
|
||||||
|
@rem Set local scope for the variables with windows NT shell
|
||||||
|
if "%OS%"=="Windows_NT" setlocal
|
||||||
|
|
||||||
|
set DIRNAME=%~dp0
|
||||||
|
if "%DIRNAME%" == "" set DIRNAME=.
|
||||||
|
set APP_BASE_NAME=%~n0
|
||||||
|
set APP_HOME=%DIRNAME%
|
||||||
|
|
||||||
|
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
|
||||||
|
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
|
||||||
|
|
||||||
|
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
|
||||||
|
|
||||||
|
@rem Find java.exe
|
||||||
|
if defined JAVA_HOME goto findJavaFromJavaHome
|
||||||
|
|
||||||
|
set JAVA_EXE=java.exe
|
||||||
|
%JAVA_EXE% -version >NUL 2>&1
|
||||||
|
if "%ERRORLEVEL%" == "0" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:findJavaFromJavaHome
|
||||||
|
set JAVA_HOME=%JAVA_HOME:"=%
|
||||||
|
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
|
||||||
|
|
||||||
|
if exist "%JAVA_EXE%" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:init
|
||||||
|
@rem Get command-line arguments, handling Windows variants
|
||||||
|
|
||||||
|
if not "%OS%" == "Windows_NT" goto win9xME_args
|
||||||
|
|
||||||
|
:win9xME_args
|
||||||
|
@rem Slurp the command line arguments.
|
||||||
|
set CMD_LINE_ARGS=
|
||||||
|
set _SKIP=2
|
||||||
|
|
||||||
|
:win9xME_args_slurp
|
||||||
|
if "x%~1" == "x" goto execute
|
||||||
|
|
||||||
|
set CMD_LINE_ARGS=%*
|
||||||
|
|
||||||
|
:execute
|
||||||
|
@rem Setup the command line
|
||||||
|
|
||||||
|
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||||
|
|
||||||
|
@rem Execute Gradle
|
||||||
|
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
|
||||||
|
|
||||||
|
:end
|
||||||
|
@rem End local scope for the variables with windows NT shell
|
||||||
|
if "%ERRORLEVEL%"=="0" goto mainEnd
|
||||||
|
|
||||||
|
:fail
|
||||||
|
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
|
||||||
|
rem the _cmd.exe /c_ return code!
|
||||||
|
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
|
||||||
|
exit /b 1
|
||||||
|
|
||||||
|
:mainEnd
|
||||||
|
if "%OS%"=="Windows_NT" endlocal
|
||||||
|
|
||||||
|
:omega
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,105 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest;
|
||||||
|
import org.springframework.http.HttpHeaders;
|
||||||
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
|
import org.springframework.test.context.ActiveProfiles;
|
||||||
|
import org.springframework.test.web.servlet.MockMvc;
|
||||||
|
import org.springframework.test.web.servlet.request.RequestPostProcessor;
|
||||||
|
|
||||||
|
import static org.hamcrest.Matchers.containsString;
|
||||||
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Integration tests for {@link OAuth2ResourceServerApplication}.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
@SpringBootTest
|
||||||
|
@AutoConfigureMockMvc
|
||||||
|
@ActiveProfiles("test")
|
||||||
|
public class OAuth2ResourceServerApplicationITests {
|
||||||
|
|
||||||
|
String noScopesToken = "00ed5855-1869-47a0-b0c9-0f3ce520aee7";
|
||||||
|
|
||||||
|
String messageReadToken = "b43d1500-c405-4dc9-b9c9-6cfd966c34c9";
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
MockMvc mvc;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void performWhenValidBearerTokenThenAllows() throws Exception {
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(get("/").with(bearerToken(this.noScopesToken)))
|
||||||
|
.andExpect(status().isOk())
|
||||||
|
.andExpect(content().string(containsString("Hello, subject!")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
// -- tests with scopes
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void performWhenValidBearerTokenThenScopedRequestsAlsoWork() throws Exception {
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(get("/message").with(bearerToken(this.messageReadToken)))
|
||||||
|
.andExpect(status().isOk())
|
||||||
|
.andExpect(content().string(containsString("secret message")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void performWhenInsufficientlyScopedBearerTokenThenDeniesScopedMethodAccess() throws Exception {
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(get("/message").with(bearerToken(this.noScopesToken)))
|
||||||
|
.andExpect(status().isForbidden())
|
||||||
|
.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE,
|
||||||
|
containsString("Bearer error=\"insufficient_scope\"")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
private static BearerTokenRequestPostProcessor bearerToken(String token) {
|
||||||
|
return new BearerTokenRequestPostProcessor(token);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class BearerTokenRequestPostProcessor implements RequestPostProcessor {
|
||||||
|
|
||||||
|
private String token;
|
||||||
|
|
||||||
|
BearerTokenRequestPostProcessor(String token) {
|
||||||
|
this.token = token;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
|
||||||
|
request.addHeader("Authorization", "Bearer " + this.token);
|
||||||
|
return request;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,33 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OAuth2 Resource Application.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
@SpringBootApplication
|
||||||
|
public class OAuth2ResourceServerApplication {
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
SpringApplication.run(OAuth2ResourceServerApplication.class, args);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,48 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||||
|
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
|
||||||
|
import org.springframework.web.bind.annotation.GetMapping;
|
||||||
|
import org.springframework.web.bind.annotation.PostMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestBody;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Controller demonstrating OAuth.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
@RestController
|
||||||
|
public class OAuth2ResourceServerController {
|
||||||
|
|
||||||
|
@GetMapping("/")
|
||||||
|
public String index(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {
|
||||||
|
return String.format("Hello, %s!", (String) principal.getAttribute("sub"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@GetMapping("/message")
|
||||||
|
public String message() {
|
||||||
|
return "secret message";
|
||||||
|
}
|
||||||
|
|
||||||
|
@PostMapping("/message")
|
||||||
|
public String createMessage(@RequestBody String message) {
|
||||||
|
return String.format("Message was created. Content: %s", message);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,59 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
|
import org.springframework.http.HttpMethod;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OAuth2 Security Configuration.
|
||||||
|
*
|
||||||
|
* @author Josh Cummings
|
||||||
|
*/
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Value("${spring.security.oauth2.resourceserver.opaque.introspection-uri}")
|
||||||
|
String introspectionUri;
|
||||||
|
|
||||||
|
@Value("${spring.security.oauth2.resourceserver.opaque.introspection-client-id}")
|
||||||
|
String clientId;
|
||||||
|
|
||||||
|
@Value("${spring.security.oauth2.resourceserver.opaque.introspection-client-secret}")
|
||||||
|
String clientSecret;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.authorizeRequests((requests) -> requests
|
||||||
|
.mvcMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
|
||||||
|
.mvcMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
)
|
||||||
|
.oauth2ResourceServer((resourceServer) -> resourceServer
|
||||||
|
.opaqueToken((opaqueToken) -> opaqueToken
|
||||||
|
.introspectionUri(this.introspectionUri)
|
||||||
|
.introspectionClientCredentials(this.clientId, this.clientSecret)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2019 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.springframework.boot.env;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.DisposableBean;
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.core.env.ConfigurableEnvironment;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add MockServerWebPropertySource to environment.
|
||||||
|
*
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
public class MockWebServerEnvironmentPostProcessor implements EnvironmentPostProcessor, DisposableBean {
|
||||||
|
|
||||||
|
private final MockWebServerPropertySource propertySource = new MockWebServerPropertySource();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
|
||||||
|
environment.getPropertySources().addFirst(this.propertySource);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void destroy() throws Exception {
|
||||||
|
this.propertySource.destroy();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,201 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2019 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.springframework.boot.env;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.Base64;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
|
import okhttp3.mockwebserver.Dispatcher;
|
||||||
|
import okhttp3.mockwebserver.MockResponse;
|
||||||
|
import okhttp3.mockwebserver.MockWebServer;
|
||||||
|
import okhttp3.mockwebserver.RecordedRequest;
|
||||||
|
import okio.Buffer;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.DisposableBean;
|
||||||
|
import org.springframework.core.env.PropertySource;
|
||||||
|
import org.springframework.http.HttpHeaders;
|
||||||
|
import org.springframework.http.MediaType;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add the resource server URL to environment.
|
||||||
|
*
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
public class MockWebServerPropertySource extends PropertySource<MockWebServer> implements DisposableBean {
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private static final MockResponse NO_SCOPES_RESPONSE = response(
|
||||||
|
"{\n" +
|
||||||
|
" \"active\": true,\n" +
|
||||||
|
" \"sub\": \"subject\"\n" +
|
||||||
|
" }",
|
||||||
|
200
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private static final MockResponse MESSASGE_READ_SCOPE_RESPONSE = response(
|
||||||
|
"{\n" +
|
||||||
|
" \"active\": true,\n" +
|
||||||
|
" \"scope\" : \"message:read\"," +
|
||||||
|
" \"sub\": \"subject\"\n" +
|
||||||
|
" }",
|
||||||
|
200
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private static final MockResponse INACTIVE_RESPONSE = response(
|
||||||
|
"{\n" +
|
||||||
|
" \"active\": false,\n" +
|
||||||
|
" }",
|
||||||
|
200
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private static final MockResponse BAD_REQUEST_RESPONSE = response(
|
||||||
|
"{ \"message\" : \"This mock authorization server requires a username and password of " +
|
||||||
|
"client/secret and a POST body of token=${token}\" }",
|
||||||
|
400
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private static final MockResponse NOT_FOUND_RESPONSE = response(
|
||||||
|
"{ \"message\" : \"This mock authorization server responds to just one request: POST /introspect.\" }",
|
||||||
|
404
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Name of the random {@link PropertySource}.
|
||||||
|
*/
|
||||||
|
public static final String MOCK_WEB_SERVER_PROPERTY_SOURCE_NAME = "mockwebserver";
|
||||||
|
|
||||||
|
private static final String NAME = "mockwebserver.url";
|
||||||
|
|
||||||
|
private static final Log logger = LogFactory.getLog(MockWebServerPropertySource.class);
|
||||||
|
|
||||||
|
private boolean started;
|
||||||
|
|
||||||
|
public MockWebServerPropertySource() {
|
||||||
|
super(MOCK_WEB_SERVER_PROPERTY_SOURCE_NAME, new MockWebServer());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getProperty(String name) {
|
||||||
|
if (!name.equals(NAME)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.trace("Looking up the url for '" + name + "'");
|
||||||
|
}
|
||||||
|
String url = getUrl();
|
||||||
|
return url;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void destroy() throws Exception {
|
||||||
|
getSource().shutdown();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get's the URL (e.g. "http://localhost:123456")
|
||||||
|
* @return the resource URL.
|
||||||
|
*/
|
||||||
|
private String getUrl() {
|
||||||
|
MockWebServer mockWebServer = getSource();
|
||||||
|
if (!this.started) {
|
||||||
|
initializeMockWebServer(mockWebServer);
|
||||||
|
}
|
||||||
|
String url = mockWebServer.url("").url().toExternalForm();
|
||||||
|
return url.substring(0, url.length() - 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void initializeMockWebServer(MockWebServer mockWebServer) {
|
||||||
|
Dispatcher dispatcher = new Dispatcher() {
|
||||||
|
@Override
|
||||||
|
public MockResponse dispatch(RecordedRequest request) {
|
||||||
|
return doDispatch(request);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
mockWebServer.setDispatcher(dispatcher);
|
||||||
|
try {
|
||||||
|
mockWebServer.start();
|
||||||
|
this.started = true;
|
||||||
|
}
|
||||||
|
catch (IOException ex) {
|
||||||
|
throw new RuntimeException("Could not start " + mockWebServer, ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private MockResponse doDispatch(RecordedRequest request) {
|
||||||
|
if ("/introspect".equals(request.getPath())) {
|
||||||
|
// @formatter:off
|
||||||
|
return Optional.ofNullable(request.getHeader(HttpHeaders.AUTHORIZATION))
|
||||||
|
.filter((authorization) -> isAuthorized(authorization, "client", "secret"))
|
||||||
|
.map((authorization) -> parseBody(request.getBody()))
|
||||||
|
.map((parameters) -> parameters.get("token"))
|
||||||
|
.map((token) -> {
|
||||||
|
if ("00ed5855-1869-47a0-b0c9-0f3ce520aee7".equals(token)) {
|
||||||
|
return NO_SCOPES_RESPONSE;
|
||||||
|
}
|
||||||
|
else if ("b43d1500-c405-4dc9-b9c9-6cfd966c34c9".equals(token)) {
|
||||||
|
return MESSASGE_READ_SCOPE_RESPONSE;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return INACTIVE_RESPONSE;
|
||||||
|
}
|
||||||
|
})
|
||||||
|
.orElse(BAD_REQUEST_RESPONSE);
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
return NOT_FOUND_RESPONSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isAuthorized(String authorization, String username, String password) {
|
||||||
|
String[] values = new String(Base64.getDecoder().decode(authorization.substring(6))).split(":");
|
||||||
|
return username.equals(values[0]) && password.equals(values[1]);
|
||||||
|
}
|
||||||
|
|
||||||
|
private Map<String, Object> parseBody(Buffer body) {
|
||||||
|
// @formatter:off
|
||||||
|
return Stream.of(body.readUtf8().split("&"))
|
||||||
|
.map((parameter) -> parameter.split("="))
|
||||||
|
.collect(Collectors.toMap((parts) -> parts[0], (parts) -> parts[1]));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
private static MockResponse response(String body, int status) {
|
||||||
|
// @formatter:off
|
||||||
|
return new MockResponse()
|
||||||
|
.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||||
|
.setResponseCode(status)
|
||||||
|
.setBody(body);
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,23 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2002-2019 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This provides integration of a {@link okhttp3.mockwebserver.MockWebServer} and the
|
||||||
|
* {@link org.springframework.core.env.Environment}.
|
||||||
|
*
|
||||||
|
* @author Rob Winch
|
||||||
|
*/
|
||||||
|
package org.springframework.boot.env;
|
|
@ -0,0 +1 @@
|
||||||
|
org.springframework.boot.env.EnvironmentPostProcessor=org.springframework.boot.env.MockWebServerEnvironmentPostProcessor
|
|
@ -0,0 +1,8 @@
|
||||||
|
spring:
|
||||||
|
security:
|
||||||
|
oauth2:
|
||||||
|
resourceserver:
|
||||||
|
opaque:
|
||||||
|
introspection-uri: ${mockwebserver.url}/introspect
|
||||||
|
introspection-client-id: client
|
||||||
|
introspection-client-secret: secret
|
|
@ -0,0 +1,104 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package example;
|
||||||
|
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
|
||||||
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
|
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
|
||||||
|
import org.springframework.test.web.servlet.MockMvc;
|
||||||
|
|
||||||
|
import static org.hamcrest.CoreMatchers.is;
|
||||||
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
|
||||||
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.opaqueToken;
|
||||||
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Josh Cummings
|
||||||
|
* @since 5.3
|
||||||
|
*/
|
||||||
|
@WebMvcTest(OAuth2ResourceServerController.class)
|
||||||
|
public class OAuth2ResourceServerControllerTests {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
MockMvc mvc;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void indexGreetsAuthenticatedUser() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor token = opaqueToken()
|
||||||
|
.attributes((a) -> a.put("sub", "ch4mpy"));
|
||||||
|
this.mvc.perform(get("/").with(token))
|
||||||
|
.andExpect(content().string(is("Hello, ch4mpy!")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void messageCanBeReadWithScopeMessageReadAuthority() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
SecurityMockMvcRequestPostProcessors.OpaqueTokenRequestPostProcessor token = opaqueToken()
|
||||||
|
.attributes((a) -> a.put("scope", "message:read"));
|
||||||
|
this.mvc.perform(get("/message").with(token))
|
||||||
|
.andExpect(content().string(is("secret message")));
|
||||||
|
|
||||||
|
this.mvc.perform(get("/message")
|
||||||
|
.with(jwt().authorities(new SimpleGrantedAuthority(("SCOPE_message:read")))))
|
||||||
|
.andExpect(content().string(is("secret message")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void messageCanNotBeReadWithoutScopeMessageReadAuthority() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(get("/message").with(opaqueToken()))
|
||||||
|
.andExpect(status().isForbidden());
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void messageCanNotBeCreatedWithoutAnyScope() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(post("/message")
|
||||||
|
.content("Hello message")
|
||||||
|
.with(opaqueToken()))
|
||||||
|
.andExpect(status().isForbidden());
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception {
|
||||||
|
this.mvc.perform(post("/message").content("Hello message")
|
||||||
|
.with(opaqueToken().authorities(new SimpleGrantedAuthority("SCOPE_message:read"))))
|
||||||
|
.andExpect(status().isForbidden());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
void messageCanBeCreatedWithScopeMessageWriteAuthority() throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(post("/message")
|
||||||
|
.content("Hello message")
|
||||||
|
.with(opaqueToken().authorities(new SimpleGrantedAuthority("SCOPE_message:write"))))
|
||||||
|
.andExpect(status().isOk())
|
||||||
|
.andExpect(content().string(is("Message was created. Content: Hello message")));
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -32,6 +32,6 @@ include ":servlet:spring-boot:java:hello-security-explicit"
|
||||||
include ":servlet:spring-boot:java:oauth2:login"
|
include ":servlet:spring-boot:java:oauth2:login"
|
||||||
include ":servlet:spring-boot:java:oauth2:resource-server:hello-security"
|
include ":servlet:spring-boot:java:oauth2:resource-server:hello-security"
|
||||||
include ":servlet:spring-boot:java:oauth2:resource-server:jwe"
|
include ":servlet:spring-boot:java:oauth2:resource-server:jwe"
|
||||||
|
include ":servlet:spring-boot:java:oauth2:resource-server:opaque"
|
||||||
include ":servlet:spring-boot:java:oauth2:webclient"
|
include ":servlet:spring-boot:java:oauth2:webclient"
|
||||||
include ":servlet:spring-boot:kotlin:hello-security"
|
include ":servlet:spring-boot:kotlin:hello-security"
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue