
spring-security-mongo's Introduction

Spring Security Mongo


A library that provides a full implementation of all the repositories and providers needed to persist all of Spring Security's OAuth2 state in MongoDB:

  • ApprovalStore
  • ClientDetailsService
  • ClientRegistrationService
  • TokenStore
  • UserDetailsManager
  • ClientTokenServices

Important

The library does not provide the configuration needed to use these services; you will have to do that yourself. I do have another library that shows how to configure all the services and get your OAuth2 server up and running:

https://github.com/caelcs/base-auth2-server

How to use it

Step 1

Add the library as a dependency to your project, then use its beans in your Spring OAuth2 configuration.

Note:

Spring Boot 2.x, the OAuth2 library and Mongo Driver 3.6 have brought a lot of changes that are not backward compatible unless you play around with dependencies, so from version 3.0.0 onwards I have updated all the dependencies to the latest versions.

  • Spring Boot 1.5.x -> use 2.0.0
  • Spring Boot 2.x.x -> use 3.0.0

Step 2

Add this annotation to your configuration class:

@Configuration
@EnableSecurityMongo
public class MongoSecurityConfiguration {

}

This annotation defines in your Spring context everything necessary to use this library.

Step 3

Create in your Mongo instance the user you will use to access the database:

db.createUser(
  {
    user: "oauth2",
    pwd: "testpass",
    roles: [ { role: "readWrite", db: "invoicer" } ]
  }
)

Step 4

Define the following properties in your app if you want to use the default Mongo client. If you want to supply your own client, DO NOT ADD these properties.

mongo.host=localhost
mongo.port=27017
mongo.database=testdb
mongo.username=testuser
mongo.password=testpassword
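The wiring the README says you must write yourself, as an added example that is not part of this project: a Spring Security OAuth2 authorization server configuration that consumes the beans `@EnableSecurityMongo` registers in Step 2. It assumes the annotation lives in `uk.co.caeldev.springsecuritymongo.config`, that an `AuthenticationManager` bean is exposed elsewhere in your web security configuration, and that the client secrets and user passwords stored in Mongo were hashed with the same `PasswordEncoder` declared here.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import uk.co.caeldev.springsecuritymongo.config.EnableSecurityMongo; // package is assumed

@Configuration
@EnableSecurityMongo        // registers the library's Mongo-backed stores (Step 2)
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    // Provided by the library; injected by interface type, so no bean names are assumed.
    @Autowired private TokenStore tokenStore;
    @Autowired private ApprovalStore approvalStore;
    @Autowired private ClientDetailsService clientDetailsService;
    @Autowired private AuthenticationManager authenticationManager; // assumed exposed by your WebSecurityConfigurerAdapter

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt embeds a per-hash salt; stored secrets must then be BCrypt hashes, so a plaintext seed such as "testpassword" will not match.
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(passwordEncoder())       // used to verify client secrets at /oauth/token
                .checkTokenAccess("isAuthenticated()");   // default is denyAll(); only authenticated clients may introspect
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);  // client registrations come from Mongo, not an in-memory list
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore)                  // access/refresh tokens persisted in Mongo
                 .approvalStore(approvalStore)            // user consent decisions persisted in Mongo
                 .authenticationManager(authenticationManager); // required for the password grant
    }
}
```

Because the beans are resolved by interface type, the class keeps working if the library renames its bean definitions, and it fails fast at startup if `@EnableSecurityMongo` did not register one of them.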

Creating users manually in Mongo DB

You can produce the JSON needed to create the users in your Mongo instance by running some of the integration tests, or just insert this JSON:

Mongo User

{
    "_id" : "testuser",
    "_class" : "uk.co.caeldev.springsecuritymongo.domain.User",
    "password" : "testpassword",
    "userUUID" : LUUID("03479d48-93cf-5e55-974f-842eb0200ca8"),
    "authorities" : [ 
        {
            "role" : "ROLE_USER",
            "_class" : "org.springframework.security.core.authority.SimpleGrantedAuthority"
        }
    ],
    "accountNonExpired" : true,
    "accountNonLocked" : true,
    "credentialsNonExpired" : true,
    "enabled" : true
}

Mongo Client Detail

{
    "_id" : "testclient",
    "_class" : "uk.co.caeldev.springsecuritymongo.domain.MongoClientDetails",
    "clientSecret" : "testclientsecret",
    "scope" : [ 
        "read"
    ],
    "resourceIds" : [ 
        "oauth2-resource"
    ],
    "authorizedGrantTypes" : [ 
        "authorization_code", 
        "implicit"
    ],
    "registeredRedirectUris" : [ 
        "http://www.google.co.uk"
    ],
    "authorities" : [ 
        {
            "role" : "ROLE_CLIENT",
            "_class" : "org.springframework.security.core.authority.SimpleGrantedAuthority"
        }
    ],
    "accessTokenValiditySeconds" : 30000.0000000000000000,
    "refreshTokenValiditySeconds" : 30000.0000000000000000,
    "additionalInformation" : {},
    "autoApproveScopes" : [ 
        ""
    ]
}


spring-security-mongo's Issues

MongoOAuth2ClientToken never used?

Hello,
I'm going over the code and it seems that MongoOAuth2ClientToken is never actually used/instantiated. Am I missing something?
Cheers!

ClientSecret

If ClientDetails are added to the MongoDB, the clientSecret (e.g. 123456) gets encoded and is stored encoded (let's say jfnk3451!) in the DB.

When you now try to get a token and send the clientSecret (123456) in the header, you get an error message:

2015-06-03 09:47:45.574 DEBUG 50776 --- [nio-8888-exec-5] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider

2015-06-03 09:47:45.579 DEBUG 50776 --- [nio-8888-exec-5] o.s.s.a.dao.DaoAuthenticationProvider : Authentication failed: password does not match stored value

But if you send the clientSecret (jfnk3451!) as it is stored in the DB, it works.

The expected behaviour would be that you are able to send the unencoded clientSecret (123456) in the header.

Hi, how use your spring-security-mongo

Hello, I need to implement OAuth2 with MongoDB, but I have not seen updated information for Spring 5 (Spring Boot 2.x), so I came across your repository. I see that it has a library, but it does not have any security point, which is why I am asking if you can help me with an example of using the library you have built.

Greetings and thanks in advance

Make MongoUserDetailsManager optional

It would be great if MongoUserDetailsManager weren't initialized as a required bean. Right now I have my own UserDetailsService implementation, and when having two of them at once Spring throws some nasty exceptions. How about using auto-configuration for that bean with the ConditionalOnMissingBean annotation? :)

MongoTemplate remove

According to the documentation, you also have to pass the class to remove something from the Mongo DB if you use the Query variant: http://docs.spring.io/spring-data/mongodb/docs/current/api/org/springframework/data/mongodb/core/MongoTemplate.html#remove-org.springframework.data.mongodb.core.query.Query-java.lang.Class-

Actual:

@Override
public boolean deleteByTokenId(final String tokenId) {
    final Query query = Query.query(Criteria.where(ID).is(tokenId));
    final WriteResult removeResult = mongoTemplate.remove(query);
    return removeResult.getN() == 1;
}

Expected:

@Override
public boolean deleteByTokenId(final String tokenId) {
    final Query query = Query.query(Criteria.where(ID).is(tokenId));
    final WriteResult removeResult = mongoTemplate.remove(query, MongoOAuth2AccessToken.class);
    return removeResult.getN() == 1;
}

Testing options

Hello,

Thank you for this library. Could you add the info related to testing?

With regards

Do not serialize OAuth2AccessToken and OAuth2RefreshToken into byte[]

Just tried it locally; it works pretty well when both are exposed in their original structure and not serialized into byte[]. It makes it possible to take a look into Mongo and see what the token values are. Just a suggestion, but it would be awesome to see tokens as text rather than as byte arrays ;)

Salting of user password

At the moment there is no support for salting a user's hashed password.

Do you think about supporting it?

oauth2 Client Example is needed

Hi Cael,

I am very new to spring security and mongo db.

I have found the base auth server example of yours.

Can you provide one example of Oauth2 client with your library?

It would be a great help. TIA

SecurityContextService defined two times?

Hi,

While starting up my local app using the EnableSecurityMongo annotation, I'm getting this error:

***************************
APPLICATION FAILED TO START
***************************

Description:

The bean 'securityContextService', defined in class path resource [uk/co/caeldev/springsecuritymongo/config/MongoConfiguration$SpringSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in URL [jar:file:/home/lukaszg/.m2/repository/uk/co/caeldev/spring-security-mongo/3.0.2/spring-security-mongo-3.0.2.jar!/uk/co/caeldev/springsecuritymongo/services/SecurityContextService.class] and overriding is disabled.

Action:

Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

I've noticed you are defining the SecurityContext service in two ways at once:

@Bean
public SecurityContextService securityContextService() {
    return new SecurityContextService();
}

and by annotating the class with the Component annotation...

Any ideas?

Thanks in advance
