How can I combine basic authorization (login + password) with authorization via other services (Google, GitHub, Facebook) using Spring Boot and Spring Security? There is a lot of information and I don't understand how to solve this problem correctly. I would be grateful for a tutorial or a link to the material.
Comment by prisar (Jun 23, 2020): Does this answer your question? Spring Boot + Oauth2 client credentials

Comment by prisar (Jun 23, 2020): This is a very trivial question. Have a look here: spring.io/guides/tutorials/spring-boot-oauth2
1 Answer
- Spring Security is implemented using a filter chain, and each responsibility is allocated to a particular type.
- For example, the diagram below shows the components involved in username/password authentication.
- But the Spring Security framework allows you to have multiple implementations for each type in the same application.
- If you want multiple authentication mechanisms, you provide a list of concrete implementations for each stage for that mechanism. For example, in your case, in the `AuthenticationFilter` stage you will have a `UsernamePasswordAuthenticationFilter` for the username/password authentication mechanism and an `OAuth2LoginAuthenticationFilter` for the OAuth2 Login mechanism. And then for `AuthenticationToken`s, you will have `UsernamePasswordAuthenticationToken` and `OAuth2LoginAuthenticationToken`. And so on for each stage.
- Now, when an HTTP request reaches the server, at each stage Spring will iterate through your list for that stage until one of them satisfies it or the list is complete. For example, if the request is coming with a `password` param (or you know it always comes from the `/login` URL), at the `AuthenticationFilter` stage `OAuth2LoginAuthenticationFilter` will satisfy it and it will create the `UsernamePasswordAuthenticationToken` and pass it to the third stage. But if the request comes with a token, it will satisfy `OAuth2LoginAuthenticationFilter` and it will create `OAuth2LoginAuthenticationToken` and pass it to the 3rd stage.
I hope this gives you a high-level picture; just implement a sample app with username and password only, put breakpoints in the source code of the Spring Security classes I mentioned and see how it iterates at each stage.
Once you are confident how these filters are chained, then try to add something like LDAP authentication as the second authentication mechanism for your app.
Once you are confident implementing these 2, then go for adding OAuth2 by following https://spring.io/guides/tutorials/spring-boot-oauth2/
Reference Diagram: https://springbootdev.com/2017/08/23/spring-security-authentication-architecture/
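The following is an added example, not code from the answer above: a single `SecurityFilterChain` that registers both the username/password filter and the OAuth2 login filter the answer describes, so a request is handled by whichever mechanism matches it. It assumes Spring Boot 3 / Spring Security 6, a `github` client registration under `spring.security.oauth2.client.registration` in `application.yml`, and the class and user names shown (`SecurityConfig`, `alice`) are invented for the demonstration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the answer): form login and OAuth2 login in one filter chain.
// Assumes Spring Boot 3 / Spring Security 6 and a client registration such as
// spring.security.oauth2.client.registration.github.client-id / client-secret in application.yml.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Registers UsernamePasswordAuthenticationFilter: handles POST /login with username+password.
            .formLogin(form -> form.permitAll())
            // Registers OAuth2LoginAuthenticationFilter: handles the /login/oauth2/code/{registrationId}
            // callback after the redirect started at /oauth2/authorization/{registrationId}.
            .oauth2Login(oauth -> oauth.permitAll());
        // Without a custom loginPage(), the default /login page shows both the
        // username/password form and one link per registered OAuth2 provider.
        return http.build();
    }

    // Local accounts for the form login; the in-memory store is for demonstration only.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails alice = User.builder().username("alice")
            .password(encoder.encode("change-me")) // stored hashed, never in plaintext
            .roles("USER").build();
        return new InMemoryUserDetailsManager(alice);
    }

    // DelegatingPasswordEncoder defaults to bcrypt and prefixes hashes with {bcrypt}.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

Keep the OAuth2 client secret in an environment variable or a secrets store rather than in the checked-in `application.yml`; a request to `/login` with a password then goes through the form-login filter, while the provider callback goes through the OAuth2 filter, each producing its own `Authentication` token as the answer describes.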
