a143mk-Software Programming: OAuth2 Security

How to receive a JWT-based access token from the client, verify the token, and push data using the client's URL?

java 8 , JSON , JWT Token , OAuth2 Security , Rest API 1 comment :

JWT OAuth2 Integration and JSON Payload Handling in Java: JWT (JSON Web Token) is a token format used in OAuth2.

A JWT is:

Stateless
Digitally signed
Self-contained

Integrating with client APIs using APIs and JSON-based payloads involves an end-to-end process that includes making API calls with JSON payloads and pushing master/other data to REST API endpoints.

Step 1: Obtain the authentication details/Requirements from the client as shown in the example below.

############_MK_TOKEN_CLIENT_SECRET_####################

TOKEN_URL=https://a143mk-uat.client.com/api/v1/client/authentication/generate_token CLIENT_ID=AA143Mkbolgs

CLIENT_SECRET=testa143mk

####Example of Configure URL #############

CUST_URL=https://a143mk-uat.client.com/api/master/push_customer

CUST_USER_PASS_AUTH=useradmin:password //if it is required or not

Step 2: Making an API call with an Json payload and pushing master data to the location.

A REST API Controller is responsible for handling HTTP requests (such as GET, POST, PUT, DELETE) from clients and routing them to the appropriate service methods. It acts as the entry point for external clients to interact with the backend application.
Purpose: The main role of the controller is to manage incoming HTTP requests, map them to specific methods (often called endpoints), and return appropriate responses to the client.
Responsibilities: Handle HTTP requests (e.g., GET, POST, PUT, DELETE). Map the incoming requests to service methods. Return HTTP responses, often in JSON or Json format. Perform basic request validation or authentication. Act as the "interface" between the client and the service layer. In a Spring Boot application, for example, the controller is typically annotated with @RestController and the request mappings are handled using annotations like @GetMapping, @PostMapping, etc.

Example "ClientApiController.java" of a REST Controller in Spring Boot with handlined Json Payload :

package a143mk.a143mkCustMasterMaster.SystemClientcontroller;
import java.net.URL;
import java.text.Format;
import java.text.SimpleDateFormat;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import a143mk.a143mkCustMasterMaster.FromBean.APIResponseEntityBean;
import a143mk.a143mkCustMasterMaster.SystemClientServices.CustMastSysteCliService;
import org.apache.log4j.PropertyConfigurator;

@RestController
@RequestMapping("/CUST_T_API")
public class ClientApiController {
	private static final Logger logger = LoggerFactory.getLogger(CustomerMasterCoSysteCli.class);
	 @Autowired
	 private CustMastSysteCliService custMasteServ;
	
	 @RequestMapping(method = RequestMethod.POST, value="/cust") 
	 public ResponseEntity<APIResponseEntityBean> getCustMasterSysteCli() {
		 APIResponseEntityBean responseEntityBean = null;
		 Object retunResult=null;
		 try {
		 /*Log4je Config*/
	        ClassLoader loader = Thread.currentThread().getContextClassLoader();
			 URL url = loader.getResource("application.properties");
			 PropertyConfigurator.configure(url);
		     /* End Log4je Config*/
			 logger.info("Push A143mk Customer TO SysteCli  Method is getCustMasterSysteCli()"); 
			 retunResult=custMasteServ.CustMastSystemNameService();
		     responseEntityBean = new APIResponseEntityBean("SUCCESS", "Please check Log file For Success or not!", dtFormater.format(new Date()), retunResult);
		     
		 } catch (Exception e) {
		 // TODO: handle exception
		 responseEntityBean = new APIResponseEntityBean("ERROR", e.getMessage(),dtFormater.format(new Date()), retunResult);
		 logger.error(e.getMessage());
		 //e.printStackTrace();
		 }
		 return new ResponseEntity<APIResponseEntityBean>(responseEntityBean, HttpStatus.OK);

}	
}

The Service class is a part of the business logic layer of your application. It contains methods that implement the core functionality of the application (e.g., creating, reading, updating, deleting data). The service class is called by the controller to perform operations that are not directly related to the web request itself.

Purpose: The service layer acts as a mediator between the controller and the data layer (such as a repository or database). It focuses on business logic and operations.
Responsibilities: Perform the core business logic of the application. Interact with the database (via repositories or DAOs). Provide methods for the controller to use (i.e., encapsulate business operations). Handle any necessary validation or transformation before sending data back to the controller. In a Spring Boot application, service classes are typically annotated with @Service, and they are injected into the controller using @Autowired (or constructor injection).

Example "CustMastSystemNameService.java" of a Service Class in Spring Boot:

Method Internal Working ->geta143mkCustMasterFOrSYS() ->pusha143mkCustToSystemNameSystem().

package a143mk.a143mkCustMaster.SYSServices;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import a143mk.a143mkCustMaster.Entity.a143mkCustAddressMaster;
import a143mk.a143mkCustMaster.Entity.a143mkCustMaster;
import a143mk.a143mkCustMaster.Repository.a143mkCustAddressMasterRepository;
import a143mk.a143mkCustMaster.Repository.a143mkCustMasterRepository;
import a143mk.a143mkCustMaster.SYSConfig.SSLStopGetToken;
import org.springframework.http.*;
import org.springframework.web.client.RestTemplate;

@SuppressWarnings("serial")
@Service
public class CustMastSystemNameService implements Serializable {
	private static final Logger logger = LoggerFactory.getLogger(CustMastSystemNameService.class);
	@Autowired
	private a143mkCustMasterRepository customerMastRepositM1Table;
	@Autowired
	private a143mkCustAddressMasterRepository custAdderssMastRepoM2Table;
	
	public List<Map<String, Object>> geta143mkCustMasterFOrSYS() {
	    List<Map<String, Object>> pusha143mkCustSystemNameList = new ArrayList<>();
	    try {
	        logger.info("Start a143mkCust_push");
	        List<a143mkCustMaster> getMasterV = customerMastRepositM1Table.mdmCustDetailsSystemName();        
	        if (getMasterV != null) {
	            for (a143mkCustMaster getCust : getMasterV) {
	                // Use a Map instead of JSONObject
	                Map<String, Object> customerMap = new HashMap<>();
	                customerMap.put("name", getCust.geta143mkCustName());
	                customerMap.put("type", "Business");
	                customerMap.put("sub_type", "a143mkCust");
	                customerMap.put("phone", Optional.ofNullable(getCust.getPhoneNo()).map(String::trim).filter(p->p.length()>10).orElse("no"));
	                customerMap.put("email", Optional.ofNullable(getCust.getEmailId()).orElse("no"));
	                customerMap.put("code", Optional.ofNullable(getCust.getWhDepotStoreNo()).map(String::trim).filter(p->p.length()>5).orElse("no"));
	                customerMap.put("user_id", "AA143Mkbolgs"); //Pass the client_id value or pass the value according to your client.
	                pusha143mkCustSystemNameList.add(customerMap);
	                // Address logic
	                List<a143mkCustAddressMaster> cutoAddressSystemName = 
	                        custAdderssMastRepoM2Table.geta143mkCustAddressTableList(getCust.getLegacyCustNo());
	                
	                List<Map<String, Object>> pushAddressList = new ArrayList<>();
	                if (cutoAddressSystemName != null) {
	                    for (a143mkCustAddressMaster custAdde : cutoAddressSystemName) {
	                        Map<String, Object> address = new HashMap<>();
	                        address.put("address_1", custAdde.getAddress1());
				            address.put("address_2", Optional.ofNullable(custAdde.getAddress2()).orElse(""));
				            address.put("address_3", Optional.ofNullable(custAdde.getAddress3()).orElse(""));
				            address.put("city", Optional.ofNullable(custAdde.getCityName()).orElse("no"));
				            address.put("state", Optional.ofNullable(custAdde.getStateCode()).orElse(""));
				            address.put("pincode", Optional.ofNullable(custAdde.getPincode()).orElse("") );
				            address.put("state_code", custAdde.getStateCode());
				          
	                        pushAddressList.add(address);
	                    }
	                } 
	                // Add the address list to the customer map
	                customerMap.put("address_details", pushAddressList);
	              
	            }
	            ResponseEntity<String>  returnto=pusha143mkCustToSystemNameSystem(pusha143mkCustSystemNameList);
	            if(returnto!=null) {
	            	 logger.info("Success:" +returnto);
	            }else {
	            	logger.error("Error to Push customer to SystemName", returnto);
	            }
	        }
	        
	    } catch (Exception e) {
	        logger.error("Error in geta143mkCustMasterFOrSYS", e);
	    }
	    
	    return pusha143mkCustSystemNameList;
	}
	
	private  ResponseEntity<String>  pusha143mkCustToSystemNameSystem(List<Map<String, Object>> pusha143mkCustSystemNameList) {
	    RestTemplate restTemplate = new RestTemplate();

try {
	        // 1. Get token
	        String getTokenTms = new SSLStopGetToken().GetToken();
	        if (getTokenTms == null) {
	            throw new RuntimeException("Failed to get SystemName token");
	        }
             // 2. Set headers
	        HttpHeaders headers = new HttpHeaders();
	        headers.set("Authorization", "Bearer " + getTokenTms);
	   
	        // 3. Build the request entity
	        HttpEntity<List<Map<String, Object>>> request = new HttpEntity<>(pusha143mkCustSystemNameList, headers);

// 4. This is the Client Master API URL through which client master data can be sent. This is a test URL; you can modify it according to your client's requirements.
	        String url = "https://a143mk-uat.client.com/api/master/push_customer";
	        ResponseEntity<String> response = restTemplate.postForEntity(url, request, String.class);
	        // 5. Get response body
	       /* responseObject = response.getBody();
	        System.out.println("Response: " + responseObject);
	        logger.info("statuse for  in geta143mkCustMasterFOrSYS: ", responseObject);*/
	        return response;
	    } catch (Exception e) {
	        logger.error("Error pushing customer to SystemName", e);
	        return null;
	    }  
	}
}

Step 3: The authorization server issues an access token in JWT format The client sends this token in requests using Authorization: Bearer<Token>
The API validates the JWT by checking its signature, expiration, issuer, and audience See the example below for how to obtain an access token for the client: Use this for server-to-server authentication.

Method Internal Working ->geta143mkCustMasterFOrSYS() ->pusha143mkCustToSystemNameSystem().

package a143mk.MdmCustomerMaster.SYSConfig;
import javax.net.ssl.*;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.cert.X509Certificate;
import org.json.JSONObject;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
public class SSLStopGetToken {
	public String GetToken() {
		try {
            disableSSL(); 
			// Only disable the SSL certificate if it is absolutely necessary 
		   //when using this method; otherwise, do not.
		   
            String apiUrl = "https://a143mk-uat.client.com/api/v1/client/authentication/generate_token";
            URL url = new URL(apiUrl);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/json");
            conn.setRequestProperty("Accept", "application/json");
            conn.setDoOutput(true);
            String jsonInput = "{"
                    + "\"client_id\":\"AA143Mkbolgs\","
                    + "\"client_secret\":\"testa143mk\""
                    + "}";
	//The client_id and client_secret values are examples
   // please ask the client for these as they are confidential 
  //information and should be changed.
            try (OutputStream os = conn.getOutputStream()) {
                os.write(jsonInput.getBytes("UTF-8"));
            }
            BufferedReader br;
            if (conn.getResponseCode() >= 200 && conn.getResponseCode() < 300) {
                br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            } else {
                br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
            }
			
            StringBuilder response = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                response.append(line);
            }
            ObjectMapper mapper = new ObjectMapper();
            JsonNode jsonNode = mapper.readTree(response.toString());
            System.out.println(jsonNode.get("access_token").asText());
            conn.disconnect();
            return jsonNode.get("access_token").asText();
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
		}
	    
		// SSL bypass (TESTING ONLY)
	    private static void disableSSL() throws Exception {
	        TrustManager[] trustAll = new TrustManager[]{
	            new X509TrustManager() {
	                public X509Certificate[] getAcceptedIssuers() { return null; }
	                public void checkClientTrusted(X509Certificate[] c, String a) {}
	                public void checkServerTrusted(X509Certificate[] c, String a) {}
	            }
	        };
	        SSLContext sc = SSLContext.getInstance("TLS");
	        sc.init(null, trustAll, new java.security.SecureRandom());
	        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
	        HttpsURLConnection.setDefaultHostnameVerifier((h, s) -> true);
	    }
}

JWT-based access tokens are secure, stateless, and scalable, making them ideal for modern authentication and authorization systems.

Social Client Login with OAuth2 Spring Boot Application

java , Microservices , OAuth2 Security , Spring Boot 2 comments :

First of all you have to take auth2 access to the social web site, we see it in the video, then we will create a services and test it and see some services we learned in the previous post, we will give their link below which includes Eureka (client-1, client-2), ApiGetway, services.

Add client and secret Id in ApiGetway application.properties file:

spring.security.oauth2.client.registration.Oauth2_Security.client-id = Write your Client ID spring.security.oauth2.client.registration.Oauth2_Security.client-secret = Write your Secret ID

Add use Dependency in ApiGetway pom.xml file:

Add New Package in ApiGetway-> com.javatechie.spring.zulu.api.cofig and create SecurityConfiguration.java file.

package com.javatechie.spring.zulu.api.cofig;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalAuthentication
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
	
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		
		http.csrf().disable().antMatcher("/**").authorizeRequests()
         .antMatchers("/cli-api/**","/cli2-api/**").authenticated()
         .anyRequest().authenticated()
         .and()
         .oauth2Login().permitAll()
         .and()
         .logout()
         .invalidateHttpSession(true)
         .clearAuthentication(true)
         .logoutSuccessUrl("/");
		
	}
}

See the video step by step to run/learn past post video and current configuration post.

How to Develop Some Other Rest API How to Develop Eureka Server and Eureka Client Configuration How to Develop GateWayAPI How to get Google Token

OAuth2 Security with Spring Boot

java , OAuth2 Security , Spring , Spring Boot 1 comment :

Introduction
OAuth2 is a token-based security authentication and authorization framework that breaks security down into four components. These four components are

A protected resource—This is the resource (in our case, a microservice) you want to protect and ensure that only authenticated users who have the proper authorization can access
A resource owner—A resource owner defines what applications can call their service, which users are allowed to access the service, and what they can do with the service. Each application registered by the resource owner will be given an application name that identifies the application along with an application secret key. The combination of the application name and the secret key are part of the credentials that are passed when authenticating an OAuth2 token.
An application—This is the application that’s going to call the service on a behalf of a user. After all, users rarely invoke a service directly. Instead, they rely on an application to do the work for them.
OAuth2 authentication server—The OAuth2 authentication server is the intermediary between the application and the services being consumed. The OAuth2 server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.

OAuth2 is a token-based security framework. A user authenticates against the OAuth2 server by providing their credentials along with the application that they’re using to access the resource. If the user’s credentials are valid, the OAuth2 server provides a token that can be presented every time a service being used by the user’s application tries to access a protected resource (the microservice). The OAuth2 specification has four types of grants:

Password
Client credential
Authorization code
Implicit

To set up an OAuth2 authentication server, you need the following Spring Cloud dependencies in the authentication-service/pom.xml file

For Example: You have to Create Project Node Name is: "a143mk-Oauth2-Security" on STS4 Tools.

Pom.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.1.3.RELEASE</version>
		<relativePath/> 
	</parent>
	<groupId>a143mk.Controller.jpa</groupId>
	<artifactId>springsecurity</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>a143mk-Oauth2-Security</name>
	<description>Demo project for Spring Boot Oauth2 Security</description>
	<properties>
		<java.version>1.8</java.version>
		<spring-cloud.version>Greenwich.SR3</spring-cloud.version>
		
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		
		<dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-starter-oauth2</artifactId>
		</dependency>

<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>
	
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.springframework.cloud</groupId>
				<artifactId>spring-cloud-dependencies</artifactId>
				<version>${spring-cloud.version}</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

Create AuthServer.java class for use Authorization Server Configuration.

package a143mk.Security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServer extends AuthorizationServerConfigurerAdapter{

@Autowired
	AuthenticationManager authenticationManager;
	
	@Override
	public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
		clients.inMemory().withClient("abcds").secret("12345").scopes("read"). //abcd is client name/ID
		accessTokenValiditySeconds(1000)  // write the token expiry time.
		.authorizedGrantTypes("password","refresh_token");
		
		
		
	}

@SuppressWarnings("deprecation")
	@Override
	public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
		security.passwordEncoder(NoOpPasswordEncoder.getInstance());
		security.checkTokenAccess("isAuthenticated()").tokenKeyAccess("permitAll()");
		
	}

@Override
	public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
		 
		endpoints.authenticationManager(authenticationManager);
	}

}

The first thing to note in this listing is the @EnableAuthorizationServer annotation. This annotation tells Spring Cloud that this service will be used as an OAuth2 service and to add several REST-based endpoints that will be used in the OAuth2 authentication and authorization processes.

Like other pieces of the Spring Security framework, to set up users (and their roles), start by extending the WebSecurityConfigurerAdapter class and mark it with the @Configuration annotation.
As such, you need to provide the OAuth2 server a mechanism to authenticate users and return the user information about the authenticating user. This is done by defining two beans in your Spring WebSecurityConfigurerAdapter implementation: authenticationManagerBean() and userDetailsServiceBean(). These two beans are exposed by using the default authentication authenticationManagerBean() and userDetailsServiceBean() methods from the parent WebSecurityConfigurerAdapter class.
you have to Create ConfigWeb.java class.

package a143mk.Security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@SuppressWarnings("deprecation")
@Configuration
public class ConfigWeb extends WebSecurityConfigurerAdapter{

@Bean
	public UserDetailsService userdetailsservice()
	{
		InMemoryUserDetailsManager user=new InMemoryUserDetailsManager();
		user.createUser(User.withUsername("abcd")
				.password(passwordEncoder().encode("123")).roles("USER").authorities("read").build());
		return user;
	}
	
	@Bean
	public PasswordEncoder passwordEncoder()
	{
		return new BCryptPasswordEncoder();
	}

@Override
	@Bean
	public AuthenticationManager authenticationManagerBean() throws Exception {
		// TODO Auto-generated method stub
		return super.authenticationManagerBean();
	}

@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.formLogin();
		http.authorizeRequests().anyRequest().authenticated();
	}
		
}

Run As-> Spring Boot App for Output:

For step by step development working watch the video and learn yourself.

Subscribe to: Comments ( Atom )

How to receive a JWT-based access token from the client, verify the token, and push data using the client's URL?

Social Client Login with OAuth2 Spring Boot Application

OAuth2 Security with Spring Boot

Pageviews

LABELS

OUR TECH-PROJECTS

Development Accessories

DOWNLOAD ANY ONLINE VIDEOS

POPULAR POSTS