This repository is created to demonstrate how to create a Spring Security application using Spring Boot 4.0.6 (Spring Framework 7.x, Spring Security 7.x) with OAuth 2.0 and custom security Authorization rules. The main focuses of this repository include the following:
- How to secure an API with OAuth 2.0
- How to customize Roles from the JWT token
- How to add custom Roles from another source
- How to pass the Authorization down to another microservice
- How to call another microservice using client credentials
- Authorization masking with
@HandleAuthorizationDeniedand@AuthorizeReturnObject - Architectural verification with Spring Modulith
- Utilizing only Spring to accomplish each task
This project contains 3 applications, two that represent the servlet and reactive approach to creating an API and one that is a basic secured microservice that the first two services call. All modules use Spring Modulith for architectural verification.
This application is an API created using Spring Boot using a servlet approach. This application provides endpoints that provide demos including the following:
- RestClient and RestTemplate
- Method Level Security with
@PreAuthorize - Authorization Masking with
@HandleAuthorizationDeniedand@AuthorizeReturnObject - Custom Security Filters
- Integration tests using the following:
- MockMvc
- MockRestServiceServer
- MockServerRestClientCustomizer
- WithMockUser
This application is an API created using Spring Boot using a reactive approach. This application provides endpoints that provide demos including the following:
- WebClient
- Method Level Security with
@PreAuthorize - Manual Authorization Masking via
ReactiveSecurityContextHolder - Custom Security Filters
- Integration tests using the following:
- OkHttp
- WithMockUser
Note:
@AuthorizeReturnObjectand@HandleAuthorizationDeniedare not yet supported in Spring Security's reactive stack. Manual masking viaReactiveSecurityContextHolderis used as a workaround. See spring-projects/spring-security#7594 for tracking.
This application is a simple Spring Boot microservice using a reactive approach that contains one endpoint that is secured using OAuth 2.0. It demonstrates how to set it up and how to perform an integration test.
