tessl/maven-org-springframework-security--spring-security-config
Spring Security configuration module providing comprehensive declarative security configuration capabilities for Spring applications
—
Pending
oauth2-configuration.mddocs/
OAuth2 and SAML2 Configuration
Spring Security Config provides comprehensive support for modern authentication protocols including OAuth2, OpenID Connect (OIDC), and SAML2. These configurers enable integration with external identity providers and secure API access patterns.
OAuth2 Client Configuration
OAuth2LoginConfigurer
Configuration for OAuth2/OpenID Connect authentication flows.
public final class OAuth2LoginConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractAuthenticationFilterConfigurer<H, OAuth2LoginConfigurer<H>, OAuth2LoginAuthenticationFilter> {
// Client Registration and Repository
public OAuth2LoginConfigurer<H> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository);
public OAuth2LoginConfigurer<H> authorizedClientRepository(OAuth2AuthorizedClientRepository authorizedClientRepository);
public OAuth2LoginConfigurer<H> authorizedClientService(OAuth2AuthorizedClientService authorizedClientService);
// Login Page Configuration
public OAuth2LoginConfigurer<H> loginPage(String loginPage);
public OAuth2LoginConfigurer<H> loginProcessingUrl(String loginProcessingUrl);
// Authorization Endpoint Configuration
public OAuth2LoginConfigurer<H> authorizationEndpoint(Customizer<AuthorizationEndpointConfig> authorizationEndpointCustomizer);
// Redirection Endpoint Configuration
public OAuth2LoginConfigurer<H> redirectionEndpoint(Customizer<RedirectionEndpointConfig> redirectionEndpointCustomizer);
// Token Endpoint Configuration
public OAuth2LoginConfigurer<H> tokenEndpoint(Customizer<TokenEndpointConfig> tokenEndpointCustomizer);
// User Info Endpoint Configuration
public OAuth2LoginConfigurer<H> userInfoEndpoint(Customizer<UserInfoEndpointConfig> userInfoEndpointCustomizer);
// OIDC Logout Configuration
public OAuth2LoginConfigurer<H> oidcLogout(Customizer<OidcLogoutConfigurer<H>> oidcLogoutCustomizer);
// Nested Configuration Classes
public final class AuthorizationEndpointConfig {
public AuthorizationEndpointConfig baseUri(String baseUri);
public AuthorizationEndpointConfig authorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository);
public AuthorizationEndpointConfig authorizationRequestResolver(OAuth2AuthorizationRequestResolver authorizationRequestResolver);
}
public final class RedirectionEndpointConfig {
public RedirectionEndpointConfig baseUri(String baseUri);
}
public final class TokenEndpointConfig {
public TokenEndpointConfig accessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient);
}
public final class UserInfoEndpointConfig {
public UserInfoEndpointConfig userAuthoritiesMapper(GrantedAuthoritiesMapper userAuthoritiesMapper);
public UserInfoEndpointConfig userService(OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService);
public UserInfoEndpointConfig oidcUserService(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService);
public UserInfoEndpointConfig customUserType(Class<? extends OAuth2User> customUserType, String clientRegistrationId);
}
}Usage Example:
http.oauth2Login(oauth2 -> oauth2
.clientRegistrationRepository(clientRegistrationRepository())
.authorizedClientService(authorizedClientService())
.loginPage("/oauth2/authorization")
.authorizationEndpoint(authorization -> authorization
.baseUri("/oauth2/authorize")
.authorizationRequestRepository(cookieAuthorizationRequestRepository())
.authorizationRequestResolver(customAuthorizationRequestResolver())
)
.redirectionEndpoint(redirection -> redirection
.baseUri("/oauth2/callback/*")
)
.tokenEndpoint(token -> token
.accessTokenResponseClient(customAccessTokenResponseClient())
)
.userInfoEndpoint(userInfo -> userInfo
.userService(customOAuth2UserService())
.oidcUserService(customOidcUserService())
.userAuthoritiesMapper(customGrantedAuthoritiesMapper())
)
.successHandler(oauth2AuthenticationSuccessHandler())
.failureHandler(oauth2AuthenticationFailureHandler())
);OAuth2ClientConfigurer
Configuration for OAuth2 client functionality and authorized client management.
public final class OAuth2ClientConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<OAuth2ClientConfigurer<H>, H> {
// Client Registration Repository
public OAuth2ClientConfigurer<H> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository);
// Authorized Client Repository
public OAuth2ClientConfigurer<H> authorizedClientRepository(OAuth2AuthorizedClientRepository authorizedClientRepository);
// Authorized Client Service
public OAuth2ClientConfigurer<H> authorizedClientService(OAuth2AuthorizedClientService authorizedClientService);
// Authorization Code Grant Configuration
public OAuth2ClientConfigurer<H> authorizationCodeGrant(Customizer<AuthorizationCodeGrantConfig> authorizationCodeGrantCustomizer);
// Client Credentials Grant Configuration
public OAuth2ClientConfigurer<H> clientCredentialsGrant(Customizer<ClientCredentialsGrantConfig> clientCredentialsGrantCustomizer);
// Password Grant Configuration
public OAuth2ClientConfigurer<H> passwordGrant(Customizer<PasswordGrantConfig> passwordGrantCustomizer);
// Nested Configuration Classes
public final class AuthorizationCodeGrantConfig {
public AuthorizationCodeGrantConfig accessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient);
}
public final class ClientCredentialsGrantConfig {
public ClientCredentialsGrantConfig accessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient);
}
public final class PasswordGrantConfig {
public PasswordGrantConfig accessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient);
}
}Usage Example:
http.oauth2Client(oauth2Client -> oauth2Client
.clientRegistrationRepository(clientRegistrationRepository())
.authorizedClientRepository(authorizedClientRepository())
.authorizationCodeGrant(authorizationCode -> authorizationCode
.accessTokenResponseClient(customAuthorizationCodeTokenResponseClient())
)
.clientCredentialsGrant(clientCredentials -> clientCredentials
.accessTokenResponseClient(customClientCredentialsTokenResponseClient())
)
);OidcLogoutConfigurer
Configuration for OpenID Connect logout functionality.
public final class OidcLogoutConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<OidcLogoutConfigurer<H>, H> {
// Backchannel Logout Configuration
public OidcLogoutConfigurer<H> backChannel(Customizer<BackChannelLogoutConfig> backChannelCustomizer);
// RP-Initiated Logout Configuration
public OidcLogoutConfigurer<H> rpInitiatedLogout(Customizer<RpInitiatedLogoutConfig> rpInitiatedLogoutCustomizer);
// Nested Configuration Classes
public final class BackChannelLogoutConfig {
public BackChannelLogoutConfig logoutUri(String logoutUri);
}
public final class RpInitiatedLogoutConfig {
public RpInitiatedLogoutConfig logoutUri(String logoutUri);
public RpInitiatedLogoutConfig postLogoutRedirectUri(String postLogoutRedirectUri);
}
}Usage Example:
http.oidcLogout(oidcLogout -> oidcLogout
.backChannel(backChannel -> backChannel
.logoutUri("/logout/connect/back-channel")
)
.rpInitiatedLogout(rpInitiated -> rpInitiated
.logoutUri("/logout/connect/rp-initiated")
.postLogoutRedirectUri("/")
)
);OAuth2 Resource Server Configuration
OAuth2ResourceServerConfigurer
Configuration for OAuth2 resource server functionality with JWT and opaque token support.
public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>, H> {
// JWT Configuration
public OAuth2ResourceServerConfigurer<H> jwt(Customizer<JwtConfigurer> jwtCustomizer);
// Opaque Token Configuration
public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OpaqueTokenConfigurer> opaqueTokenCustomizer);
// Bearer Token Resolution
public OAuth2ResourceServerConfigurer<H> bearerTokenResolver(BearerTokenResolver bearerTokenResolver);
// Authentication Entry Point
public OAuth2ResourceServerConfigurer<H> authenticationEntryPoint(AuthenticationEntryPoint entryPoint);
// Access Denied Handler
public OAuth2ResourceServerConfigurer<H> accessDeniedHandler(AccessDeniedHandler accessDeniedHandler);
// Authentication Manager Resolver
public OAuth2ResourceServerConfigurer<H> authenticationManagerResolver(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver);
// Nested Configuration Classes
public final class JwtConfigurer {
public JwtConfigurer decoder(ReactiveJwtDecoder jwtDecoder);
public JwtConfigurer jwkSetUri(String jwkSetUri);
public JwtConfigurer jwtAuthenticationConverter(Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter);
public JwtConfigurer authenticationManager(AuthenticationManager authenticationManager);
}
public final class OpaqueTokenConfigurer {
public OpaqueTokenConfigurer introspectionUri(String introspectionUri);
public OpaqueTokenConfigurer introspectionClientCredentials(String clientId, String clientSecret);
public OpaqueTokenConfigurer introspector(OpaqueTokenIntrospector introspector);
public OpaqueTokenConfigurer authenticationConverter(Converter<String, ? extends AbstractAuthenticationToken> authenticationConverter);
public OpaqueTokenConfigurer authenticationManager(AuthenticationManager authenticationManager);
}
}Usage Example:
http.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwkSetUri("https://example.com/.well-known/jwks.json")
.jwtAuthenticationConverter(customJwtAuthenticationConverter())
.decoder(customJwtDecoder())
)
.bearerTokenResolver(customBearerTokenResolver())
.authenticationEntryPoint(customAuthenticationEntryPoint())
.accessDeniedHandler(customAccessDeniedHandler())
);
// Alternative: Opaque Token Configuration
http.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaque -> opaque
.introspectionUri("https://example.com/oauth2/introspect")
.introspectionClientCredentials("client-id", "client-secret")
.authenticationConverter(customOpaqueTokenAuthenticationConverter())
)
);Common OAuth2 Provider Support
CommonOAuth2Provider
Enum providing pre-configured OAuth2 provider settings for popular identity providers.
public enum CommonOAuth2Provider {
GOOGLE {
@Override
public ClientRegistration.Builder getBuilder(String registrationId) {
ClientRegistration.Builder builder = getBuilder(registrationId,
ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
builder.scope("openid", "profile", "email");
builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs");
builder.issuerUri("https://accounts.google.com");
builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
builder.userNameAttributeName(IdTokenClaimNames.SUB);
builder.clientName("Google");
return builder;
}
},
GITHUB {
@Override
public ClientRegistration.Builder getBuilder(String registrationId) {
ClientRegistration.Builder builder = getBuilder(registrationId,
ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
builder.scope("read:user");
builder.authorizationUri("https://github.com/login/oauth/authorize");
builder.tokenUri("https://github.com/login/oauth/access_token");
builder.userInfoUri("https://api.github.com/user");
builder.userNameAttributeName("id");
builder.clientName("GitHub");
return builder;
}
},
FACEBOOK {
@Override
public ClientRegistration.Builder getBuilder(String registrationId) {
ClientRegistration.Builder builder = getBuilder(registrationId,
ClientAuthenticationMethod.CLIENT_SECRET_POST, DEFAULT_REDIRECT_URL);
builder.scope("public_profile", "email");
builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth");
builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token");
builder.userInfoUri("https://graph.facebook.com/me?fields=id,name,email");
builder.userNameAttributeName("id");
builder.clientName("Facebook");
return builder;
}
},
OKTA {
@Override
public ClientRegistration.Builder getBuilder(String registrationId) {
ClientRegistration.Builder builder = getBuilder(registrationId,
ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
builder.scope("openid", "profile", "email");
builder.userNameAttributeName(IdTokenClaimNames.SUB);
builder.clientName("Okta");
return builder;
}
};
private static final String DEFAULT_REDIRECT_URL = "{baseUrl}/{action}/oauth2/code/{registrationId}";
/**
* Create a pre-configured ClientRegistration.Builder for the provider.
* @param registrationId the registration identifier
* @return the ClientRegistration.Builder for the provider
*/
public abstract ClientRegistration.Builder getBuilder(String registrationId);
protected final ClientRegistration.Builder getBuilder(String registrationId,
ClientAuthenticationMethod method, String redirectUri) {
ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
builder.clientAuthenticationMethod(method);
builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
builder.redirectUri(redirectUri);
return builder;
}
}Usage Example:
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(
CommonOAuth2Provider.GOOGLE.getBuilder("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.build(),
CommonOAuth2Provider.GITHUB.getBuilder("github")
.clientId("github-client-id")
.clientSecret("github-client-secret")
.build()
);
}SAML2 Configuration
Saml2LoginConfigurer
Configuration for SAML2 authentication flows.
public final class Saml2LoginConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractAuthenticationFilterConfigurer<H, Saml2LoginConfigurer<H>, Saml2WebSsoAuthenticationFilter> {
// Relying Party Registration Repository
public Saml2LoginConfigurer<H> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository);
// Login Processing URL
public Saml2LoginConfigurer<H> loginProcessingUrl(String loginProcessingUrl);
// Authentication Manager
public Saml2LoginConfigurer<H> authenticationManager(AuthenticationManager authenticationManager);
// Authentication Request Context Resolver
public Saml2LoginConfigurer<H> authenticationRequestContextResolver(Saml2AuthenticationRequestContextResolver authenticationRequestContextResolver);
// Authentication Converters
public Saml2LoginConfigurer<H> authenticationConverter(AuthenticationConverter authenticationConverter);
}Usage Example:
http.saml2Login(saml2 -> saml2
.relyingPartyRegistrationRepository(relyingPartyRegistrations())
.loginProcessingUrl("/login/saml2/sso/{registrationId}")
.successHandler(saml2AuthenticationSuccessHandler())
.failureHandler(saml2AuthenticationFailureHandler())
);Saml2LogoutConfigurer
Configuration for SAML2 logout functionality.
public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<Saml2LogoutConfigurer<H>, H> {
// Relying Party Registration Repository
public Saml2LogoutConfigurer<H> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository);
// Logout Request and Response Handlers
public Saml2LogoutConfigurer<H> logoutRequest(Customizer<LogoutRequestConfig> logoutRequestCustomizer);
public Saml2LogoutConfigurer<H> logoutResponse(Customizer<LogoutResponseConfig> logoutResponseCustomizer);
// Nested Configuration Classes
public final class LogoutRequestConfig {
public LogoutRequestConfig logoutRequestResolver(Saml2LogoutRequestResolver logoutRequestResolver);
public LogoutRequestConfig logoutRequestSuccessHandler(Saml2LogoutRequestSuccessHandler logoutRequestSuccessHandler);
}
public final class LogoutResponseConfig {
public LogoutResponseConfig logoutResponseResolver(Saml2LogoutResponseResolver logoutResponseResolver);
public LogoutResponseConfig logoutResponseSuccessHandler(Saml2LogoutResponseSuccessHandler logoutResponseSuccessHandler);
}
}Usage Example:
http.saml2Logout(saml2Logout -> saml2Logout
.relyingPartyRegistrationRepository(relyingPartyRegistrations())
.logoutRequest(logoutRequest -> logoutRequest
.logoutRequestResolver(customSaml2LogoutRequestResolver())
.logoutRequestSuccessHandler(customLogoutRequestSuccessHandler())
)
.logoutResponse(logoutResponse -> logoutResponse
.logoutResponseResolver(customSaml2LogoutResponseResolver())
.logoutResponseSuccessHandler(customLogoutResponseSuccessHandler())
)
);Saml2MetadataConfigurer
Configuration for SAML2 metadata generation and handling.
public final class Saml2MetadataConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<Saml2MetadataConfigurer<H>, H> {
// Metadata Resolver
public Saml2MetadataConfigurer<H> metadataResolver(Saml2MetadataResolver metadataResolver);
// Metadata URL
public Saml2MetadataConfigurer<H> metadataUrl(String metadataUrl);
}Usage Example:
http.saml2Metadata(metadata -> metadata
.metadataUrl("/saml2/metadata/{registrationId}")
.metadataResolver(customSaml2MetadataResolver())
);Integration Patterns
Multiple Provider Configuration
Configure multiple OAuth2 providers simultaneously:
@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(authz -> authz
.anyRequest().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.clientRegistrationRepository(clientRegistrationRepository())
.loginPage("/oauth2/authorization")
)
.oauth2Client(Customizer.withDefaults())
.build();
}
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(
googleClientRegistration(),
githubClientRegistration(),
oktaClientRegistration()
);
}
}JWT and OAuth2 Resource Server
Configure both JWT and opaque token support:
http.oauth2ResourceServer(oauth2 -> oauth2
.authenticationManagerResolver(authenticationManagerResolver())
);
@Bean
public AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver() {
return request -> {
String path = request.getRequestURI();
if (path.startsWith("/api/v1/")) {
return jwtAuthenticationManager();
}
return opaqueTokenAuthenticationManager();
};
}Custom Token Validation
Implement custom JWT validation logic:
http.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.decoder(customJwtDecoder())
.jwtAuthenticationConverter(customJwtAuthenticationConverter())
)
);
@Bean
public JwtDecoder customJwtDecoder() {
NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
decoder.setJwtValidator(customJwtValidator());
return decoder;
}Install with Tessl CLI
npx tessl i tessl/maven-org-springframework-security--spring-security-config