SpringBoot - Security

7. SpringBoot - Security (Old - Deprecated < 2.7.0 >)

Spring Security is a framework that focuses on providing both authentication and authorization (or -access-control”) to Java web application and SOAP/RESTful web services.

Spring Security currently supports integration with all of the following technologies:

HTTP basic access authentication
LDAP system
OpenID identity providers – Google, Facebook etc
JAAS API: JAAS stands for Java Authentication and Authorization Service. This is a pluggable module which is implemented in Java and the Spring Security Framework uses it for its authentication purposes.
Single Sign-On: This allows the user to get access to multiple applications with only one account (username and password).
CAS Server
ESB Platform
Your own authentication systems

Spring Security Architecture

Spring security comes with a set of security filters. Each request to the server is intercepted by these filters. These filters will process the request based on the logic and will pass or reject the incoming request, let’s look at the distinct steps of the authentication process.

1. Incoming HTTP Request

Each incoming request will go through a chain of filters for authentication and authorization process. Look at the step 1 in above diagram, each request is passing through the security filter chain. Keep in mind the following points.

Each request will pass through the filters until it reaches relevant authentication filter.
Each request can go through a distinct set of security filters. We can configure filters by request patterns or even based on the request headers.
In above diagram, login request goes through the filter chains and reaches to the UsernamePasswordAuthenticationFilter.
Similarly, a basic authentication request goes through the chains of filters until it reaches BasicAuthenticationFilter.

2. AuthenticationToken Based on User Credentials

For the user login, once the authentication request reached the authentication filter, it will extract the username and password from the request payload. Spring security will create an Authentication object based on the username and password. This is how the Authentication objection creation look like:

UsernamePasswordAuthenticationToken authentication
= new UsernamePasswordAuthenticationToken(username, password);

3. Authentication Manager

Authentication Manager is the core for the Spring security authentication process. AuthenticationManager is the API that defines how Spring Security’s Filters perform authentication.

public interface AuthenticationManager {

Authentication authenticate(Authentication authentication)
throwsAuthenticationException;

}

Before we move ahead, let’s cover important points for the AuthenticationManager.

Internally the AuthenticationProvider responsible to perform the authentication process.
ProviderManager manager is the most used implementation of AuthenticationProvider.
ProviderManager delegates the request to the list of AuthenticationProvider.

4. AuthenticationProviders

The AuthenticationProvider are responsible to process the request and perform a specific authentication. It provides a mechanism for getting the user details with which we can perform authentication. This is how the AuthenticationProvider interface looks like:

public interface AuthenticationProvider {

Authentication authenticate(Authentication authentication) throws
AuthenticationException;

boolean supports(Class <?> authentication);

}

Our AuthenticationProvider can’t execute directly but we can configure multiple providers using the AuthenticationProvider.

If you are curious, here is the list of some OOTB authentication providers.

DaoAuthenticationProvider.
JAAS Authentication
OpenID Authentication
X509 Authentication
SAML 2.0
OAuth 2.0
RememberMeAuthenticationProvider
LdapAuthenticationProvider

5. Custom Authentication Provider

For enterprise applications, we may need a custom authentication provider. Implement the AuthenticationProvider interface to create a custom authentication provider for your application.

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
      String username = authentication.getName();
      String pwd = authentication.getCredentials().toString();
      if ("javadevjournal".equals(username) && "pass".equals(pwd)) {
            return new UsernamePasswordAuthenticationToken(username, password, Collections.emptyList());
       } else {
            throw new BadCredentialsException("User authentication failed!!!!");
       }
    }

    @Override
    public boolean supports(Class<?>auth) {
        return auth.equals(UsernamePasswordAuthenticationToken.class);
    }
}

The last step is to configure our custom authentication provider with Spring security. We do that by creating a custom configuration class and extending the WebSecurityConfigurerAdapter.

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomAuthenticationProvider customAuthenticationProvider;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        //configuring our custom auth provider
        auth.authenticationProvider(customAuthProvider);
    }
}

6. Spring Security UserDetailsService

Not all, but few authentication providers may need UserDetailsService to get the user details stored in the database by username (e.g. DaoAuthenticationProvider). Most of the standard web application may use the UserDetailsService to get user information during login process. This is how the UserDetailsService interface look like:

package org.springframework.security.core.userdetails;

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}

It’s a common use case to define a custom UserDetailsService for our application.

7. Authentication and Authentication Exception

During the authentication process, if the user authentication is successful, we will send a fully initialized Authentication object back. For failed authentication, AuthenticationException will be thrown. A fully populated authentication object carries the following details:

User credentials.
List of granted authorities (for authorization).
Authentication flag.

public interface Authentication extends Principal, Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();

    Object getCredentials();
    Object getDetails();
    Object getPrincipal();
    boolean isAuthenticated();
    void setAuthenticated(boolean var1) throws IllegalArgumentException;
}

8. Setting Authentication SecurityContext

The last step on the successful authentication is setting up the authentication object in the SecurityContext. It wraps the SecurityContext around the SecurityContextHolder. Keep in mind following points:

SecurityContextHolder is where Spring Security stores the details about authenticated users.
Spring security will not validate how the SecurityContextHolder is populated.
If it finds values in the SecurityContextHolder, it assumes that current user is an authenticated user.This is how the SecurityContextHolder populates

SecurityContext context = //get the context from security holder

UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(username, password);

context.setAuthentication(authentication);
SecurityContextHolder.setContext(context);

Ref.: https://www.javadevjournal.com/spring-security/spring-security-authentication/

Spring Security Authentication Types

Web Security Authentication (@EnableWebSecurity)
1. Basic Authenication
2. In-Memory Authentication
3. JDBC Authentication
4. LDAP Authentication
JWT(JSON Web Token) Authentication
OAuth 2.0 SSO Authentication
REST API

With the latest Spring Security and/or Spring Boot versions, the way to configure Spring Security is by having a class that:

Is annotated with @EnableWebSecurity.
Extends WebSecurityConfigurer, which basically offers you a configuration DSL/method. With those methods, you can specify what URIs in your application to protect or what exploit protections to enable/disable.

Here’s what a typical WebSecurityConfigurerAdapter looks like

@Configuration
@EnableWebSecurity // (1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { // (1)

  @Override
  protected void configure(HttpSecurity http) throws Exception {  // (2)
      http
        .authorizeRequests()
          .antMatchers("/", "/home").permitAll() // (3)
          .anyRequest().authenticated() // (4)
          .and()
       .formLogin() // (5)
         .loginPage("/login") // (5)
         .permitAll()
         .and()
      .logout() // (6)
        .permitAll()
        .and()
      .httpBasic(); // (7)
  }
}

A normal Spring @Configuration with the @EnableWebSecurity annotation, extending from WebSecurityConfigurerAdapter.
By overriding the adapter’s configure(HttpSecurity) method, you get a nice little DSL with which you can configure your FilterChain.
All requests going to / and /home are allowed (permitted) - the user does not have to authenticate. You are using an antMatcher, which means you could have also used wildcards (*, \*\*, ?) in the string.
Any other request needs the user to be authenticated first, i.e. the user needs to login.
You are allowing form login (username/password in a form), with a custom loginPage (/login, i.e. not Spring Security’s auto-generated one). Anyone should be able to access the login page, without having to log in first (permitAll; otherwise, we would have a Catch-22!).
The same goes for the logout page
On top of that, you are also allowing Basic Auth, i.e. sending in an HTTP Basic Auth Header to authenticate.

1.Spring Security – Quick Start Example

We have SpringBoot Application, which doesn’t have login page. After running application, it will show all Employees Page.

We are going to add Spring Security jar to this project. spring-boot-starter-security: take care of all the required dependencies related to spring security.

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

This will include the SecurityAutoConfiguration class – containing the initial/default security configuration.

Just Run the project & see the magic – It will Directly open Login Page

We never created this login form, but from where it came from?

In our application, we did not create this login page but configured the Spring Security. This is a built-in login page provided by the framework itself to authenticate the user.SpringSecurity default comes with login page & you can login with generated password which is already printed in the console

Using generated security password: **8b4667a4-cc3a-47fd-b51f-b6f5e83745df**
Def.user name is: **user**

You can change the password by providing a security.user.password. This and other useful properties are externalized via SecurityProperties (properties prefix “security”).

security.user.name=user
security.user.name=password
security.basic.enabled=true

Thus, by just adding the spring boot security starter dependency the basic security has already been configured by default. Let’s customize the security configuration by writing our own authorization and authentication. For this create a new class SecurityConfig that extends the WebSecurityConfigurerAdapter and overrides its methods.

To discard the security auto-configuration and add our own configuration, we need to exclude the SecurityAutoConfiguration class.

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class SpringBootSecurityApplication { 
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }
}

Or by adding some configuration into the application.properties file:

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

2.Spring Security – Basic & In-Memory Authentication Example

If we are disabling security auto-configuration, we need to provide our own configuration by creating new class annotated with @EnableWebSecurity which extends WebSecurityConfigurerAdapter.

Spring Security provides HTTP basic authentication to authenticate the user at the client-side and send the user credentials with the request header to the server. The server receives these credentials, extract them from the header, and map them with the existing record to validate the user.

The BasicAuthenticationFilter handles the request and check whether the request contains an authentication header or not. The httpBasic() method enables the Basic HTTP security in our application. Let’s create a project and implements HTTP security.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	public void configure(HttpSecurity http) throws Exception {
		// It allows configuring web based security for specific http requests
		http.authorizeRequests()
            	.anyRequest().authenticated() 
            	.and()
        	.formLogin()                      
            	.and()
        	.httpBasic();	// This means it is Basic Authenication
	}

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
             User.withDefaultPasswordEncoder()
                .username("user")
                .password("user")
                .roles("USER")
                .build();
 
        return new InMemoryUserDetailsManager(user); 
// This means We probive User data using InMomory
    }	
}

Here we provided Static user conntenet. This type of Authurization Known as In Memory Authrization.

Let’s summarize what we did in order to add Spring Boot Security to his web app. To secure his web app,

we added Spring Boot Security to the classpath/maven.
Once it was in the classpath, Spring Boot Security was enabled by default.
Then customized the security by extending WebSecurityConfigurerAdapter and added his own configure and userDetailsServiceimplementation.

By default, the Spring Security framework provides its own login page the get user credentials but also allows us to set our own custom login page.

It is useful when we want to render a login page that matches the company website theme. We will do it by creating a login.jsp. It will submit to the “/authenticateTheUser” action and then Spring Security will perform authentication based on the provided input.

EmployeeController.java – add /login to display login page

@GetMapping("/login")
public String login() {
	return "login";
}

SecurityConfig.java
We used HttpSecurity class to configure the login page. The loginPage() is used to specify our login.jsp page. We can also use any other name for login form such as login-form.jsp or user-login.jsp and then specify the mapping to this method. The “/login” value passed here will map to the controller’s action and then render the JSP page.

@Override
public void configure(HttpSecurity http) throws Exception {
	http.authorizeRequests().anyRequest().
	authenticated().and()
	.formLogin()
	.loginPage("/login")
	.loginProcessingUrl("/authenticateTheUser").permitAll();
}

Now It will display our own custom form.

Custom Error message

If the user enters the wrong credentials then Spring Security responds by attaching an error parameter to the URL.Update login.jsp page

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>

<c:if test="${param.error!=null}">
    <p style="color: red">You entered wrong credentials!</p>
</c:if>

Logout User

To implement this feature, follow these steps

Add a Logout Button
Configure Security
Show Message

1. Add a Logout Button(index.jsp)
add a button to the JSP page that enables logout to the user. This button is a submit button that submits a form request to the logout URL that will be handle by Spring Security. Put it on the JSP home page.

<form:form
	action="${pageContext.request.contextPath}/logout"
	method="post">
	<input type="submit" value="logout" class="list-group-item list-group-item-action">
</form:form>

2. Configure Security(SecurityConfig.java)
Now, update the SecurityConfig.java class by adding logout() and permitAll() method.

logout() method will logout the user
permitAll() method give access to all the users to use the logout feature.

.logout().permitAll();

@Override
public void configure(HttpSecurity http) throws Exception {
	// 2.Custom Login Form
	http.authorizeRequests().anyRequest()
	.authenticated()
	.and()
	.formLogin()
	.loginPage("/login")
	.loginProcessingUrl("/authenticateTheUser")
	.permitAll()
	.and()
	.logout()
	.permitAll();
}

3.Show Message(login.jsp)
Now, set a message to show the user when the user logged out successfully. Add it to the login.jsp to display a logout message to the user after successful logout.

<c:if test="${param.logout!=null}">
	<p style="color: green">You have successfully logged out.!</p>
</c:if>

Remember Me Feature

remember-me feature of Spring Security allows a user to remember even after the session is closed. It performs automatic login by using the stored cookies.

An application that has a remember-me feature, stores a cookie in the browser which is used to identify the user and avoid entering the user credentials each time to log in. So what we need to do is just simply use the rememberMe() method in the configure() method of SecurityConfig class.

@Override
public void configure(HttpSecurity http) throws Exception {
	// 2.Custom Login Form
	http.authorizeRequests().anyRequest()
	.authenticated()
	.and()
	.formLogin().loginPage("/login").loginProcessingUrl("/authenticateTheUser")
	.permitAll()
	.and()
	.logout().permitAll()
	.and()
.rememberMe().key("rem-me-key")  
		   .rememberMeParameter("remember")  
		   .rememberMeCookieName("rememberlogin")  
		   .tokenValiditySeconds(200);
}

Verify the Cookies
See it stores the cookie that we set in the SecurityConfig file. It has the same name that we set and a token in encrypted form and expiring life of the cookie.

4.Spring Security – JDBC Authentication

By default, spring security expects tables named users table for storing username, passwords and authorities table for storing the associated roles.

CREATE TABLE `users` (
  `username` varchar(50) NOT NULL,
  `password` varchar(50) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

INSERT INTO `users` 
VALUES 
('satya','{noop}satya',1),
('a','{noop}a',1);


CREATE TABLE `authorities` (
  `username` varchar(50) NOT NULL,
  `authority` varchar(50) NOT NULL,
  UNIQUE KEY `authorities_idx_1` (`username`,`authority`),
  CONSTRAINT `authorities_ibfk_1` FOREIGN KEY (`username`) REFERENCES `users` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

INSERT INTO `authorities` 
VALUES 
('satya','ROLE_ADMIN'),
('a', 'ROLE_GUEST')

Override configure(AuthenticationManagerBuilder) — this method will help us in fetching user data from DB and validate if the credentials provided by the user is valid

SecurityConfig.java

package springboot.security;
import javax.sql.DataSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;
		
    //Enable jdbc authentication
    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) {
        auth.jdbcAuthentication().dataSource(dataSource);
    }
		
	@Override
	public void configure(HttpSecurity http) throws Exception {

		//3. JDBC Authenication
		//role should not start with 'ROLE_' since it is automatically inserted
		// ADMIN - Allowed All Operations - ADD, EDIT , DELETE
		// GUEST- Allowed VIEW Operations - VIEW, SHOW
		http.authorizeRequests()
		.antMatchers("/").hasAnyRole("GUEST","ADMIN")
		.antMatchers("/all").hasAnyRole("GUEST","ADMIN")
		.antMatchers("/addEmployee").hasRole("ADMIN")
		.antMatchers("/saveEmployee").hasRole("ADMIN")
		.antMatchers("/deleteEmployee").hasRole("ADMIN")
		.and()
		.formLogin()
		.loginPage("/login")
		.loginProcessingUrl("/authenticateTheUser")
		.permitAll()
		.and()
		.logout()
		.permitAll()
		.and()
		.exceptionHandling().accessDeniedPage("/unauthorized");		
	}
}

5. Spring Security – LDAP Authentication

What is LDAP?

LDAP is Lightweight Directory Access Protocol that is used to interact with directory server. LDAP is a centralized directory acts as a data source, which contains all important information related to the organization such as user details, system information, etc. LDAP is used for authentication and storing information about users, groups and applications.

Spring Security provides LdapAuthenticationProvider class to authenticate a user against a LDAP server. The equivalent XML element is <ldap-authentication-provider>.
LDAP node is created with following keywords.

uid : User Id
cn : Common Name
sn : Surname
o : Organization
ou : Organizational unit
dn : Distinguished name
dc : Domain Component

When the user submits login form, then to find the user a LDAP DN is created. Suppose the username is ‘krishna’ then the actual name used to authenticate to LDAP will be the full DN as following.

uid=krishna,ou=people,dc=concretepage,dc=com

LDAP Server Configuration (Free Online)

LDAP Server Information (read-only access):

Server: ldap.forumsys.com   
Port: 389

Bind DN: cn=read-only-admin,dc=example,dc=com  
Bind Password: password

All user passwords are password.

Ref. https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

Example Code

Pom.xml – Update Maven Dependency

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-ldap</artifactId>
</dependency>

<dependency>
   <groupId>org.apache.directory.server</groupId>
   <artifactId>apacheds-server-jndi</artifactId>
   <version>1.5.5</version>
</dependency>

application.properties – update LDAP Server Properties

ldap.urls=ldap://ldap.forumsys.com:389/
ldap.base.dn=dc=example,dc=com
ldap.username=cn=read-only-admin,dc=example,dc=com
ldap.password=password
ldap.user.dn.pattern = uid={0}

SpringSecurityConfig

At this point, we need to tell spring how to we are doing authentication, as in which URLs should be authenticated. We need to update Authentication provider as LDAP in our code.

@Configuration
@EnableWebSecurity
public class LDAPAuthenticationSecurityConfig extends WebSecurityConfigurerAdapter { 
	
    @Value("${ldap.urls}")
    private String ldapUrls;	

    @Value("${ldap.base.dn}")
    private String ldapBaseDn;

    @Value("${ldap.username}")
    private String ldapSecurityPrincipal;

    @Value("${ldap.password}")
    private String ldapPrincipalPassword;

    @Value("${ldap.user.dn.pattern}")
    private String ldapUserDnPattern;
    
 
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        	auth.ldapAuthentication()
                .contextSource()
                .url(ldapUrls + ldapBaseDn)
                .managerDn(ldapSecurityPrincipal)
                .managerPassword(ldapPrincipalPassword)
                .and()
                .userDnPatterns(ldapUserDnPattern);
    }
	
    
	//4. LDAP Authenication
	//role should not start with 'ROLE_' since it is automatically inserted
	// authenticated - Allowed All Operations - ADD, EDIT , DELETE
	// permitAll- Allowed VIEW Operations - VIEW, SHOW
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    		http.authorizeRequests()
                .antMatchers("/login**").anonymous()
                .antMatchers("/all").permitAll()
                .antMatchers("/view**").permitAll()
                .antMatchers("/addEmployee").authenticated()
                .antMatchers("/addEmployee").authenticated()
                .antMatchers("/deleteEmployee").authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticateTheUser")
                .permitAll()
                .and()
                .logout()
                .permitAll()
                .and()
                .csrf()
                .disable();
    }
}

For Testing

//All UID’s password is: **password**
uid=boyle
uid=curie
uid=einstein
uid=euclid
uid=euler

We can access /all , /view** - with out login. But for /addEmployee, /saveEmployee user must login with LDAP credencials.

6. Spring Security – JWT Authentication

What is JWT Authentication

By using JWT authentication you no longer have to store user information in a session to authenticate each request. Instead, we send this information with each request along with any data we want.

When the client logs in, the server gives them a JSON Web Token (JWT). Afterward, the client has to put that token in the Authorization header of each request after the word Bearer and space.

The token has three different parts, the header, the payload, and the signature.

JWT Structure

Create JWT Token Online

Will generate JWT Token by using JWT Online Token Generator.Provide the payload as given below: Standard JWT Claims Provide Claim data. Additional
Claims We’ll have the following claims in the payload. Generated Claim
Set Sign the payload using the hashing algorithm. Signed JSON Web
Token

Example

Pom.xml

<dependency>
   <groupId>io.jsonwebtoken</groupId>
   <artifactId>jjwt</artifactId>
   <version>0.9.1</version>
</dependency>

We have API for Employee Services

/ 	 	GET 	 Homepage
/login 	 	GET 	 Loginform
/all 	 	GET 	 All Employees 
/saveEmployee 	POST 	 saveEmployee

Not much Important for now, Skipping

Ref. https://www.tutorialspoint.com/spring_security/spring_security_with_jwt.htm

7. Spring Security – OAuth 2.0 SSO Authentication

Spring Boot 2.x provides full auto-configuration for OAuth2 login. We just need to configure client id and client secret for OAuth2 provider such as GitHub, Facebook and Google in application.property file and we are done.

We can customize the configuration by overriding methods of WebSecurityConfigurerAdapter and using HttpSecurity.oauth2Login() method introduced in Spring 5.0.

We need to create a bean for ClientRegistrationRepository to override OAuth2 property value.
Here on this page we will create a Spring Boot Security application for OAuth2 login using GitHub, Facebook and Google authentication provider.

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

Example

1.Genetrate github API Keys by going https://github.com/settings/developers

redirect URI as

http://localhost:8080/login/oauth2/code/github
http://localhost:8081/login/oauth2/code/google
http://localhost:8081/login/oauth2/code/facebook

Watch this : https://www.youtube.com/watch?v=R9lxXQcy-nM

2.Update application.properties

spring.security.oauth2.client.registration.google.client-id=\<your client id\>
spring.security.oauth2.client.registration.google.client-secret=\<your client
secret\>

spring.security.oauth2.client.registration.facebook.client-id=\<your client id\>
spring.security.oauth2.client.registration.facebook.client-secret=\<your client
secret\>

spring.security.oauth2.client.registration.github.client-id=4d381Dummy
spring.security.oauth2.client.registration.github.client-secret=2876951aSercrit

Update Login Page

<a href=" /oauth2/authorization/github">Login with GitHub</a>

4.CustomOAuth2User.java

this class extends OAuthUser interface as defined by Spring OAuth2 API. this class wraps an instance of OAuth2User, which will be passed by Spring OAuth2 upon successful OAuth authentication. And we override the getName() method to return username associated with GitHub account.

public class CustomOAuth2User implements OAuth2User {
	private OAuth2User oauth2User;
	
	public CustomOAuth2User(OAuth2User oauth2User) {
		this.oauth2User = oauth2User;
	}
	@Override
	public Map<String, Object> getAttributes() {
		return oauth2User.getAttributes();
	}
	@Override
	public Collection<? extends GrantedAuthority> getAuthorities() {
		return oauth2User.getAuthorities();
	}
	@Override
	public String getName() {
		return oauth2User.getAttribute("name");
	}
}

5.CustomOAuth2UserService subclass of DefaultOAuth2UserService. we override the loadUser() method which will be called by Spring OAuth2 upon successful authentication, and it returns a new CustomOAuth2User object

@Service
public class CustomOAuth2UserService extends DefaultOAuth2UserService  {

	@Override
	public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
		OAuth2User user =  super.loadUser(userRequest);
		return new CustomOAuth2User(user);
	}
}

6.OAuth2AuthenticationSecurityConfig To integrate single sign on with GitHub with traditional username and password login, update configuration for Spring security as follows

@Configuration
@EnableWebSecurity
public class OAuth2AuthenticationSecurityConfig extends WebSecurityConfigurerAdapter {
	
	@Autowired
	private CustomOAuth2UserService userService;

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().antMatchers("/", "/login").permitAll()
		.and()
		.formLogin()
		.loginPage("/login")
		.loginProcessingUrl("/authenticateTheUser")
		.permitAll()
		.and()
		.logout()
		.permitAll()
       .and()
              .oauth2Login()
              .loginPage("/login")
              .userInfoEndpoint()
              .userService(userService);
	}
}

7.Test Login using GitHub

8. Spring Security – Summary

To customize Spring Security, we need a configuration class annotated with @EnableWebSecurity annotation in our classpath. Also, to simplify the customization process, the framework exposes a WebSecurityConfigurerAdapter class.

We will extend this adapter and override both of its functions so as to:

Configure the authentication manager with the correct provider
Configure web security (public URLs, private URLs, authorization, etc.)

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // TODO configure authentication manager
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // TODO configure web security
    }
}