An Intro to Spring Cloud Security – 春季云安全介绍

最后修改: 2018年 2月 20日

1. Overview


The Spring Cloud Security module provides features related to token-based security in Spring Boot applications.

Spring Cloud Security模块提供了与Spring Boot应用程序中基于令牌的安全有关的功能。

Specifically, it makes OAuth2-based SSO easier – with support for relaying tokens between Resource Servers, as well as configuring downstream authentication using an embedded Zuul proxy.


In this quick article, we’ll have a look at how we can configure these features using a Spring Boot client application, an Authorization Server and a REST API working as a Resource Server.

在这篇文章中,我们将看看如何使用Spring Boot客户端应用程序、授权服务器和作为资源服务器的REST API来配置这些功能。

Note that for this example, we only have one Client application that uses SSO to demonstrate the cloud security features – but in a typical scenario, we would have at least two client applications to justify the need for Single Sign-On.

请注意,在这个例子中,我们只有一个客户端应用程序使用SSO来展示云安全功能 – 但在一个典型的场景中,我们至少有两个客户端应用程序来证明单点登录的必要性。

2. Quick Start a Cloud Security App


Let’s start by configuring SSO in a Spring Boot application.

让我们从在Spring Boot应用程序中配置SSO开始。

First, we need to add the spring-cloud-starter-oauth2 dependency:



This will also bring in the spring-cloud-starter-security dependency.


We can configure any social site as an Auth Server for our site or we can use our own server. In our case, we’ve chosen the latter option and configured an application that acts as an Authorization Server – which is deployed locally at http://localhost:7070/authserver.


Our authorization server uses JWT tokens.


Additionally, for any Client to be able to retrieve the credentials of a user, we need to configure our Resource Server, running on port 9000, with an endpoint which can serve these credentials.


Here, we’ve configured a /user endpoint that is available at http://localhost:9000/user.


For more details on how to set up an Authorization Server and a Resource Server, check out our previous article here.


We can now add the annotation in a configuration class in our Client application:


public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        // ...    

Any requests that require authentication will be redirected to the Authorization Server. For this to work we also have to define the server properties:


      accessTokenUri: http://localhost:7070/authserver/oauth/token
      userAuthorizationUri: http://localhost:7070/authserver/oauth/authorize
      clientId: authserver
      clientSecret: passwordforauthserver
      userInfoUri: http://localhost:9000/user

Note that we need to have spring-boot-starter-security in our classpath to find the above configuration working.


3. Relaying Access Tokens


While relaying a token, an OAuth2 Client forwards the OAuth2 token received by it to an outgoing resource request.


Since we’ve declared the @EnableOauth2Sso annotation, Spring Boot adds an OAuth2ClientContext bean in the request scope. Based on this, we can create our own OAuth2RestTemplate in our client application:

由于我们已经声明了@EnableOauth2Sso注解,Spring Boot在请求范围内添加了一个OAuth2ClientContext豆子。在此基础上,我们可以在客户端应用程序中创建我们自己的OAuth2RestTemplate

public OAuth2RestOperations restOperations(
  OAuth2ProtectedResourceDetails resource, OAuth2ClientContext context) {
    return new OAuth2RestTemplate(resource, context);

Once we’ve configured the bean, the context will forward the access token to the requested services and will also refresh the token if it expires.


4. Relaying an OAuth Token Using the RestTemplate


We previously defined a restOperations bean of type OAuth2RestTemplate in our Client application. As a result, we can use the getForObject() method of OAuth2RestTemplate to send a request with the necessary tokens to a protected Resource server from our client.


First, let’s define an endpoint which requires authentication in our Resource Server:


@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
public @ResponseBody Person personInfo(){        
    return new Person("abir", "Dhaka", "Bangladesh", 29, "Male");       

This is a simple REST endpoint that returns a JSON representation of a Person object.


Now, we can send a request from the Client application using the getForObject() method which will relay the token to the Resource Server:


private RestOperations restOperations;

public ModelAndView person() { 
    ModelAndView mav = new ModelAndView("personinfo");
    String personResourceUrl = "http://localhost:9000/person";
      restOperations.getForObject(personResourceUrl, String.class));       
    return mav;

5. Configuring Zuul for Token Relay


If we’d like to relay a token downstream to the proxy services, we can use Spring Cloud Zuul Embedded Reverse Proxy.

如果我们想把令牌中转到下游的代理服务,我们可以使用Spring Cloud Zuul嵌入式反向代理。

First, we need to add the Maven dependency for working with Zuul:



Next, we need to add the @EnableZuulProxy annotation on to our configuration class in the Client application:


public class SiteSecurityConfigurer
  extends WebSecurityConfigurerAdapter {

All that’s left to do is add the Zuul configuration properties to our application.yml file:


  sensitiveHeaders: Cookie,Set-Cookie  
      path: /api/**
      url: http://localhost:9000
      path: /user/**
      url: http://localhost:9000/user

Any request coming to the /api endpoint of the Client application will be redirected to the Resource Server URL. We also need to provide the URL of the user credentials endpoint.


6. Conclusion


In this quick article, we explored how to use Spring Cloud Security with OAuth2 and Zuul to configure secured authorization and resource servers, as well as how to relay OAuth2 tokens between servers using Oauth2RestTemplate and Embedded Zuul Proxy.

在这篇快速文章中,我们探讨了如何使用Spring Cloud Security与OAuth2和Zuul来配置安全的授权和资源服务器,以及如何使用Oauth2RestTemplate和嵌入式Zuul Proxy在服务器之间中转OAuth2令牌。

As always, the code is available over on GitHub.