SpringBoot Security 15 : Securing WebApp

-

 ok













Whenever an ORG is trying to build an Auth servere there are 2 options

  1. custom
  2. product : keycloak (open src) , okta  , there are many on cloud as well (aws cognito)

https://www.keycloak.org/ can be used for

  1. SSO
  2. Identity Broker & Social Login
  3. User Federation
  4. + more 

What is a Keycloak : Realm ?

A Keycloak realm is an isolated management space, akin to a tenant, that manages a logical collection of users, credentials, roles, and groups

Convert Sprint Boot Application to a Resource Server


first : add dependency like below ( line number 43 ) 

< dependency >
            < groupId > org.springframework.boot < / groupId >
            < artifactId > spring-boot-starter-security-oauth2-resource-server < / artifactId >
< / dependency >

second : delete all authentication classes and user resource classes in config folder , because you dont want to use the existing DB authn mechnism

third : create KeyCloakRoleConverter class

responsibility of generating Access token or JWT token will be with key cloak. token has info of user , email and role details 

this class will take out info from access token and convert it into form of simple granted authority, because spring framework can only understand the roles and authorities information when we present them in form of granted authority or simple granted authority. ?????.

https://github.com/eazybytes/spring-security/blob/4.x.x/section_15/springsecsection_15/src/main/java/com/eazybytes/config/KeycloakRoleConverter.java

public class KeycloakRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

@Override

    public Collection<GrantedAuthority> convert(Jwt source) { 

... // convert JWT Token to collection of authority

    

}


then configure the KeyCloakRoleConverter in ProjectConfig.

https://github.com/eazybytes/spring-security/blob/4.x.x/section_15/springsecsection_15/src/main/java/com/eazybytes/config/ProjectSecurityConfig.java

@Bean

    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {

        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();

        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());

...

http.oauth2ResourceServer(rsc -> rsc.jwt(jwtConfigurer ->

                jwtConfigurer.jwtAuthenticationConverter(jwtAuthenticationConverter)));

 ...

}


https://github.com/eazybytes/spring-security/blob/4.x.x/section_15/springsecsection_15/src/main/java/com/eazybytes/controller/AccountController.java

change param of method from id to email (from DB)

client app will look forward to get account details by email id 

https://github.com/eazybytes/spring-security/blob/4.x.x/section_15/springsecsection_15/src/main/resources/application.properties

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${JWK_SET_URI:http://localhost:8180/realms/eazybankdev/protocol/openid-connect/certs}

what is opaque token ?

implement new class https://github.com/eazybytes/spring-security/blob/4.x.x/section_15/springsecsection_15/src/main/java/com/eazybytes/config/KeycloakOpaqueRoleConverter.java























ok

Comments

Post a Comment

Popular posts from this blog

Agentic AI Course : Week 1

-
Image
8 weeks https://edwarddonner.com/2024/11/13/llm-engineering-resources/  6 week Agentic AI Course https://github.com/ed-donner/agents the file .env has all the keys select kernel https://github.com/ed-donner/agents/blob/main/1_foundations/1_lab1.ipynb import os openai_api_key = os.getenv( 'OPENAI_API_KEY' ) from openai import OpenAI openai = OpenAI() messages = [{ "role" : "user" , "content" : "What is 2+2?" }] response = openai.chat.completions.create(      model= "gpt-4.1-nano" ,      messages=messages      ) print (response.choices[ 0 ].message.content) Day 2 : what are AI Agents? 5 different patterns for agentic systems https://lavnish.blogspot.com/2025/05/essential-design-patterns-for-building.html In General Day 3 comparing different models  https://www.vellum.ai/llm-leaderboard syntax to call diff LLMs openAI , anthropic, gemini, deepseek, groq https://github.com/ed-donner/agents/blob/main/1_foundations/2_lab2.ipynb...
Read more

LLM Engineering course : Day 1

-
Image
 Anaconda Power Shell    this will open , way you know if it is a anaconda power shell by seeing "base" Then you can install the full environment    then to activate use command "conda activate llms"     Open Ques "what is environment.yml" Then activate the conda environment and open jupyter lab   you can start with virtualenv as well (all details in readme) Video 11 : Day 1 every AI has 2 types of plan 1) pro plan with UI monthly subscription 2) API pricing , pay per request, for OPEN API need to put in 5$ pre payment (can use gpt4-o-mini for less cost)  (all details in readme)  Video 11:  store keys in .env files (all details in readme)  Video 14 there are two types of prompt   Video 15 OpenAI came up with a standard way of interacting with LLMs which is now standard for many LLMs. It is a list of dictionaries. Use completions API https://platform.openai.com/docs/guides/completions   For websites that use Java...
Read more

LLM Engineering : Week 2

-
Day 2.1 setup  anthropic api key google api key (more complex) update .env file     What is Temperature ?  Pass value between 0 to 1. 1 is most creative , 0 is least There is a slight difference in Claude API and OpenAI  in claude API we pass system message and user message separately in claude we also give context  if you want to stream , in claude there is an extra method , in openAI there is a boolean attribute.    Day 2.2 : Gradio         Day 2.3         Day 2.4 Day 2.5          
Read more