How to Use Apache Shiro and OAuth 2.0 to Build a Secure Application
How to Use Apache Shiro and OAuth 2.0 to Build a Secure Application
This article demonstrates how to use Apache Shiro and OAuth 2.0 to create a secure Maven-based account with Okta.
Jul. 29, 20 · Java Zone ·
Comment (0)
Join the DZone community and get the full member experience.
For those unfamiliar, Apache Shiro—a Java Security framework—performs authorization, authentication, and session management (along with many other functions) to help build more secure applications.
This post will show you how to use JAX-RS to build a simple Java REST application. JAX-RS is a set of interfaces so you’ll need to pick your implementation. In this post, we’ll be using Jersey—but you can use whatever implementation you prefer and none of these APIs are Jersey specific.
In OAuth 2.0, REST services are usually resource servers. In simple terms, they authenticate using an access token sent in the Authorization HTTP header, formatted as Authorization: Bearer <access-token>.
For this tutorial you will need:
Create a New JAX-RS project
There are a few ways to create a new Maven-based project. I usually use my IDE, but you can also generate one on the command line. Whichever way you decide, start with a pom.xml file that looks like this:
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.okta.example</groupId> <artifactId>okta-shiro-jaxrs-example</artifactId> <version>1.0-SNAPSHOT</version> <packaging>war</packaging><project xmlns="http://maven.apache.org/POM/4.0.0"0
<project xmlns="http://maven.apache.org/POM/4.0.0"1
<project xmlns="http://maven.apache.org/POM/4.0.0"2
<project xmlns="http://maven.apache.org/POM/4.0.0"3
<project xmlns="http://maven.apache.org/POM/4.0.0"4
<project xmlns="http://maven.apache.org/POM/4.0.0"5
<project xmlns="http://maven.apache.org/POM/4.0.0"6
<project xmlns="http://maven.apache.org/POM/4.0.0"7
<project xmlns="http://maven.apache.org/POM/4.0.0"8
Next, add the dependencies:
<project xmlns="http://maven.apache.org/POM/4.0.0"9
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"0
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"1
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"2
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"3
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"4
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"5
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"6
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"7
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"8
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"9
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">0
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">1
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">2
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">3
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">4
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">5
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">6
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">7
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">8
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">9
<modelVersion>4.0.0</modelVersion>0
<modelVersion>4.0.0</modelVersion>1
<modelVersion>4.0.0</modelVersion>2
<modelVersion>4.0.0</modelVersion>3
<modelVersion>4.0.0</modelVersion>4
<modelVersion>4.0.0</modelVersion>5
<modelVersion>4.0.0</modelVersion>6
<modelVersion>4.0.0</modelVersion>7
<modelVersion>4.0.0</modelVersion>8
<modelVersion>4.0.0</modelVersion>9
0
1
2
3
4
5
6
7
8
9
<groupId>com.okta.example</groupId>0
<groupId>com.okta.example</groupId>1
<groupId>com.okta.example</groupId>2
<groupId>com.okta.example</groupId>3
<groupId>com.okta.example</groupId>4
<groupId>com.okta.example</groupId>5
<groupId>com.okta.example</groupId>6
<groupId>com.okta.example</groupId>7
<groupId>com.okta.example</groupId>8
<groupId>com.okta.example</groupId>9
<artifactId>okta-shiro-jaxrs-example</artifactId>0
<artifactId>okta-shiro-jaxrs-example</artifactId>1
<artifactId>okta-shiro-jaxrs-example</artifactId>2
<artifactId>okta-shiro-jaxrs-example</artifactId>3
<artifactId>okta-shiro-jaxrs-example</artifactId>4
<artifactId>okta-shiro-jaxrs-example</artifactId>5
<artifactId>okta-shiro-jaxrs-example</artifactId>6
To make running the WAR file easy, we can add the Jetty Maven Plugin to the pom file:
<artifactId>okta-shiro-jaxrs-example</artifactId>7
<artifactId>okta-shiro-jaxrs-example</artifactId>8
<artifactId>okta-shiro-jaxrs-example</artifactId>9
<version>1.0-SNAPSHOT</version>0
<version>1.0-SNAPSHOT</version>1
<version>1.0-SNAPSHOT</version>2
<version>1.0-SNAPSHOT</version>3
<version>1.0-SNAPSHOT</version>4
<version>1.0-SNAPSHOT</version>5
<version>1.0-SNAPSHOT</version>6
<version>1.0-SNAPSHOT</version>7
<version>1.0-SNAPSHOT</version>8
<version>1.0-SNAPSHOT</version>9
<packaging>war</packaging>0
<packaging>war</packaging>1
Create a JAX-RS Endpoint
A JAX-RS application contains at least two parts: the REST resources/endpoints, to serve the requests, and the Application class to hold them all together. The resources are simply Java objects that have annotations mapping an HTTP request to a method.
Create a simple resource that displays the current user’s email address in src/main/java/com/okta/example/shiro/SecureEndpoint.java
<packaging>war</packaging>2
<packaging>war</packaging>3
<packaging>war</packaging>4
<packaging>war</packaging>5
<packaging>war</packaging>6
<packaging>war</packaging>7
<packaging>war</packaging>8
<packaging>war</packaging>9
<project xmlns="http://maven.apache.org/POM/4.0.0"00
<project xmlns="http://maven.apache.org/POM/4.0.0"01
<project xmlns="http://maven.apache.org/POM/4.0.0"02
<project xmlns="http://maven.apache.org/POM/4.0.0"03
<project xmlns="http://maven.apache.org/POM/4.0.0"04
<project xmlns="http://maven.apache.org/POM/4.0.0"05
<project xmlns="http://maven.apache.org/POM/4.0.0"06
<project xmlns="http://maven.apache.org/POM/4.0.0"07
<project xmlns="http://maven.apache.org/POM/4.0.0"08
<project xmlns="http://maven.apache.org/POM/4.0.0"09
<project xmlns="http://maven.apache.org/POM/4.0.0"10
<project xmlns="http://maven.apache.org/POM/4.0.0"11
<project xmlns="http://maven.apache.org/POM/4.0.0"12
- The base path for all methods in this class
- Keep things simple in this post and just return plain text
- This method will handle HTTP
GETrequestsRequire Authentication! - Inject the current user’s security context
- Get the name from the Java Principal
If you need to get other information out of the access token, cast the user principal to an OktaJwtPrincipal and use the getClaim() method:
<project xmlns="http://maven.apache.org/POM/4.0.0"13
<project xmlns="http://maven.apache.org/POM/4.0.0"14
<project xmlns="http://maven.apache.org/POM/4.0.0"15
Create a JAX-RS Application
A JAX-RS Application class defines the metadata and components associated with an application. Most JAX-RS implementations provide helper classes that scan your resources automatically but, because this example works with any implementation, you’ll configure them directly.
Create a class that extends from Application in src/main/java/com/okta/example/shiro/RestApplication.java:
<project xmlns="http://maven.apache.org/POM/4.0.0"16
<project xmlns="http://maven.apache.org/POM/4.0.0"17
<project xmlns="http://maven.apache.org/POM/4.0.0"18
<project xmlns="http://maven.apache.org/POM/4.0.0"19
<project xmlns="http://maven.apache.org/POM/4.0.0"20
<project xmlns="http://maven.apache.org/POM/4.0.0"21
<project xmlns="http://maven.apache.org/POM/4.0.0"22
<project xmlns="http://maven.apache.org/POM/4.0.0"23
<project xmlns="http://maven.apache.org/POM/4.0.0"24
<project xmlns="http://maven.apache.org/POM/4.0.0"25
<project xmlns="http://maven.apache.org/POM/4.0.0"26
<project xmlns="http://maven.apache.org/POM/4.0.0"27
<project xmlns="http://maven.apache.org/POM/4.0.0"28
<project xmlns="http://maven.apache.org/POM/4.0.0"29
<project xmlns="http://maven.apache.org/POM/4.0.0"30
<project xmlns="http://maven.apache.org/POM/4.0.0"31
<project xmlns="http://maven.apache.org/POM/4.0.0"32
<project xmlns="http://maven.apache.org/POM/4.0.0"33
<project xmlns="http://maven.apache.org/POM/4.0.0"34
<project xmlns="http://maven.apache.org/POM/4.0.0"35
- This application is mounted to /, all resource paths are relative to this one
- Register Apache Shiro’s JAX-RS feature
- Add the SecureResource we created in the previous step
Configure Apache Shiro to Use OAuth 2.0
Apache Shiro can be configured in a few different ways: programmatically, using dependency injection with Spring and Guice, or using an "ini" file. To keep things focused, I’ll use a simple shiro.ini file located in src/main/resources:
<project xmlns="http://maven.apache.org/POM/4.0.0"36
<project xmlns="http://maven.apache.org/POM/4.0.0"37
<project xmlns="http://maven.apache.org/POM/4.0.0"38
<project xmlns="http://maven.apache.org/POM/4.0.0"39
<project xmlns="http://maven.apache.org/POM/4.0.0"40
<project xmlns="http://maven.apache.org/POM/4.0.0"41
<project xmlns="http://maven.apache.org/POM/4.0.0"42
<project xmlns="http://maven.apache.org/POM/4.0.0"43
<project xmlns="http://maven.apache.org/POM/4.0.0"44
<project xmlns="http://maven.apache.org/POM/4.0.0"45
<project xmlns="http://maven.apache.org/POM/4.0.0"46
If you have resources that require anonymous access, use authcBearer[permissive]—just make sure all of your endpoints are annotated correctly!
Add a web.xml
You might be asking yourself, "really, a web.xml file?" Technically you don’t need one—you could instead configure the Maven War Plugin to not require a web.xml.
Or, just add an empty web.xml to src/main/webapp:
<project xmlns="http://maven.apache.org/POM/4.0.0"47
<project xmlns="http://maven.apache.org/POM/4.0.0"48
<project xmlns="http://maven.apache.org/POM/4.0.0"49
<project xmlns="http://maven.apache.org/POM/4.0.0"50
<project xmlns="http://maven.apache.org/POM/4.0.0"51
<project xmlns="http://maven.apache.org/POM/4.0.0"52
<project xmlns="http://maven.apache.org/POM/4.0.0"53
Run the Secure REST Application
You could build the project with ./mvnw package. Simply grab the war file from the target directory, copy it to your favorite container, and start it up. Instead, we’re going to use the Jetty Maven Plugin. From the project directory, run:
<project xmlns="http://maven.apache.org/POM/4.0.0"54
<project xmlns="http://maven.apache.org/POM/4.0.0"55
This command starts a server running on port 8000. Make a request using curl:
<project xmlns="http://maven.apache.org/POM/4.0.0"56
<project xmlns="http://maven.apache.org/POM/4.0.0"57
<project xmlns="http://maven.apache.org/POM/4.0.0"58
<project xmlns="http://maven.apache.org/POM/4.0.0"59
<project xmlns="http://maven.apache.org/POM/4.0.0"60
<project xmlns="http://maven.apache.org/POM/4.0.0"61
<project xmlns="http://maven.apache.org/POM/4.0.0"62
<project xmlns="http://maven.apache.org/POM/4.0.0"63
The server returned a 401 status code because we did not provide an access token. There are a few ways to get an access token; which option is right for you depends on where and how you access your REST application. Usually, the application that is invoking your REST API already has an access token. For example, a SPA mobile app, or another web app likely already has an authenticated user. For testing purposes, we will set up the OIDC Debugger.
Create an OAuth 2.0 Application
Login in to your Okta admin console. If you just created a new Okta account and have not logged in yet, follow the activation link in your inbox.
Make a note of the Org URL on the top right; I’ll refer to this as {yourOktaDomain} in the next section.
Once you are logged in, select Applications → Add Application from the top menu. Then, select Web → Next.
Give your application a name, something clever like: "Shiro JAX-RS Example."
Set the Login redirect URIs to https://oidcdebugger.com/debug
Check Implicit (Hybrid)
Click Done
Make note of the Client ID, you will need this for the next step.
Get a Token with the OIDC Debugger
Head over to https://oidcdebugger.com/ and populate the form with the following values:
Authorize URI –
{yourOktaDomain}/oauth2/default/v1/authorizeClient ID –
{yourClientID}from the previous stepState –
this is a test(this can be any value)Response type – select token
Use defaults for all other fields
Press the Send Request button.
If you are using an incognito/private browser, this may prompt you to login again. Once the Success page loads, copy the Access token and create an environment variable:
<project xmlns="http://maven.apache.org/POM/4.0.0"64
<project xmlns="http://maven.apache.org/POM/4.0.0"65
<project xmlns="http://maven.apache.org/POM/4.0.0"66
Now that you have a token, you can make another request to your JAX-RS server:
<project xmlns="http://maven.apache.org/POM/4.0.0"67
<project xmlns="http://maven.apache.org/POM/4.0.0"68
<project xmlns="http://maven.apache.org/POM/4.0.0"69
And just like that, you have made an authenticated request to your JAX-RS application!
Learn More About Secure Applications
In this tutorial, I’ve shown you how to secure a simple JAX-RS application with Apache Shiro and Okta. This same resource server technique can be used with other servlet based web applications too.
Check out these related blog posts to learn more about building secure web applications.
If you like this blog post and want to see more like it, follow @oktadev on Twitter, subscribe to our YouTube channel, or follow us on LinkedIn. As always, please leave a comment below if you have any questions.
Comment (0)
Published at DZone with permission of Brian Demers , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Java Partner Resources
ABOUT US
CONTRIBUTE ON DZONE
LEGAL
CONTACT US
- 600 Park Offices Drive
- Suite 150
- Research Triangle Park, NC 27709
- support@dzone.com
- +1 (919) 678-0300
- {{ node.blurb }}
{{ editionName }}
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}