2. Spring Boot Configuration
When using the Spring CredHub starter dependency, Spring CredHub can be configured with Spring Boot application properties. With the proper configuration properties, Spring CredHub will auto-configure a connection to a CredHub server.
2.1. Mutual TLS Authentication
An application running on Cloud Foundry can authenticate to a CredHub server deployed to the same platform using mutual TLS. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To use mutual TLS authentication to a CredHub server, simply provide the URL of the CredHub server as an application property:
spring:
  credhub:
    url: [CredHub server URL]
See the CredHub documentation for more information on mutual TLS authentication.
An application running on Cloud Foundry can use the internal address https://credhub.service.cf.internal:8844 to communicate with a CredHub server deployed to the same platform.
2.2. OAuth2 Authentication
OAuth2 can be used to authenticate via UAA to any CredHub server. Spring CredHub supports client credentials grant tokens for authentication using the following Spring CredHub and Spring Security configuration:
spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]
The ID provided in spring.credhub.oauth2.registration-id must refer to a client configured under spring.security.oauth2.client.registration.
See the Spring Boot documentation for more information on Spring Boot OAuth2 client configuration.
The OAuth2 client specified in the Spring Security client registration must have CredHub scopes such as credhub.read or credhub.write to perform most operations.
See the CredHub documentation for more information on OAuth2 authentication with UAA.
2.2.1. Auto-configuration of Spring Security OAuth2
When spring.credhub.oauth2 properties are set and Spring Security is on the application classpath, Spring CredHub will auto-configure the Spring Security beans required for OAuth2 authentication.
An application can provide the required Spring Security OAuth2 beans to override the auto-configuration if necessary.
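One way to override the auto-configured client registration, as an added example that is not part of the Spring CredHub documentation: the ClientRegistrationRepository is provided as a bean built from environment variables, so the UAA client secret and token endpoint never appear in application.yml or in source control. The registration id must still equal spring.credhub.oauth2.registration-id, and the scopes requested are the CredHub scopes named above. The variable names CREDHUB_CLIENT_ID, CREDHUB_CLIENT_SECRET and UAA_TOKEN_URI, and the class name, are assumptions for this example.

```java
package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

/**
 * Programmatic replacement for the spring.security.oauth2.client.registration
 * properties. Providing this bean stops Spring Boot from auto-configuring its own
 * ClientRegistrationRepository, so the client secret can come from the process
 * environment instead of a configuration file.
 */
@Configuration
public class CredHubClientRegistrationConfiguration {

    // Must be the same value as spring.credhub.oauth2.registration-id
    static final String REGISTRATION_ID = "credhub-client";

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(Environment env) {
        // Environment variable names are assumptions for this example
        String clientId = required(env, "CREDHUB_CLIENT_ID");
        String clientSecret = required(env, "CREDHUB_CLIENT_SECRET");
        String tokenUri = required(env, "UAA_TOKEN_URI");

        ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .tokenUri(tokenUri)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                // CredHub scopes; request only the ones the application needs
                .scope("credhub.read", "credhub.write")
                .build();

        return new InMemoryClientRegistrationRepository(registration);
    }

    /** Fails fast at startup when a required setting is absent or blank. */
    private static String required(Environment env, String name) {
        String value = env.getProperty(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required setting: " + name);
        }
        return value;
    }
}
```

With this bean in place the spring.security.oauth2.client.* properties are no longer needed; spring.credhub.url and spring.credhub.oauth2.registration-id are still read from application properties as described above.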
Servlet and Non-reactive Applications
Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.
Required Bean Type | Auto-configured Type
---|---
The auto-configured DefaultOAuth2AuthorizedClientManager assumes the application is running in a servlet container and has an active HttpServletRequest.
An application might need to provide an alternate implementation of the OAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceOAuth2AuthorizedClientManager, to process requests outside of an HttpServletRequest, as shown in the following example:
/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

	// Replaces the auto-configured DefaultOAuth2AuthorizedClientManager with one
	// that does not require an active HttpServletRequest
	@Bean
	public AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed for CredHub
		clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}
Refer to the Spring Security documentation for more information and examples of configuring other beans.
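The following startup check, added here as an example and not taken from the Spring CredHub or Spring Security documentation, exercises the two points above: it asks the OAuth2AuthorizedClientManager for a client-credentials token before any HTTP request exists, which only succeeds with a manager such as AuthorizedClientServiceOAuth2AuthorizedClientManager, and it verifies that the token carries the CredHub scopes named in the OAuth2 section. The class name, the principal name and the scope set are assumptions for this example.

```java
package com.example.credhub;

import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.stereotype.Component;

/**
 * Fails application startup when no token can be obtained for the CredHub client
 * registration, or when the token lacks the CredHub scopes. It runs outside any
 * HttpServletRequest, so it depends on an OAuth2AuthorizedClientManager that does
 * not need one (for example AuthorizedClientServiceOAuth2AuthorizedClientManager).
 */
@Component
public class CredHubTokenStartupCheck implements ApplicationRunner {

    // Must be the same value as spring.credhub.oauth2.registration-id
    static final String REGISTRATION_ID = "credhub-client";

    // Scopes the documentation names for CredHub; adjust to what the application needs
    static final Set<String> REQUIRED_SCOPES = Set.of("credhub.read", "credhub.write");

    private final OAuth2AuthorizedClientManager clientManager;

    public CredHubTokenStartupCheck(OAuth2AuthorizedClientManager clientManager) {
        this.clientManager = clientManager;
    }

    @Override
    public void run(ApplicationArguments args) {
        // client_credentials has no end user; the principal name is only the key under
        // which OAuth2AuthorizedClientService caches the token, so any stable name works
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId(REGISTRATION_ID)
                .principal("credhub-startup-check")
                .build();

        OAuth2AuthorizedClient client = clientManager.authorize(request);
        if (client == null) {
            throw new IllegalStateException(
                    "No OAuth2 token obtained for client registration '" + REGISTRATION_ID + "'");
        }

        Set<String> missing = missingScopes(client.getAccessToken().getScopes(), REQUIRED_SCOPES);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("Token for '" + REGISTRATION_ID
                    + "' lacks CredHub scopes " + missing
                    + "; CredHub will reject most operations made with this client");
        }
    }

    /** Returns the required scopes that are absent from the granted set. */
    static Set<String> missingScopes(Set<String> granted, Set<String> required) {
        Set<String> missing = new LinkedHashSet<>(required);
        missing.removeAll(granted);
        return missing;
    }
}
```

If the auto-configured DefaultOAuth2AuthorizedClientManager is still in place, the authorize call fails because no HttpServletRequest is active, which is the situation the paragraph above describes. Spring Security's client-credentials token client fills in the registration's configured scopes when the token response omits a scope field, so a passing scope check confirms the configuration rather than what UAA actually granted; an authorization failure from CredHub itself remains the definitive signal.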
Reactive Applications
Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.
Required Bean Type | Auto-configured Type
---|---
The auto-configured DefaultReactiveOAuth2AuthorizedClientManager requires an active ServerHttpRequest context.
An application might need to provide an alternate implementation of the ReactiveOAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager, to process requests outside of a ServerHttpRequest, as shown in the following example:
/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

	// Replaces the auto-configured DefaultReactiveOAuth2AuthorizedClientManager with one
	// that does not require an active ServerHttpRequest
	@Bean
	public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
			ReactiveClientRegistrationRepository clientRegistrationRepository,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed for CredHub
		clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}
Refer to the Spring Security documentation for more information and examples of configuring other beans.