Securing a Spring Boot Application

ZTrust integrates with Spring Boot using OpenID Connect (OIDC) to handle authentication and authorization. This setup enables secure login and role-based access for your applications.

Prerequisites

Before integrating your Spring Boot application with ZTrust, ensure the following are in place:

  • ZTrust SSO – A running ZTrust instance that will act as the identity and access management provider.

  • Spring Boot Application – Your application should be set up with Spring Security, which provides the foundation for authentication and authorization.

  • Configured Realm and Client – A realm and client must already be created in ZTrust, with the client configured for OIDC. These settings will be used by your Spring Boot app to authenticate users and validate tokens.

With these prerequisites, your application will be ready to establish a secure connection with ZTrust using OpenID Connect.

Step 1: Set up ZTrust

  1. Log in to the ZTrust Admin Console.

  2. Click on Manage Realms in the sidebar to view the list of realms available in your ZTrust.

  3. From the list of realms, select the realm that your Spring Boot application will authenticate against.

  4. From the left sidebar, navigate to the Clients section.

  5. You will see a list of clients (applications). Choose or create the client that will represent your Spring Boot application.

  6. After selecting your client, you will be taken to its settings page.

  7. Enter your application’s redirect URL in the Valid Redirect URIs field.

  8. Then, under Capability config, turn on Client authentication and save.

  9. You will now see a new tab enabled, called Credentials.

  10. Navigate to the Credentials tab, where you can view and copy the Client Secret.

  11. With the ZTrust configuration complete, we can now move on to the Spring Boot side of the setup.

Step 2: Set up Spring Boot

  1. Add dependencies to your Spring Boot app. If you're using Spring Boot 3.x:

    <!-- pom.xml -->
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
      </dependency>
    </dependencies>

    If you want to enable OAuth2 Login, also add:

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>

  2. Configure application.yml or application.properties

    application.yml example:

    server:
      port: 8081
    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: https://auth.example.com/realms/organisation-realm
          client:
            registration:
              ztrust:
                client-id: application-client
                client-secret: YOUR_CLIENT_SECRET
                authorization-grant-type: authorization_code
                redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
                scope: openid,profile,email
            provider:
              ztrust:
                issuer-uri: https://auth.example.com/realms/organisation-realm

  3. Secure Endpoints

    Create a basic SecurityConfig:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                // Anything under /public/ is open; every other request needs an authenticated principal
                .authorizeHttpRequests(authz -> authz
                    .requestMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
                )
                // Browser users are redirected to ZTrust for OIDC login
                .oauth2Login(Customizer.withDefaults())
                // API clients present a ZTrust-issued JWT as a bearer token; it is validated
                // against the issuer-uri configured in application.yml (jwt() without a
                // Customizer is deprecated in Spring Security 6.1+)
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
            return http.build();
        }
    }
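    The basic SecurityConfig above authenticates every non-public request but does not yet express the role-based access mentioned in the introduction, and the default resource-server decoder checks the token's issuer and expiry but not its audience. The following added example (not code from the ZTrust documentation or the ZTrust project) extends that configuration in both directions. It assumes the issuer URI and client id from the application.yml above, a hypothetical package name, that ZTrust places realm roles in a realm_access.roles claim (a Keycloak-style layout; adjust ROLES_CLAIM if ZTrust tokens differ), that the access token's aud claim contains the client id, and an /admin/** path guarded by a role named admin.

```java
package com.example.ztrust.security; // hypothetical package name

import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // lets @PreAuthorize("hasRole('admin')") work on controllers and services
public class ZTrustSecurityConfig {

    // Assumed: same issuer as application.yml; the client id is what we expect in the aud claim
    private static final String ISSUER = "https://auth.example.com/realms/organisation-realm";
    private static final String EXPECTED_AUDIENCE = "application-client";
    // Assumed claim layout: realm roles under realm_access.roles (Keycloak-style)
    private static final String ROLES_CLAIM = "realm_access";

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("admin") // matches ROLE_admin from the mapper below
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // Decoder built from the issuer's OIDC discovery document, with an audience check added
    // on top of the default issuer and timestamp (exp/nbf) validation.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            defaults, new AudienceValidator(EXPECTED_AUDIENCE)));
        return decoder;
    }

    // Rejects tokens minted for a different client in the same realm.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }

    // Maps realm roles in the token to Spring authorities with the ROLE_ prefix.
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(this::extractRealmRoles);
        return converter;
    }

    private Collection<GrantedAuthority> extractRealmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap(ROLES_CLAIM);
        // A token without the claim, or with an unexpected shape, gets no roles rather than an exception
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection<?> roles)) {
            return List.of();
        }
        return roles.stream()
            .map(Object::toString)
            .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
            .collect(Collectors.toList());
    }
}
```

    The role mapper applies to bearer-token requests handled by the resource server; browser sessions established through oauth2Login derive their authorities from the OIDC login flow instead, so a role check that must hold on both paths should also be configured there. If ZTrust issues access tokens whose aud claim does not contain the client id, either configure the client so that it does or set EXPECTED_AUDIENCE to the value ZTrust actually emits; otherwise every bearer request will be rejected with invalid_token.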
