finkrobertb
diff --git a/‎README.adoc‎
Lines changed: 14 additions & 32 deletions b/‎README.adoc‎
Lines changed: 14 additions & 32 deletions
diff --git a/‎auth-server/README.adoc‎
Lines changed: 55 additions & 123 deletions b/‎auth-server/README.adoc‎
Lines changed: 55 additions & 123 deletions
diff --git a/‎click/README.adoc‎
Lines changed: 24 additions & 52 deletions b/‎click/README.adoc‎
Lines changed: 24 additions & 52 deletions
diff --git a/‎custom-error/README.adoc‎
Lines changed: 27 additions & 61 deletions b/‎custom-error/README.adoc‎
Lines changed: 27 additions & 61 deletions
@@ -12,26 +12,14 @@ projects: [spring-security,spring-security-oauth,spring-boot]
 
 = Social Login with Spring Boot and OAuth2
 
-This guide shows you how to build a sample app doing various things
-with "social login" using https://tools.ietf.org/html/rfc6749[OAuth2]
-and https://projects.spring.io/spring-boot/[Spring Boot]. It starts
-with a simple, single-provider single-sign on, and works up to a
-self-hosted OAuth2 Authorization Server with a choice of
-authentication providers (https://developers.facebook.com[Facebook] or
-https://developer.github.com/[Github]). The samples are all
-single-page apps using Spring Boot and Spring OAuth on the back
-end. They also all use plain https://jquery.org/[jQuery] on the front
-end, but the changes needed to convert to a different JavaScript
-framework or to use server side rendering would be minimal.
-
-Because one of the samples is a full OAuth2 Authorization Server we
-have used the
-https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/[shim
-JAR] which supports bridging from Spring Boot 2.0 to the old Spring
-Security OAuth2 library. The simpler samples could also be implemented
-using the native OAuth2 support in
-https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security-oauth2[Spring
-Boot] security features. The configuration is very similar.
+This guide shows you how to build a sample app doing various things with "social login" using https://tools.ietf.org/html/rfc6749[OAuth2] and https://projects.spring.io/spring-boot/[Spring Boot].
+It starts with a simple, single-provider single-sign on, and works up to a self-hosted OAuth2 Authorization Server with a choice of authentication providers (https://developers.facebook.com[Facebook] or https://developer.github.com/[Github]).
+The samples are all single-page apps using Spring Boot and Spring OAuth on the back end.
+They also all use plain https://jquery.org/[jQuery] on the front end, but the changes needed to convert to a different JavaScript framework or to use server side rendering would be minimal.
+
+Because one of the samples is a full OAuth2 Authorization Server we have used the https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/[shim JAR] which supports bridging from Spring Boot 2.0 to the old Spring Security OAuth2 library.
+The simpler samples could also be implemented using the native OAuth2 support in https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security-oauth2[Spring Boot] security features.
+The configuration is very similar.
 
 include::overview.adoc[]
 
@@ -45,17 +33,11 @@ include::custom-error/README.adoc[leveloffset=+1]
 
 == Conclusion
 
-We have seen how to use Spring Boot and Spring Security to build apps
-in a number of styles with very little effort. The main theme running
-through all of the samples is "social" login using an external OAuth2
-provider. The final sample could even be used to provide such a
-service "internally" because it has the same basic features that the
-external providers have. All of the sample apps can be easily extended
-and re-configured for more specific use cases, usually with nothing
-more than a configuration file change. Remember if you use versions of
-the samples in your own servers to register with Facebook or Github
-(or similar) and get client credentials for your own host
-addresses. And remember not to put those credentials in source
-control!
+We have seen how to use Spring Boot and Spring Security to build apps in a number of styles with very little effort.
+The main theme running through all of the samples is "social" login using an external OAuth2 provider.
+The final sample could even be used to provide such a service "internally" because it has the same basic features that the external providers have.
+All of the sample apps can be easily extended and re-configured for more specific use cases, usually with nothing more than a configuration file change.
+Remember if you use versions of the samples in your own servers to register with Facebook or Github (or similar) and get client credentials for your own host addresses.
+And remember not to put those credentials in source control!
 
 include::https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/footer.adoc[]
@@ -1,22 +1,14 @@
 [[_social_login_click]]
 = Add a Welcome Page
 
-In this section we modify the <<_social_login_simple,simple>> app we
-just built, by adding an explicit link to login with Facebook. Instead
-of being redirected immediately, the new link will be visible on the
-home page, and the user can choose to login or to stay
-unauthenticated. Only when the user has clicked on the link will he be
-shown the secure content.
+In this section we modify the <<_social_login_simple,simple>> app we just built, by adding an explicit link to login with Facebook.
+Instead of being redirected immediately, the new link will be visible on the home page, and the user can choose to login or to stay unauthenticated.
+Only when the user has clicked on the link will he be shown the secure content.
 
 == Conditional Content in Home Page
 
-To render some content conditional on whether the user is
-authenticated or not we could use server side rendering (e.g. with
-Freemarker or Tymeleaf), or we can just ask the browser to to it,
-using some JavaScript. To do that we are going to use
-https://angularjs.org/[AngularJS], but if you prefer to use a
-different framework, it shouldn't be very hard to translate the client
-code.
+To render some content conditional on whether the user is authenticated or not we could use server side rendering (e.g. with Freemarker or Tymeleaf), or we can just ask the browser to to it, using some JavaScript.
+To do that we are going to use https://angularjs.org/[AngularJS], but if you prefer to use a different framework, it shouldn't be very hard to translate the client code.
 
 To get started with the dynamic content we need to mark up the HTML in parts of it are going to display it:
 
@@ -31,10 +23,8 @@ To get started with the dynamic content we need to mark up the HTML in parts of
 </div>
 ----
 
-This HTML sets us up with a need for some client side code that manipulates the 
-`authenticated`, `unauthenticated` and `user` elements.
-Here's a simple implementation of those features (drop them in
-at the end of the `<body>`):
+This HTML sets us up with a need for some client side code that manipulates the `authenticated`, `unauthenticated` and `user` elements.
+Here's a simple implementation of those features (drop them in at the end of the `<body>`):
 
 .index.html
 [source,html]
@@ -50,9 +40,9 @@ at the end of the `<body>`):
 
 == Server Side Changes
 
-For this to work we need some changes on the server side. The "home"
-controller needs an endpoint at "/user" that describes the currently
-authenticated user. That's quite easy to do, e.g. in our main class:
+For this to work we need some changes on the server side.
+The "home" controller needs an endpoint at "/user" that describes the currently authenticated user.
+That's quite easy to do, e.g. in our main class:
 
 .SocialApplication
 [source,java]
@@ -74,19 +64,14 @@ public class SocialApplication {
 }
 ----
 
-Note the use of `@RestController` and `@RequestMapping` and the
-`java.security.Principal` we inject into the handler method.
+Note the use of `@RestController` and `@RequestMapping` and the `java.security.Principal` we inject into the handler method.
 
-WARNING: It's not a great idea to return a whole `Principal` in a
-`/user` endpoint like that (it might contain information you would
-rather not reveal to a browser client). We only did it to get
-something working quickly. Later in the guide we will convert the
-endpoint to hide the information we don't need the browser to have.
+WARNING: It's not a great idea to return a whole `Principal` in a `/user` endpoint like that (it might contain information you would rather not reveal to a browser client).
+We only did it to get something working quickly.
+Later in the guide we will convert the endpoint to hide the information we don't need the browser to have.
 
-This app will now work fine and authenticate as before, but without
-giving the user a chance to click on the link we just provided. To
-make the link visible we also need to switch off the security on the
-home page by adding a `WebSecurityConfigurer`:
+This app will now work fine and authenticate as before, but without giving the user a chance to click on the link we just provided.
+To make the link visible we also need to switch off the security on the home page by adding a `WebSecurityConfigurer`:
 
 .SocialApplication
 [source,java]
@@ -112,25 +97,12 @@ public class SocialApplication extends WebSecurityConfigurerAdapter {
 }
 ----
 
-Spring Boot attaches a special meaning to a `WebSecurityConfigurer` on
-the class that carries the `@EnableOAuth2Sso` annotation: it uses it
-to configure the security filter chain that carries the OAuth2
-authentication processor. So all we need to do to make our home page
-visible is to explicitly `authorizeRequests()` to the home page and
-the static resources it contains (we also include access to the login
-endpoints which handle the authentication). All other requests
-(e.g. to the `/user` endpoint) require authentication.
-
-NOTE: `/error**` is an unprotected path because we want Spring Boot
-to be able to render errors if there is a problem in the app, even
-if the user is unauthenticated.
-
-With that change in place the application is complete, and if you run
-it and visit the home page you should see a nicely styled HTML link to
-"login with Facebook". The link takes you not directly to Facebook,
-but to the local path that processes the authentication (and sends a
-redirect to Facebook). Once you have authenticated you get redirected
-back to the local app, where it now displays your name (assuming you
-have set up your permissions in Facebook to allow access to that
-data).
+Spring Boot attaches a special meaning to a `WebSecurityConfigurer` on the class that carries the `@EnableOAuth2Sso` annotation: it uses it to configure the security filter chain that carries the OAuth2 authentication processor.
+So all we need to do to make our home page visible is to explicitly `authorizeRequests()` to the home page and the static resources it contains (we also include access to the login endpoints which handle the authentication).
+All other requests (e.g. to the `/user` endpoint) require authentication.
 
+NOTE: `/error**` is an unprotected path because we want Spring Boot to be able to render errors if there is a problem in the app, even if the user is unauthenticated.
+
+With that change in place the application is complete, and if you run it and visit the home page you should see a nicely styled HTML link to "login with Facebook".
+The link takes you not directly to Facebook, but to the local path that processes the authentication (and sends a redirect to Facebook).
+Once you have authenticated you get redirected back to the local app, where it now displays your name (assuming you have set up your permissions in Facebook to allow access to that data).
@@ -1,21 +1,14 @@
 [[_custom_error]]
 = Adding an Error Page for Unauthenticated Users
 
-In this section we modify the <<_social_login_logout,logout>> app we
-built earlier, switching to Github authentication, and also giving
-some feedback to users that cannot authenticate. At the same time we
-take the opportunity to extend the authentication logic to include a
-rule that only allows users if they belong to a specific Github
-organization. The "organization" is a Github domain-specific concept,
-but similar rules could be devised for other providers, e.g. with
-Google you might want to only authenticate users from a specific
-domain.
+In this section we modify the <<_social_login_logout,logout>> app we built earlier, switching to Github authentication, and also giving some feedback to users that cannot authenticate.
+At the same time we take the opportunity to extend the authentication logic to include a rule that only allows users if they belong to a specific Github organization.
+The "organization" is a Github domain-specific concept, but similar rules could be devised for other providers, e.g. with Google you might want to only authenticate users from a specific domain.
 
 == Switching to Github
 
-The <<_social_login_logout,logout>> sample use Facebook as an OAuth2
-provider. We can easily switch to Github by changing the local
-configuration:
+The <<_social_login_logout,logout>> sample use Facebook as an OAuth2 provider.
+We can easily switch to Github by changing the local configuration:
 
 .application.yml
 [source,yaml]
@@ -34,9 +27,8 @@ security:
 
 == Detecting an Authentication Failure in the Client
 
-On the client we need to be able to provide some feedback for a user
-that could not authenticate. To facilitate this we add a div with an
-informative message:
+On the client we need to be able to provide some feedback for a user that could not authenticate.
+To facilitate this we add a div with an informative message:
 
 .index.html
 ----
@@ -45,8 +37,7 @@ There was an error (bad credentials).
 </div>
 ----
 
-This text will only be shown when the "error" element is shown,
-so we need some code to do that:
+This text will only be shown when the "error" element is shown, so we need some code to do that:
 
 .index.html
 ----
@@ -68,15 +59,12 @@ $.ajax({
 });
 ----
 
-The authentication function checks the browser location when it loads
-and if it finds a URL with "error=true" in it, the flag is set.
+The authentication function checks the browser location when it loads and if it finds a URL with "error=true" in it, the flag is set.
 
 == Adding an Error Page
 
-To support the flag setting in the client we need to be able to
-capture an authentication error and redirect to the home page
-with that flag set in query parameters. Hence we need an 
-endpoint, in a regular `@Controller` like this:
+To support the flag setting in the client we need to be able to capture an authentication error and redirect to the home page with that flag set in query parameters.
+Hence we need an endpoint, in a regular `@Controller` like this:
 
 .SocialApplication.java
 [source,java]
@@ -87,11 +75,8 @@ public String unauthenticated() {
 }
 ----
 
-In the sample app we put this in the main application class, which is
-now a `@Controller` (not a `@RestController`) so it can handle the
-redirect. The last thing we need is a mapping from an unauthenticated
-response (HTTP 401, a.k.a. UNAUTHORIZED) to the "/unauthenticated"
-endpoint we just added:
+In the sample app we put this in the main application class, which is now a `@Controller` (not a `@RestController`) so it can handle the redirect.
+The last thing we need is a mapping from an unauthenticated response (HTTP 401, a.k.a. UNAUTHORIZED) to the "/unauthenticated" endpoint we just added:
 
 .ServletCustomizer.java
 [source,java]
@@ -107,26 +92,16 @@ public class ServletCustomizer {
 }
 ----
 
-(In the sample, this is added as a nested class inside the main
-application, just for conciseness.)
+(In the sample, this is added as a nested class inside the main application, just for conciseness.)
 
 == Generating a 401 in the Server
 
-A 401 response will already be coming from Spring Security if the user
-cannot or does not want to login with Github, so the app is already
-working if you fail to authenticate (e.g. by rejecting the token
-grant).
-
-To spice things up a bit we will extend the authentication rule to
-reject users that are not in the right organization. It is easy to use
-the Github API to find out more about the user, so we just need to
-plug that into the right part of the authentication
-process. Fortunately, for such a simple use case, Spring Boot has
-provided an easy extension point: if we declare a `@Bean` of type
-`AuthoritiesExtractor` it will be used to construct the authorities
-(typically "roles") of an authenticated user. We can use that hook to
-assert the the user is in the correct orignization, and throw an
-exception if not:
+A 401 response will already be coming from Spring Security if the user cannot or does not want to login with Github, so the app is already working if you fail to authenticate (e.g. by rejecting the token grant).
+
+To spice things up a bit we will extend the authentication rule to reject users that are not in the right organization.
+It is easy to use the Github API to find out more about the user, so we just need to plug that into the right part of the authentication process.
+Fortunately, for such a simple use case, Spring Boot has provided an easy extension point: if we declare a `@Bean` of type `AuthoritiesExtractor` it will be used to construct the authorities (typically "roles") of an authenticated user.
+We can use that hook to assert the the user is in the correct organization, and throw an exception if not:
 
 .SocialApplication.java
 [source,java]
@@ -146,19 +121,12 @@ public AuthoritiesExtractor authoritiesExtractor(OAuth2RestOperations template)
 }
 ----
 
-Note that we have autowired a `OAuth2RestOperations` into this method,
-so we can use that to access the Github API on behalf of the
-authenticated user. We do that, and loop over the organizations,
-looking for one that matches "spring-projects" (this is the
-organization that is used to store Spring open source projects). You
-can substitute your own value there if you want to be able to
-authenticate successfully and you are not in the Spring Engineering
-team. If there is no match, we throw `BadCredentialsException` and
-this is picked up by Spring Security and turned in to a 401 response.
+Note that we have autowired a `OAuth2RestOperations` into this method, so we can use that to access the Github API on behalf of the authenticated user.
+We do that, and loop over the organizations, looking for one that matches "spring-projects" (this is the organization that is used to store Spring open source projects).
+You can substitute your own value there if you want to be able to authenticate successfully and you are not in the Spring Engineering team.
+If there is no match, we throw `BadCredentialsException` and this is picked up by Spring Security and turned in to a 401 response.
 
-The `OAuth2RestOperations` has to be created as a bean as well (as of
-Spring Boot 1.4), but that's trivial because its ingredients are all
-autowirable by virtue of having used `@EnableOAuth2Sso`:
+The `OAuth2RestOperations` has to be created as a bean as well (as of Spring Boot 1.4), but that's trivial because its ingredients are all autowirable by virtue of having used `@EnableOAuth2Sso`:
 
 [source,java,indent=0]
 ----
@@ -168,7 +136,5 @@ public OAuth2RestTemplate oauth2RestTemplate(OAuth2ProtectedResourceDetails reso
 }
 ----
 
-TIP: Obviously the code above can be generalized to other
-authentication rules, some applicable to Github and some to other
-OAuth2 providers. All you need is the `OAuth2RestOperations` and some
-knowledge of the provider's API.
+TIP: Obviously the code above can be generalized to other authentication rules, some applicable to Github and some to other OAuth2 providers.
+All you need is the `OAuth2RestOperations` and some knowledge of the provider's API.