Java Getting started
This multistep quickstart guide will walk you through managing authentication in your Java Servlet MVC Application with Auth0.
Each tutorial in the series includes a link to its corresponding sample project. You can find all the samples here.
Create a Client
If you haven't already done so, create a new client application in your Auth0 dashboard and choose Regular Web Application for the Type and POST for the Token Endpoint Authentication Method.
Configure Callback URLs
Callback URLs are URLs that Auth0 invokes after the authentication process. Auth0 routes your application back to this URL and attaches some details to it including a token. Callback URLs can be manipulated on the fly and that could be harmful. For security reasons, you will need to add your application's URL in the app's
Allowed Callback URLs. This will enable Auth0 to recognize the URLs as valid. If omitted, authentication will not be successful for the app instance.
The same applies for the Logout URLs. They must be whitelisted in the Auth0 Dashboard. If you follow our seed project or the samples based on it, the values you must configure are:
- Allowed Callback URLs:
- Allowed Logout URLs:
To integrate your Java application with Auth0 you need to add the following dependencies:
- javax.servlet-api: is the library that allows you to create Java Servlets. You then need to add a Server dependency like Tomcat or Gretty, which one is up to you. Check our sample code for more information.
- auth0-java-mvc-commons: is the Java library that allows you to use Auth0 with Java for server-side MVC web apps. It generates the Authorize URL that you need to call in order to authenticate and validates the result received on the way back to finally obtain the Auth0 Tokens that identify the user. You can always check the latest version in the library's GitHub.
If you are using Gradle, add them to your
compile 'javax.servlet:javax.servlet-api:3.1.0' compile 'com.auth0:mvc-auth-commons:1.+'
If you are using Maven, add them to your
<dependency> <groupId>com.auth0</groupId> <artifactId>mvc-auth-commons</artifactId> <version>1.+</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> </dependency>
Configure your Java App
Your Java App needs some information in order to authenticate against your Auth0 account. The samples read this information from the deployment descriptor file
src/main/webapp/WEB-INF/web.xml, but you could store them anywhere else. The required information is:
<context-param> <param-name>com.auth0.domain</param-name> <param-value>YOUR_AUTH0_DOMAIN</param-value> </context-param> <context-param> <param-name>com.auth0.clientId</param-name> <param-value>YOUR_CLIENT_ID</param-value> </context-param> <context-param> <param-name>com.auth0.clientSecret</param-name> <param-value>YOUR_CLIENT_SECRET</param-value> </context-param>
The library we're using has this default behavior:
- Request the scope
openid, needed to call the
/userinfoendpoint later to verify the User's identity.
- Request the
codeResponse Type and later perform a Code Exchange to obtain the tokens.
- Use the
HS256Algorithm along with the Client Secret to verify the tokens.
But it also allows us to customize it's behavior:
- To use the
RS256Algorithm along with the Public Key obtained dynamically from the Auth0 hosted JWKs file, pass a
JwkProviderinstance to the
- To use a different Response Type, set the desired value in the
AuthenticationControllerbuilder. Any combination of
code token id_tokenis allowed.
- To request a different
scope, set the desired value in the
AuthorizeUrlreceived after calling
- To specify the
audience, set the desired value in the
AuthorizeUrlreceived after calling
Check populated attributes
If you download the seed using our Download Sample button then the
clientSecret attributes will be populated for you, unless you are not logged in or you do not have at least one registered client. In any case, you should verify that the values are correct if you have multiple clients in your account and you might want to use another than the one we set the information for.