From de73eb24168d4233101d4e8676a74af55fe7e55f Mon Sep 17 00:00:00 2001
From: archcentric <51startup\@sina.com>
Date: Sat, 14 Apr 2018 12:49:54 +0800
Subject: [PATCH] upload security lab
---
README.md | 2 +
lab07/README.md | 38 ++++++++++++
.../state-client/.gitignore | 24 ++++++++
.../state-param-security/state-client/pom.xml | 56 +++++++++++++++++
.../clientstate/ClientStateApplication.java | 12 ++++
.../oauth2/clientstate/HomeController.java | 36 +++++++++++
.../clientstate/OAuth2Configuration.java | 32 ++++++++++
.../src/main/resources/application.properties | 4 ++
.../src/main/resources/templates/home.html | 13 ++++
.../main/resources/templates/resource.html | 10 +++
.../state-oauth2server/.gitignore | 24 ++++++++
.../state-oauth2server/pom.xml | 61 +++++++++++++++++++
.../oauth2serverstate/ApiController.java | 18 ++++++
.../CustomUserDetailsService.java | 25 ++++++++
.../oauth2serverstate/OAuth2Server.java | 36 +++++++++++
.../Oauth2ServerStateApplication.java | 12 ++++
.../oauth2/oauth2serverstate/UserInfo.java | 59 ++++++++++++++++++
.../oauth2serverstate/UserInfoRepository.java | 9 +++
.../src/main/resources/application.properties | 0
.../src/main/resources/data.sql | 2 +
20 files changed, 473 insertions(+)
create mode 100644 lab07/README.md
create mode 100644 lab07/state-param-security/state-client/.gitignore
create mode 100644 lab07/state-param-security/state-client/pom.xml
create mode 100644 lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/ClientStateApplication.java
create mode 100644 lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/HomeController.java
create mode 100644 lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/OAuth2Configuration.java
create mode 100644 lab07/state-param-security/state-client/src/main/resources/application.properties
create mode 100644 lab07/state-param-security/state-client/src/main/resources/templates/home.html
create mode 100644 lab07/state-param-security/state-client/src/main/resources/templates/resource.html
create mode 100644 lab07/state-param-security/state-oauth2server/.gitignore
create mode 100644 lab07/state-param-security/state-oauth2server/pom.xml
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/ApiController.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/CustomUserDetailsService.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/OAuth2Server.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/Oauth2ServerStateApplication.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfo.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfoRepository.java
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/resources/application.properties
create mode 100644 lab07/state-param-security/state-oauth2server/src/main/resources/data.sql
diff --git a/README.md b/README.md
index a968218..a0e3936 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,8 @@ oauth2lab
5. [Postman](https://www.getpostman.com/)
6. [Eclipse STS](https://spring.io/tools)
7. [Android Studio](https://developer.android.com/studio/index.html)
+8. [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+9. [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
# 实验目录
1. [lab01](lab01)~授权服务器实验
diff --git a/lab07/README.md b/lab07/README.md
new file mode 100644
index 0000000..4cb298e
--- /dev/null
+++ b/lab07/README.md
@@ -0,0 +1,38 @@
+跨站点请求伪造(CSRF)安全实验
+======
+
+# 操作方式
+
+### 1. 安装Firefox浏览器和NoRedirect Add on for Firefox
+* [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+* [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
+
+将`http://localhost:8080`加入NoRedirect设置的规则列表,选中`来源`,并将该规则置顶。
+
+### 2. 启动授权服务器state-oauth2server,端口8080
+
+### 3. 启动Web客户端应用state-client,端口9000
+
+### 4. 使用Firefox浏览器获取授权码
+
+使用黑客账号`attacker/xyz`进行登录认证,注意请求不带**state**
+
+```
+http://localhost:8080/oauth/authorize?client_id=clientapp&redirect_uri=http
+://localhost:9000/resource&response_type=code&scope=read+write
+```
+获取授权码返回链接被NoRedirect截获,复制该链接
+
+```
+http://localhost:9000/resource?code=So3A96
+```
+
+### 5. 使用Chrome浏览器登录`http://loalhost:9000`
+
+使用正常用户账号`bobo/xyz`进行登录认证
+
+在浏览器地址栏粘贴上面复制的授权码返回链接,并请求,Spring Security OAuth2 client会进行state校验并报错:
+
+```
+Possible CSRF detected - state parameter was required but no state could be found
+```
\ No newline at end of file
diff --git a/lab07/state-param-security/state-client/.gitignore b/lab07/state-param-security/state-client/.gitignore
new file mode 100644
index 0000000..2af7cef
--- /dev/null
+++ b/lab07/state-param-security/state-client/.gitignore
@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/
\ No newline at end of file
diff --git a/lab07/state-param-security/state-client/pom.xml b/lab07/state-param-security/state-client/pom.xml
new file mode 100644
index 0000000..8961118
--- /dev/null
+++ b/lab07/state-param-security/state-client/pom.xml
@@ -0,0 +1,56 @@
+
+
+ 4.0.0
+
+ io.spring2go.oauth2
+ state-client
+ 0.0.1-SNAPSHOT
+ jar
+
+ state-client
+ Demo project for Spring Boot
+
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 1.5.10.RELEASE
+
+
+
+
+ UTF-8
+ UTF-8
+ 1.8
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.springframework.boot
+ spring-boot-starter-thymeleaf
+
+
+ org.springframework.security.oauth
+ spring-security-oauth2
+
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
+
+
diff --git a/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/ClientStateApplication.java b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/ClientStateApplication.java
new file mode 100644
index 0000000..1de2ba9
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/ClientStateApplication.java
@@ -0,0 +1,12 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ClientStateApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ClientStateApplication.class, args);
+ }
+}
diff --git a/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/HomeController.java b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/HomeController.java
new file mode 100644
index 0000000..bf6ebc5
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/HomeController.java
@@ -0,0 +1,36 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class HomeController {
+
+ @Autowired
+ private OAuth2RestTemplate restTemplate;
+
+ @GetMapping("/")
+ public ModelAndView home() {
+ User user = (User) SecurityContextHolder
+ .getContext().getAuthentication().getPrincipal();
+ ModelAndView mv = new ModelAndView("home");
+ mv.addObject("username", user.getUsername());
+ return mv;
+ }
+
+ @GetMapping("/resource")
+ public ModelAndView resource() {
+ String result = restTemplate
+ .getForObject("http://localhost:8080/api/username", String.class);
+
+ ModelAndView mv = new ModelAndView("resource");
+ mv.addObject("result", result);
+ return mv;
+ }
+
+}
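Review bot: The cast at lines 237-238 assumes the principal in the security context is a Spring `User`; that holds for the in-memory `security.user.*` account configured in application.properties, but any other principal type (the `"anonymousUser"` String, a custom `UserDetails`) would make `home()` fail with a ClassCastException rather than render. Since only the name is used, `mv.addObject("username", SecurityContextHolder.getContext().getAuthentication().getName());` avoids the cast altogether. The same pattern appears in ApiController at line 447, where the principal is cast to `UserInfo`. The resource URL at line 247 is also a hard-coded literal duplicating the host already spelled out in OAuth2Configuration; a property such as `@Value("${oauth2.resource.uri}")` would keep both in one place.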
diff --git a/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/OAuth2Configuration.java b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/OAuth2Configuration.java
new file mode 100644
index 0000000..4fcbbe5
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/OAuth2Configuration.java
@@ -0,0 +1,32 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.OAuth2ClientContext;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
+import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
+
+@Configuration @EnableOAuth2Client
+public class OAuth2Configuration {
+
+ @Bean
+ public OAuth2ProtectedResourceDetails authorizationCode() {
+ AuthorizationCodeResourceDetails details =
+ new AuthorizationCodeResourceDetails();
+ details.setId("oauth2server");
+ details.setClientId("clientapp");
+ details.setClientSecret("112233");
+ details.setUseCurrentUri(true);
+ details.setUserAuthorizationUri("http://localhost:8080/oauth/authorize");
+ details.setAccessTokenUri("http://localhost:8080/oauth/token");
+ return details;
+ }
+
+ @Bean
+ public OAuth2RestTemplate restTemplate(OAuth2ClientContext context) {
+ return new OAuth2RestTemplate(authorizationCode(), context);
+ }
+
+}
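Review bot: The client secret `"112233"` is a literal in source at line 280, and the same value is repeated in OAuth2Server at line 509, so rotating it means touching two files in two projects. Injecting it with `@Value("${oauth2.client.secret}")` (or Boot 1.5's `security.oauth2.client.*` properties) and keeping the value in application.properties would separate the lab code from its credential. A short class comment saying where the `state` check that this lab demonstrates actually comes from would also help readers; as far as I recall it is the default access-token provider used by `OAuth2RestTemplate`, not anything set here, which is worth confirming and documenting.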
diff --git a/lab07/state-param-security/state-client/src/main/resources/application.properties b/lab07/state-param-security/state-client/src/main/resources/application.properties
new file mode 100644
index 0000000..b2231c4
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/resources/application.properties
@@ -0,0 +1,4 @@
+server.port=9000
+server.session.cookie.name=client_session
+security.user.name=bobo
+security.user.password=xyz
diff --git a/lab07/state-param-security/state-client/src/main/resources/templates/home.html b/lab07/state-param-security/state-client/src/main/resources/templates/home.html
new file mode 100644
index 0000000..6cd8d68
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/resources/templates/home.html
@@ -0,0 +1,13 @@
+
+
+
+
+
+
diff --git a/lab07/state-param-security/state-client/src/main/resources/templates/resource.html b/lab07/state-param-security/state-client/src/main/resources/templates/resource.html
new file mode 100644
index 0000000..27b187a
--- /dev/null
+++ b/lab07/state-param-security/state-client/src/main/resources/templates/resource.html
@@ -0,0 +1,10 @@
+
+
+
+
+
That's the result
+
result:
+
+
+
diff --git a/lab07/state-param-security/state-oauth2server/.gitignore b/lab07/state-param-security/state-oauth2server/.gitignore
new file mode 100644
index 0000000..2af7cef
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/.gitignore
@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/
\ No newline at end of file
diff --git a/lab07/state-param-security/state-oauth2server/pom.xml b/lab07/state-param-security/state-oauth2server/pom.xml
new file mode 100644
index 0000000..024f5a2
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/pom.xml
@@ -0,0 +1,61 @@
+
+
+ 4.0.0
+
+ io.spring2go.oauth2
+ state-oauth2server
+ 0.0.1-SNAPSHOT
+ jar
+
+ state-oauth2server
+ Demo project for Spring Boot
+
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 1.5.10.RELEASE
+
+
+
+
+ UTF-8
+ UTF-8
+ 1.8
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.springframework.boot
+ spring-boot-starter-data-jpa
+
+
+ com.h2database
+ h2
+ runtime
+
+
+ org.springframework.security.oauth
+ spring-security-oauth2
+
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
+
+
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/ApiController.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/ApiController.java
new file mode 100644
index 0000000..283a5f3
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/ApiController.java
@@ -0,0 +1,18 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class ApiController {
+
+ @GetMapping("/api/username")
+ public ResponseEntity getUsername() {
+ UserInfo user = (UserInfo) SecurityContextHolder
+ .getContext().getAuthentication().getPrincipal();
+ return ResponseEntity.ok("success " + user.getUsername());
+ }
+
+}
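Review bot: `getUsername()` reads the principal only to get its name, so the cast to `UserInfo` at line 447 is unnecessary and ties this endpoint to the entity type returned by CustomUserDetailsService; `SecurityContextHolder.getContext().getAuthentication().getName()` gives the same string without the cast. A one-line Javadoc stating that the endpoint is protected by the resource server's `/api/**` matcher (configured in OAuth2Server) would make the contract visible here.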
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/CustomUserDetailsService.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/CustomUserDetailsService.java
new file mode 100644
index 0000000..aa7ba73
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/CustomUserDetailsService.java
@@ -0,0 +1,25 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+import java.util.Optional;
+
+@Service
+public class CustomUserDetailsService implements UserDetailsService {
+
+ @Autowired
+ private UserInfoRepository repository;
+
+ @Override
+ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+ Optional user =
+ repository.findByUsername(username);
+
+ return user.orElseThrow(() ->
+ new UsernameNotFoundException("user does not exists"));
+ }
+}
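Review bot: The exception message at line 481 reads `"user does not exists"`; `"user does not exist"` is the intended wording. As far as I recall Spring's DaoAuthenticationProvider hides UsernameNotFoundException behind a generic bad-credentials error by default, so the text is not user-facing, but it does reach logs.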
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/OAuth2Server.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/OAuth2Server.java
new file mode 100644
index 0000000..46cda50
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/OAuth2Server.java
@@ -0,0 +1,36 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+
+@Configuration
+public class OAuth2Server {
+
+ @EnableAuthorizationServer
+ public static class AuthorizationServer
+ extends AuthorizationServerConfigurerAdapter {
+
+ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
+ clients.inMemory()
+ .withClient("clientapp").secret("112233")
+ .scopes("read", "write")
+ .authorizedGrantTypes("authorization_code");
+ }
+
+ }
+
+ @EnableResourceServer
+ public static class ResourceServer
+ extends ResourceServerConfigurerAdapter {
+ public void configure(HttpSecurity http) throws Exception {
+ http.authorizeRequests().anyRequest().authenticated().and()
+ .requestMatchers().antMatchers("/api/**");
+ }
+ }
+
+}
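Review bot: The client registration at lines 508-511 registers no redirect URI, so the authorization server falls back to whatever `redirect_uri` the request carries; in the spring-security-oauth2 generation managed by Boot 1.5.10 the default redirect resolver accepts any requested URI when none is registered, which I would not leave open even in a lab focused on `state` — verify against the managed version. Adding `.redirectUris("http://localhost:9000/resource")` after `.scopes("read", "write")` matches the URI the client computes with `setUseCurrentUri(true)` (the same one captured in the lab README). Both `configure` methods also lack `@Override`, which would let the compiler catch a signature drift against the adapter base classes.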
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/Oauth2ServerStateApplication.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/Oauth2ServerStateApplication.java
new file mode 100644
index 0000000..5a4b3db
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/Oauth2ServerStateApplication.java
@@ -0,0 +1,12 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Oauth2ServerStateApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Oauth2ServerStateApplication.class, args);
+ }
+}
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfo.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfo.java
new file mode 100644
index 0000000..f846dd4
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfo.java
@@ -0,0 +1,59 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.Arrays;
+import java.util.Collection;
+
+@Entity
+@Table(name = "userinfo")
+public class UserInfo implements UserDetails {
+ @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
+ private Long id;
+
+ private String username;
+
+ private String password;
+
+ @Override
+ public Collection extends GrantedAuthority> getAuthorities() {
+ return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
+ }
+
+ @Override
+ public String getPassword() {
+ return password;
+ }
+
+ @Override
+ public String getUsername() {
+ return username;
+ }
+
+ @Override
+ public boolean isAccountNonExpired() {
+ return true;
+ }
+
+ @Override
+ public boolean isAccountNonLocked() {
+ return true;
+ }
+
+ @Override
+ public boolean isCredentialsNonExpired() {
+ return true;
+ }
+
+ @Override
+ public boolean isEnabled() {
+ return true;
+ }
+}
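Review bot: `UserInfo` is the object that becomes the authenticated principal (CustomUserDetailsService returns the entity itself), and it holds the raw `password` field with no way to clear it; as far as I recall Spring's ProviderManager erases credentials after authentication only for principals implementing `CredentialsContainer`, so the password stays in the session-bound principal for the life of the session. Declaring `public class UserInfo implements UserDetails, CredentialsContainer` and adding `@Override public void eraseCredentials() { this.password = null; }` closes that. The rows in data.sql (lines 633-634) store the passwords in clear and `getPassword()` returns them unchanged; acceptable for a lab fixture, but a comment saying so would stop the pattern being copied. `Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))` at line 576 could be `Collections.singletonList(...)` for a single element.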
diff --git a/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfoRepository.java b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfoRepository.java
new file mode 100644
index 0000000..c75c586
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/UserInfoRepository.java
@@ -0,0 +1,9 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.Optional;
+
+public interface UserInfoRepository extends JpaRepository {
+ Optional findByUsername(String username);
+}
diff --git a/lab07/state-param-security/state-oauth2server/src/main/resources/application.properties b/lab07/state-param-security/state-oauth2server/src/main/resources/application.properties
new file mode 100644
index 0000000..e69de29
diff --git a/lab07/state-param-security/state-oauth2server/src/main/resources/data.sql b/lab07/state-param-security/state-oauth2server/src/main/resources/data.sql
new file mode 100644
index 0000000..7ebc76a
--- /dev/null
+++ b/lab07/state-param-security/state-oauth2server/src/main/resources/data.sql
@@ -0,0 +1,2 @@
+insert into userinfo (username, password) values ('bobo', 'xyz');
+insert into userinfo (username, password) values ('attacker', 'xyz');