[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件
没有任何注释,表怪我(¬_¬)
更新:
2016.05.29: 将AuthorizationServer和ResourceServer分开配置
2016.05.29: Token获取采用Http Basic认证以符合RFC6749标准
2016.05.29: grant_type支持authorization_code, password, refresh_token
2016.05.27: 增加用于REST服务的安全配置
2016.05.27: 可选采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0或者HTTP BASIC
2016.05.27: REST安全验证和WEB安全验证均可通过配置文件关闭
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd"> <global-method-security pre-post-annotations="enabled" order="0"
proxy-target-class="true">
</global-method-security> <beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" /> <http security="none" pattern="/resources/**" />
<http security="none" pattern="/favicon.ico" /> <beans:beans profile="oauth-authorization-server">
<beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="signingKey" ref="jwtSigningKey"/>
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetailsService"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
<authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager> <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" >
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="requestFactory">
<beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:authorization-server
token-services-ref="oauth2AuthorizationServerTokenServices"
client-details-service-ref="clientDetailsService"
user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
user-approval-page="oauth/authorize"
error-page="oauth/error" >
<oauth2:authorization-code />
<!--<oauth2:implicit />-->
<oauth2:refresh-token />
<!--<oauth2:client-credentials />-->
<oauth2:password />
</oauth2:authorization-server> <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
<intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
<http-basic />
<access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-oauth,oauth-resource-server">
<beans:bean id="oauth2ResourceServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2ResourceServerAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:constructor-arg>
</beans:bean> <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}" token-services-ref="oauth2ResourceServerTokenServices" /> <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager"> <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY"/>
<intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY"/>
<intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH"/> <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-basic">
<http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
<intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()"/>
<http-basic />
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-none">
<http security="none" pattern="${rest.rooturl}/**" />
</beans:beans> <beans:beans profile="web-security-none">
<http security="none" pattern="/**" />
</beans:beans> <beans:beans profile="web-security-local,web-security-ldap">
<http use-expressions="true"> <intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login" login-processing-url="/login"
authentication-failure-url="/login?error"
default-target-url="/" username-parameter="username"
password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false"
session-registry-ref="sessionRegistry" />
</session-management> <csrf disabled="true" /> </http>
</beans:beans> <beans:beans profile="web-security-local">
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans> <beans:beans profile="web-security-ldap">
<authentication-manager>
<authentication-provider ref="ldapAuthenticationProvider" />
</authentication-manager> <beans:bean id="ldapAuthenticationProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg index="0"
ref="ldapAuthenticator" />
<beans:constructor-arg index="1"
ref="ldapAuthoritiesPopulator" />
</beans:bean> <beans:bean id="ldapAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="ldapContextSource" />
<beans:property name="userSearch" ref="ldapUserSearch" />
</beans:bean> <beans:bean id="ldapUserSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0"
value="${ldap.searchBase}" />
<beans:constructor-arg index="1"
value="${ldap.searchFilter}" />
<beans:constructor-arg index="2"
ref="ldapContextSource" />
</beans:bean> <beans:bean id="ldapContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="${ldap.url}" />
<beans:property name="userDn" value="${ldap.userDN}" />
<beans:property name="password" value="${ldap.password}" />
</beans:bean> <beans:bean id="ldapAuthoritiesPopulator"
class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
<beans:constructor-arg ref="userDetailsService" />
</beans:bean>
</beans:beans> <beans:beans profile="web-security-cas">
<http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
<intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<custom-filter position="CAS_FILTER" ref="casFilter"/>
<custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
<custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false" />
</session-management> <csrf disabled="true" /> </http> <authentication-manager alias="authenticationManager">
<authentication-provider ref="casAuthenticationProvider" />
</authentication-manager> <beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service"
value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
<beans:property name="sendRenew" value="false" />
</beans:bean> <beans:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="${cas.loginUrl}" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean> <beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0"
value="${cas.url}" />
</beans:bean>
</beans:property>
<beans:property name="key"
value="an_id_for_this_auth_provider_only" />
</beans:bean> <beans:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
</beans:bean> <beans:bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter" /> <beans:bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="${cas.logoutUrl}" />
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>
</beans:beans> </beans:beans>
随附配置文件内容
#WEB_CONFIG
##Set WEB authenticate type: none || local || ldap || cas
web.authenticationType=local #REST_CONFIG
##Set REST request root url, please DO NOT end with '/' or '*', just like '/webservice/rest' for 'http://example.com/webservice/rest/*'
rest.rooturl=/rs
##Set REST authenticate type: none || oauth || basic
rest.authenticationType=oauth #OAUTH_CONFIG
oauth.resourceId=DEMO
oauth.jwtVerifierKeyFile=jwtPubKey.pem
oauth.jwtSigningKeyFile=jwtPrivKey.pem #CAS_CONFIG
cas.localSystemUrl=http://www.example.com
cas.localSystemLoginUrl=/j_spring_security_cas_check
cas.url=http://cas.server.com/cas
cas.loginUrl=http://cas.server.com/cas/login
cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage #LDAP_CONFIG
ldap.url=ldap://ldap.server.com:389/
ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
ldap.password=XXX
ldap.searchBase=OU=XXX,,DC=server,DC=com
ldap.searchFilter=(sAMAccountName={0})
[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件的更多相关文章
- Java JWT: JSON Web Token
Java JWT: JSON Web Token for Java and Android JJWT aims to be the easiest to use and understand libr ...
- 深入浅出JWT(JSON Web Token )
1. JWT 介绍 JSON Web Token(JWT)是一个开放式标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全传输信息. 这些信息可以通过数字签名进行 ...
- 如何在SpringBoot中集成JWT(JSON Web Token)鉴权
这篇博客主要是简单介绍了一下什么是JWT,以及如何在Spring Boot项目中使用JWT(JSON Web Token). 1.关于JWT 1.1 什么是JWT 老生常谈的开头,我们要用这样一种工具 ...
- ( 转 ) 什么是 JWT -- JSON WEB TOKEN
什么是JWT Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点 ...
- 什么是JWT(Json Web Token)
什么是 JWT (Json Web Token) 用户认证是计算机安全领域一个永恒的热点话题. JWT 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519). 该to ...
- 温故知新,.Net Core遇见JWT(JSON Web Token)授权机制方案
什么是JWT JWT (JSON Web Token) 是一个开放标准,它定义了一种以紧凑和自包含的方法,用于在双方之间安全地传输编码为JSON对象的信息. 因此,简单来说,它是JSON格式的加密字符 ...
- JWT(JSON Web Token) 【转载】
JWT(JSON Web Token) 什么叫JWTJSON Web Token(JWT)是目前最流行的跨域身份验证解决方案. 一般来说,互联网用户认证是这样子的. 1.用户向服务器发送用户名和密码. ...
- 5分钟搞懂:JWT(Json Web Token)
https://www.qikegu.com/easy-understanding/892 JWT 基于token的用户认证原理:让用户输入账号和密码,认证通过后获得一个token(令牌),在toke ...
- 关于JWT(Json Web Token)的思考及使用心得
什么是JWT? JWT(Json Web Token)是一个开放的数据交换验证标准rfc7519(php 后端实现JWT认证方法一般用来做轻量级的API鉴权.由于许多API接口设计是遵循无状态的(比如 ...
随机推荐
- BZOJ1815 SHOI2006有色图(Polya定理)
置换数量是阶乘级别的,但容易发现本质不同的点的置换数量仅仅是n的整数拆分个数,OEIS(或者写个dp或者暴力)一下会发现不是很大,当n=53时约在3e5左右. 于是暴力枚举点的置换,并且发现根据点的置 ...
- poj 1511 Invitation Cards(最短路中等题)
In the age of television, not many people attend theater performances. Antique Comedians of Malidine ...
- MySQL的group_concat()函数合并多行数据
一个很有用的函数 group_concat(),手册上说明:该函数返回带有来自一个组的连接的非NULL值的字符串结果. 通俗点理解,其实是这样的:group_concat()会计算哪些行属于同一组,将 ...
- 本地开启apache虚拟服务器
一般来说,服务器是可以托管多个网站的,只要服务器开启虚拟主机的功能,原理是根据来源的host进行判断,不同的域名实现不同的文件访问,这样就可以实现一个服务器托管不同网站了,只要服务器的性能和带宽足够强 ...
- c++ 使用PI
#define _USE_MATH_DEFINES #include<cmath> 加上上面这个就可以使用 M_PI 了,不行就使用下面这个: #define _USE_MATH_DEFI ...
- PostgreSQL(一)教程 -----从头开始
一.安装 自然,在你能开始使用PostgreSQL之前, 你必须安装它.PostgreSQL很有可能已经安装到你的节点上了, 因为它可能包含在你的操作系统的发布里, 或者是系统管理员已经安装了它.如果 ...
- ASP.Net执行cmd命令的实现代码
using System; using System.Collections; using System.Configuration; using System.Data; using System. ...
- [收藏]:[算法]LRU和LFU的区别
LRU和LFU是不同的! LRU是最近最少使用页面置换算法(Least Recently Used),也就是首先淘汰最长时间未被使用的页面! LFU是最近最不常用页面置换算法(Least Freque ...
- Dubbo学习笔记5:Dubbo整体框架分析
Dubbo的分层架构 本文将简单介绍Dubbo的分层架构设计,如下图是Dubbo官方的整体架构图: Dubbo官方提供的该架构图很复杂,一开始我们没必要深入细节,下面我们简单介绍下其中的主要模块. 其 ...
- Java技术体系总结
PC前端:Javascript.JQuery.Angularjs.Reactjs.TypeScript 移动前端:Vue.js.Zepto WebJars spring:spring mvc.spri ...