[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件
没有任何注释,表怪我(¬_¬)
更新:
2016.05.29: 将AuthorizationServer和ResourceServer分开配置
2016.05.29: Token获取采用Http Basic认证以符合RFC6749标准
2016.05.29: grant_type支持authorization_code, password, refresh_token
2016.05.27: 增加用于REST服务的安全配置
2016.05.27: 可选采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0或者HTTP BASIC
2016.05.27: REST安全验证和WEB安全验证均可通过配置文件关闭
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd"> <global-method-security pre-post-annotations="enabled" order="0"
proxy-target-class="true">
</global-method-security> <beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" /> <http security="none" pattern="/resources/**" />
<http security="none" pattern="/favicon.ico" /> <beans:beans profile="oauth-authorization-server">
<beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="signingKey" ref="jwtSigningKey"/>
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetailsService"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
<authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager> <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" >
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="requestFactory">
<beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:authorization-server
token-services-ref="oauth2AuthorizationServerTokenServices"
client-details-service-ref="clientDetailsService"
user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
user-approval-page="oauth/authorize"
error-page="oauth/error" >
<oauth2:authorization-code />
<!--<oauth2:implicit />-->
<oauth2:refresh-token />
<!--<oauth2:client-credentials />-->
<oauth2:password />
</oauth2:authorization-server> <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
<intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
<http-basic />
<access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-oauth,oauth-resource-server">
<beans:bean id="oauth2ResourceServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2ResourceServerAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:constructor-arg>
</beans:bean> <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}" token-services-ref="oauth2ResourceServerTokenServices" /> <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager"> <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY"/>
<intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY"/>
<intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH"/> <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-basic">
<http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
<intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()"/>
<http-basic />
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-none">
<http security="none" pattern="${rest.rooturl}/**" />
</beans:beans> <beans:beans profile="web-security-none">
<http security="none" pattern="/**" />
</beans:beans> <beans:beans profile="web-security-local,web-security-ldap">
<http use-expressions="true"> <intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login" login-processing-url="/login"
authentication-failure-url="/login?error"
default-target-url="/" username-parameter="username"
password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false"
session-registry-ref="sessionRegistry" />
</session-management> <csrf disabled="true" /> </http>
</beans:beans> <beans:beans profile="web-security-local">
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans> <beans:beans profile="web-security-ldap">
<authentication-manager>
<authentication-provider ref="ldapAuthenticationProvider" />
</authentication-manager> <beans:bean id="ldapAuthenticationProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg index="0"
ref="ldapAuthenticator" />
<beans:constructor-arg index="1"
ref="ldapAuthoritiesPopulator" />
</beans:bean> <beans:bean id="ldapAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="ldapContextSource" />
<beans:property name="userSearch" ref="ldapUserSearch" />
</beans:bean> <beans:bean id="ldapUserSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0"
value="${ldap.searchBase}" />
<beans:constructor-arg index="1"
value="${ldap.searchFilter}" />
<beans:constructor-arg index="2"
ref="ldapContextSource" />
</beans:bean> <beans:bean id="ldapContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="${ldap.url}" />
<beans:property name="userDn" value="${ldap.userDN}" />
<beans:property name="password" value="${ldap.password}" />
</beans:bean> <beans:bean id="ldapAuthoritiesPopulator"
class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
<beans:constructor-arg ref="userDetailsService" />
</beans:bean>
</beans:beans> <beans:beans profile="web-security-cas">
<http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
<intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<custom-filter position="CAS_FILTER" ref="casFilter"/>
<custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
<custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false" />
</session-management> <csrf disabled="true" /> </http> <authentication-manager alias="authenticationManager">
<authentication-provider ref="casAuthenticationProvider" />
</authentication-manager> <beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service"
value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
<beans:property name="sendRenew" value="false" />
</beans:bean> <beans:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="${cas.loginUrl}" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean> <beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0"
value="${cas.url}" />
</beans:bean>
</beans:property>
<beans:property name="key"
value="an_id_for_this_auth_provider_only" />
</beans:bean> <beans:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
</beans:bean> <beans:bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter" /> <beans:bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="${cas.logoutUrl}" />
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>
</beans:beans> </beans:beans>
随附配置文件内容
#WEB_CONFIG
##Set WEB authenticate type: none || local || ldap || cas
web.authenticationType=local #REST_CONFIG
##Set REST request root url, please DO NOT end with '/' or '*', just like '/webservice/rest' for 'http://example.com/webservice/rest/*'
rest.rooturl=/rs
##Set REST authenticate type: none || oauth || basic
rest.authenticationType=oauth #OAUTH_CONFIG
oauth.resourceId=DEMO
oauth.jwtVerifierKeyFile=jwtPubKey.pem
oauth.jwtSigningKeyFile=jwtPrivKey.pem #CAS_CONFIG
cas.localSystemUrl=http://www.example.com
cas.localSystemLoginUrl=/j_spring_security_cas_check
cas.url=http://cas.server.com/cas
cas.loginUrl=http://cas.server.com/cas/login
cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage #LDAP_CONFIG
ldap.url=ldap://ldap.server.com:389/
ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
ldap.password=XXX
ldap.searchBase=OU=XXX,,DC=server,DC=com
ldap.searchFilter=(sAMAccountName={0})
[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件的更多相关文章
- Java JWT: JSON Web Token
Java JWT: JSON Web Token for Java and Android JJWT aims to be the easiest to use and understand libr ...
- 深入浅出JWT(JSON Web Token )
1. JWT 介绍 JSON Web Token(JWT)是一个开放式标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全传输信息. 这些信息可以通过数字签名进行 ...
- 如何在SpringBoot中集成JWT(JSON Web Token)鉴权
这篇博客主要是简单介绍了一下什么是JWT,以及如何在Spring Boot项目中使用JWT(JSON Web Token). 1.关于JWT 1.1 什么是JWT 老生常谈的开头,我们要用这样一种工具 ...
- ( 转 ) 什么是 JWT -- JSON WEB TOKEN
什么是JWT Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点 ...
- 什么是JWT(Json Web Token)
什么是 JWT (Json Web Token) 用户认证是计算机安全领域一个永恒的热点话题. JWT 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519). 该to ...
- 温故知新,.Net Core遇见JWT(JSON Web Token)授权机制方案
什么是JWT JWT (JSON Web Token) 是一个开放标准,它定义了一种以紧凑和自包含的方法,用于在双方之间安全地传输编码为JSON对象的信息. 因此,简单来说,它是JSON格式的加密字符 ...
- JWT(JSON Web Token) 【转载】
JWT(JSON Web Token) 什么叫JWTJSON Web Token(JWT)是目前最流行的跨域身份验证解决方案. 一般来说,互联网用户认证是这样子的. 1.用户向服务器发送用户名和密码. ...
- 5分钟搞懂:JWT(Json Web Token)
https://www.qikegu.com/easy-understanding/892 JWT 基于token的用户认证原理:让用户输入账号和密码,认证通过后获得一个token(令牌),在toke ...
- 关于JWT(Json Web Token)的思考及使用心得
什么是JWT? JWT(Json Web Token)是一个开放的数据交换验证标准rfc7519(php 后端实现JWT认证方法一般用来做轻量级的API鉴权.由于许多API接口设计是遵循无状态的(比如 ...
随机推荐
- 【题解】 Test 买水的ACX(套路)
题目描述: ACX在××信竞组学会信息竞赛,但是他的同学都很巨,于是要他去买水,结果来到某个买水的商店(奇奇怪怪的商店). 一天,ACX买了 N 个容量可以认为是无限大的瓶子,初始时每个瓶子里有 1 ...
- suoi31 最近公共祖先2 (倍增lca)
根为r时x.y的公共祖先,就是lca(x,r),lca(x,y),lca(r,y)中深度最大的那一个,不要再在倍增的时候判来判去还判不对了... #include<bits/stdc++.h&g ...
- CF1027E Inverse Coloring
题意:n × n的矩阵,每个位置可以被染成黑/白色. 一种gay的染色是任意相邻两行的元素,每两个要么都相同,要么都不同.列同理. 一种gaygay的染色是一种gay的染色,其中没有哪个颜色的子矩阵大 ...
- LeetCode 9 合并两个有序列表
将两个有序链表合并为一个新的有序链表并返回.新链表是通过拼接给定的两个链表的所有节点组成的. 示例: 输入:1->2->4, 1->3->4 输出:1->1->2- ...
- Hadoop生态圈-Azkaban部署实战
Hadoop生态圈-Azkaban部署实战 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.Azkaban部署流程 1>.上传azkaban程序并创建解压目录 [yinz ...
- angularJs实现下拉框多选
话不多说,直接上干货. 肯定需要下拉选插件.必须引入的是 注意 先后顺序 select2.css select2-bootstrap.css select2.min.js angular.min. ...
- influxdb简单使用
之前对influxdb有一个简单的了解和入门的使用,近期由于想使用influxdb做一点东西玩玩,又要捡起influxdb.本篇就针对influxdb的数据库.表的概念,增删改查操作.RESTful操 ...
- htm、html、shtml网页区别
htm.html.shtml网页区别 html或者htm是一种静态的页面格式,也就是说不需要服务器解析其中的脚本,或者说里面没有服务器端执行的脚本,而shtml或者shtm由于它基于SSI技术,当有服 ...
- 用到的设计模式总结--单例模式+工厂方法模式+Builder模式
一,工厂方法模式和单例模式 工厂方法模式中有一个抽象的工厂接口和一个抽象的产品接口.然后,具体的工厂实现抽象工厂并负责生产具体的产品.由客户端决定 new 哪个具体的工厂,从而生产哪种产品. 因此,与 ...
- nodejs安装zmq出错
想用zmq来做进程间通信,在Windows下.Centos下安装成功.记录如下: 一.Windows安装zmq 直接 npm install zmq 成功就成功. 不成功的话估计是报"未能 ...