spring-security-oauth2支持的注解有:

1.EnableOAuth2Client

适用于使用spring security,并且想从Oauth2认证服务器来获取授权的web应用环境代码中,它启用了一个Oauth2 客户端配置。为了更好的利用这个特性,需要在客户端应用中的DelegatingFilterProxy(代理一个名为oauth2ClientContextFilter)增加一个servlet filter。当filter配置到client app时,可以使用注解@AccessTokenRequest提供的另一个bean来创建一个Oauth2RequestTemplate。示例:

  @Configuration

  @EnableOAuth2Client

  public class RemoteResourceConfiguration {

   @Bean

   public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {

          return new OAuth2RestTemplate(remote(), oauth2ClientContext);

      }

  }

Client App使用client credential授权,不需要AccessTokenRequest或者域内RestOperation(对app来说,状态是全局的),但在需要时仍然使用filter来触发OAuth2RestOperation来获取token。使用密码授权的app需要在RestOperation动作之前为OAuth2ProtectedResouceDetail设置认证属性,这就是说,resouce detail 本身也需要session(假设系统中有多个用户)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(OAuth2ClientConfiguration.class)

public @interface EnableOAuth2Client {

}

实现OAuth2ClientConfiguration

@Configuration

public class OAuth2ClientConfiguration {

    @Bean

    public OAuth2ClientContextFilter oauth2ClientContextFilter() {

        OAuth2ClientContextFilter filter = new OAuth2ClientContextFilter();

        return filter;

    }

    @Bean

    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)

    protected AccessTokenRequest accessTokenRequest(@Value("#{request.parameterMap}")

    Map<String, String[]> parameters, @Value("#{request.getAttribute('currentUri')}")

    String currentUri) {

        DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);

        request.setCurrentUri(currentUri);

        return request;

    }

    @Configuration

    protected static class OAuth2ClientContextConfiguration {

        @Resource

        @Qualifier("accessTokenRequest")

        private AccessTokenRequest accessTokenRequest;

        @Bean

        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)

        public OAuth2ClientContext oauth2ClientContext() {

            return new DefaultOAuth2ClientContext(accessTokenRequest);

        }

    }

}

2. EnableAuthorizationServer

工具方法,用来在当前应用context里(必须是一个DispatcherServlet context)开启一个授权server(例如AuthorizationEndpoint)和一个TokenEndpoint。server的多个属性可以通过自定义AuthorizationServerConfigurer类型(如AuthorizationServerConfigurerAdapter的扩展)的Bean来定制。通过正常使用spring security的特色EnableWebSecurity,用户负责保证授权Endpoint(/oauth/authorize)的安全,但Token Endpoint(/oauth/token)将自动使用http basic的客户端凭证来保证安全。通过一个或者多个AuthorizationServerConfigurer提供一个ClientDetailService来注册client(必须)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})

public @interface EnableAuthorizationServer {

}

2.1 AuthorizationServerEndpointsConfiguration

    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @PostConstruct

    public void init() {

        for (AuthorizationServerConfigurer configurer : configurers) {

            try {

                configurer.configure(endpoints);

            } catch (Exception e) {

                throw new IllegalStateException("Cannot configure enpdoints", e);

            }

        }

        endpoints.setClientDetailsService(clientDetailsService);

    }
    @Component

    protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {

        private BeanDefinitionRegistry registry;

        @Override

        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {

            String[] names = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(beanFactory,

                    JwtAccessTokenConverter.class, false, false);

            if (names.length > 0) {

                BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(TokenKeyEndpoint.class);

                builder.addConstructorArgReference(names[0]);

                registry.registerBeanDefinition(TokenKeyEndpoint.class.getName(), builder.getBeanDefinition());

            }

        }

        @Override

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {

            this.registry = registry;

        }

    }

2.2 AuthorizationServerSecurityConfiguration

@Configuration

@Order(0)

@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })

public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private AuthorizationServerEndpointsConfiguration endpoints;

    @Autowired

    public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(clientDetails);

        }

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // Over-riding to make sure this.disableLocalConfigureAuthenticationBldr = false

        // This will ensure that when this configurer builds the AuthenticationManager it will not attempt

        // to find another 'Global' AuthenticationManager in the ApplicationContext (if available),

        // and set that as the parent of this 'Local' AuthenticationManager.

        // This AuthenticationManager should only be wired up with an AuthenticationProvider

        // composed of the ClientDetailsService (wired in this configuration) for authenticating 'clients' only.

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();

        FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();

        http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);

        configure(configurer);

        http.apply(configurer);

        String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");

        String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");

        String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");

        if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {

            UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);

            endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);

        }

        // @formatter:off

        http

            .authorizeRequests()

                .antMatchers(tokenEndpointPath).fullyAuthenticated()

                .antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())

                .antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())

        .and()

            .requestMatchers()

                .antMatchers(tokenEndpointPath, tokenKeyPath, checkTokenPath)

        .and()

            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // @formatter:on

        http.setSharedObject(ClientDetailsService.class, clientDetailsService);

    }

    protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(oauthServer);

        }

    }

}

3. EnableResourceServer

Oauth2 资源服务器的便利方法,开启了一个spring security的filter,这个filter通过一个Oauth2的token进行认证请求。使用者应该增加这个注解,并提供一个ResourceServerConfigurer类型的Bean(例如通过ResouceServerConfigurerAdapter)来指定资源(url路径和资源id)的细节。为了利用这个filter,你必须在你的应用中的某些地方EnableWebSecurity,或者使用这个注解的地方,或者其他别的地方。

这个注解创建了一个WebSecurityConfigurerAdapter,且自带了硬编码的order=3.在spring中,由于技术原因不能立即改变order的顺序,因此你必须在你的spring应用中避免使用order=3的其他WebSecurityConfigurerAdapter。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(ResourceServerConfiguration.class)

public @interface EnableResourceServer {

}

ResourceServerConfiguration

@Override

    protected void configure(HttpSecurity http) throws Exception {

        ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();

        ResourceServerTokenServices services = resolveTokenServices();

        if (services != null) {

            resources.tokenServices(services);

        }

        else {

            if (tokenStore != null) {

                resources.tokenStore(tokenStore);

            }

            else if (endpoints != null) {

                resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());

            }

        }

        if (eventPublisher != null) {

            resources.eventPublisher(eventPublisher);

        }

        for (ResourceServerConfigurer configurer : configurers) {

            configurer.configure(resources);

        }

        // @formatter:off

        http.authenticationProvider(new AnonymousAuthenticationProvider("default"))

        // N.B. exceptionHandling is duplicated in resources.configure() so that

        // it works

        .exceptionHandling()

                .accessDeniedHandler(resources.getAccessDeniedHandler()).and()

                .sessionManagement()

                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .csrf().disable();

        // @formatter:on

        http.apply(resources);

        if (endpoints != null) {

            // Assume we are in an Authorization Server

            http.requestMatcher(new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));

        }

        for (ResourceServerConfigurer configurer : configurers) {

            // Delegates can add authorizeRequests() here

            configurer.configure(http);

        }

        if (configurers.isEmpty()) {

            // Add anyRequest() last as a fall back. Spring Security would

            // replace an existing anyRequest() matcher with this one, so to

            // avoid that we only add it if the user hasn't configured anything.

            http.authorizeRequests().anyRequest().authenticated();

        }

    }

ResourceServerSecurityConfigurer

重新的两个方法

1.init

@Override

    public void init(HttpSecurity http) throws Exception {

        registerDefaultAuthenticationEntryPoint(http);

    }

    @SuppressWarnings("unchecked")

    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http

                .getConfigurer(ExceptionHandlingConfigurer.class);

        if (exceptionHandling == null) {

            return;

        }

        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);

        if (contentNegotiationStrategy == null) {

            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();

        }

        MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy,

                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,

                MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,

                MediaType.TEXT_XML);

        preferredMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), preferredMatcher);

    }

2.configure

@Override

    public void configure(HttpSecurity http) throws Exception {

        AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);

        resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();

        resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

        resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);

        if (eventPublisher != null) {

            resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);

        }

        if (tokenExtractor != null) {

            resourcesServerFilter.setTokenExtractor(tokenExtractor);

        }

        resourcesServerFilter = postProcess(resourcesServerFilter);

        resourcesServerFilter.setStateless(stateless);

        // @formatter:off

        http

            .authorizeRequests().expressionHandler(expressionHandler)

        .and()

            .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)

            .exceptionHandling()

                .accessDeniedHandler(accessDeniedHandler)

                .authenticationEntryPoint(authenticationEntryPoint);

        // @formatter:on

    }

其中OAuth2AuthenticationProcessingFilter:A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an{@link OAuth2AuthenticationManager}).

spring-security-oauth2注解详解的更多相关文章

  1. Spring IoC 公共注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 什么是公共注解?公共注解就是常见的Java ...

  2. Spring IoC @Autowired 注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 我们平时使用 Spring 时,想要 依赖 ...

  3. Spring MVC @RequestMapping注解详解

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  4. Spring MVC @RequestMapping注解详解(2)

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  5. 27. Spring Boot 缓存注解详解: @Cacheable、@CachePut、 @CacheEvict、@Caching、@CacheConfig

     1.使用OGNL的命名规则来定义Key的值 @Cacheable(cacheNames = {"user"},key = "#root.methodName + '[' ...

  6. spring security xml配置详解

    security 3.x <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns= ...

  7. Spring @Column的注解详解

    就像@Table注解用来标识实体类与数据表的对应关系类似,@Column注解来标识实体类中属性与数据表中字段的对应关系. 该注解的定义如下: @Target({METHOD, FIELD}) @Ret ...

  8. Spring Boot 最核心的 3 个注解详解

    最近面试一些 Java 开发者,他们其中有些在公司实际用过 Spring Boot, 有些是自己兴趣爱好在业余自己学习过.然而,当我问他们 Spring Boot 最核心的 3 个注解是什么,令我失望 ...

  9. Spring中的注入方式 和使用的注解 详解

    注解:http://www.cnblogs.com/liangxiaofeng/p/6390868.html 注入方式:http://www.cnblogs.com/java-class/p/4727 ...

  10. Spring Boot 2.x基础教程:进程内缓存的使用与Cache注解详解

    随着时间的积累,应用的使用用户不断增加,数据规模也越来越大,往往数据库查询操作会成为影响用户使用体验的瓶颈,此时使用缓存往往是解决这一问题非常好的手段之一.Spring 3开始提供了强大的基于注解的缓 ...

随机推荐

  1. 紫书 习题 11-12 UVa 1665 (并查集维护联通分量)

    这道题要逆向思维 反过来从大到小枚举, 就是在矩阵中一点一点加进去数字,这样比较 好操作, 如果正着做就要一点一点删除数字, 不好做. 我们需要在这个过程中维护联通块的个数, 这里用到了并查集. 首先 ...

  2. Mysql学习总结(23)——MySQL统计函数和分组查询

    1.使用count统计条数:select count(字段名...) from tablename; 2.使用avg计算字段的平均值:select avg(字段名) from tablename: 这 ...

  3. 2015 Multi-University Training Contest 1 hdu 5290 Bombing plan

    Bombing plan Time Limit: 8000/4000 MS (Java/Others)    Memory Limit: 262144/262144 K (Java/Others)To ...

  4. nginx和apache作为webserver的差别

    1.两者所用的驱动模式不同. nginx使用的是epoll的非堵塞模式事件驱动. apache使用的是select的堵塞模式事件驱动. 2.fastcgi和cgi的差别 当用户请求web服务的时候.w ...

  5. Codeforces Round #256 (Div. 2) B. Suffix Structures(模拟)

    题目链接:http://codeforces.com/contest/448/problem/B --------------------------------------------------- ...

  6. OpenCASCADE直线与平面求交

    OpenCASCADE直线与平面求交 在<解析几何>相关的书中都给出了直线和平面的一般方程和参数方程.其中直线的一般方程有点向式形式的. 由于过空间一点可作且只能作一条直线平行于已知直线, ...

  7. struts2 异常页面乱码问题

    在 struts.xml 或者 struts.properties 文件里添加 <constant name="struts.locale" value="zh_C ...

  8. BAPC2014 K&amp;&amp;HUNNU11591:Key to Knowledge(中途相遇法)

    题意: 有N个学生.有M题目 然后相应N行分别有一个二进制和一个整数 二进制代表该同学给出的每道题的答案.整数代表该同学的答案与标准答案相符的个数 要求推断标准答案有几个,假设标准答案仅仅有一种.则输 ...

  9. List methods

    Python provides methods that operate on lists. For example, append adds a new element to the end of ...

  10. P3227 [HNOI2013]切糕

    题目描述 经过千辛万苦小 A 得到了一块切糕,切糕的形状是长方体,小 A 打算拦腰将切糕切成两半分给小 B.出于美观考虑,小 A 希望切面能尽量光滑且和谐.于是她找到你,希望你能帮她找出最好的切割方案 ...