spring-security-oauth2支持的注解有:

1.EnableOAuth2Client

适用于使用spring security,并且想从Oauth2认证服务器来获取授权的web应用环境代码中,它启用了一个Oauth2 客户端配置。为了更好的利用这个特性,需要在客户端应用中的DelegatingFilterProxy(代理一个名为oauth2ClientContextFilter)增加一个servlet filter。当filter配置到client app时,可以使用注解@AccessTokenRequest提供的另一个bean来创建一个Oauth2RequestTemplate。示例:

  @Configuration

  @EnableOAuth2Client

  public class RemoteResourceConfiguration {

   @Bean

   public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {

          return new OAuth2RestTemplate(remote(), oauth2ClientContext);

      }

  }

Client App使用client credential授权,不需要AccessTokenRequest或者域内RestOperation(对app来说,状态是全局的),但在需要时仍然使用filter来触发OAuth2RestOperation来获取token。使用密码授权的app需要在RestOperation动作之前为OAuth2ProtectedResouceDetail设置认证属性,这就是说,resouce detail 本身也需要session(假设系统中有多个用户)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(OAuth2ClientConfiguration.class)

public @interface EnableOAuth2Client {

}

实现OAuth2ClientConfiguration

@Configuration

public class OAuth2ClientConfiguration {

    @Bean

    public OAuth2ClientContextFilter oauth2ClientContextFilter() {

        OAuth2ClientContextFilter filter = new OAuth2ClientContextFilter();

        return filter;

    }

    @Bean

    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)

    protected AccessTokenRequest accessTokenRequest(@Value("#{request.parameterMap}")

    Map<String, String[]> parameters, @Value("#{request.getAttribute('currentUri')}")

    String currentUri) {

        DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);

        request.setCurrentUri(currentUri);

        return request;

    }

    @Configuration

    protected static class OAuth2ClientContextConfiguration {

        @Resource

        @Qualifier("accessTokenRequest")

        private AccessTokenRequest accessTokenRequest;

        @Bean

        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)

        public OAuth2ClientContext oauth2ClientContext() {

            return new DefaultOAuth2ClientContext(accessTokenRequest);

        }

    }

}

2. EnableAuthorizationServer

工具方法,用来在当前应用context里(必须是一个DispatcherServlet context)开启一个授权server(例如AuthorizationEndpoint)和一个TokenEndpoint。server的多个属性可以通过自定义AuthorizationServerConfigurer类型(如AuthorizationServerConfigurerAdapter的扩展)的Bean来定制。通过正常使用spring security的特色EnableWebSecurity,用户负责保证授权Endpoint(/oauth/authorize)的安全,但Token Endpoint(/oauth/token)将自动使用http basic的客户端凭证来保证安全。通过一个或者多个AuthorizationServerConfigurer提供一个ClientDetailService来注册client(必须)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})

public @interface EnableAuthorizationServer {

}

2.1 AuthorizationServerEndpointsConfiguration

    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @PostConstruct

    public void init() {

        for (AuthorizationServerConfigurer configurer : configurers) {

            try {

                configurer.configure(endpoints);

            } catch (Exception e) {

                throw new IllegalStateException("Cannot configure enpdoints", e);

            }

        }

        endpoints.setClientDetailsService(clientDetailsService);

    }
    @Component

    protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {

        private BeanDefinitionRegistry registry;

        @Override

        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {

            String[] names = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(beanFactory,

                    JwtAccessTokenConverter.class, false, false);

            if (names.length > 0) {

                BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(TokenKeyEndpoint.class);

                builder.addConstructorArgReference(names[0]);

                registry.registerBeanDefinition(TokenKeyEndpoint.class.getName(), builder.getBeanDefinition());

            }

        }

        @Override

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {

            this.registry = registry;

        }

    }

2.2 AuthorizationServerSecurityConfiguration

@Configuration

@Order(0)

@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })

public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private AuthorizationServerEndpointsConfiguration endpoints;

    @Autowired

    public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(clientDetails);

        }

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // Over-riding to make sure this.disableLocalConfigureAuthenticationBldr = false

        // This will ensure that when this configurer builds the AuthenticationManager it will not attempt

        // to find another 'Global' AuthenticationManager in the ApplicationContext (if available),

        // and set that as the parent of this 'Local' AuthenticationManager.

        // This AuthenticationManager should only be wired up with an AuthenticationProvider

        // composed of the ClientDetailsService (wired in this configuration) for authenticating 'clients' only.

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();

        FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();

        http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);

        configure(configurer);

        http.apply(configurer);

        String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");

        String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");

        String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");

        if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {

            UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);

            endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);

        }

        // @formatter:off

        http

            .authorizeRequests()

                .antMatchers(tokenEndpointPath).fullyAuthenticated()

                .antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())

                .antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())

        .and()

            .requestMatchers()

                .antMatchers(tokenEndpointPath, tokenKeyPath, checkTokenPath)

        .and()

            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // @formatter:on

        http.setSharedObject(ClientDetailsService.class, clientDetailsService);

    }

    protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(oauthServer);

        }

    }

}

3. EnableResourceServer

Oauth2 资源服务器的便利方法,开启了一个spring security的filter,这个filter通过一个Oauth2的token进行认证请求。使用者应该增加这个注解,并提供一个ResourceServerConfigurer类型的Bean(例如通过ResouceServerConfigurerAdapter)来指定资源(url路径和资源id)的细节。为了利用这个filter,你必须在你的应用中的某些地方EnableWebSecurity,或者使用这个注解的地方,或者其他别的地方。

这个注解创建了一个WebSecurityConfigurerAdapter,且自带了硬编码的order=3.在spring中,由于技术原因不能立即改变order的顺序,因此你必须在你的spring应用中避免使用order=3的其他WebSecurityConfigurerAdapter。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(ResourceServerConfiguration.class)

public @interface EnableResourceServer {

}

ResourceServerConfiguration

@Override

    protected void configure(HttpSecurity http) throws Exception {

        ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();

        ResourceServerTokenServices services = resolveTokenServices();

        if (services != null) {

            resources.tokenServices(services);

        }

        else {

            if (tokenStore != null) {

                resources.tokenStore(tokenStore);

            }

            else if (endpoints != null) {

                resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());

            }

        }

        if (eventPublisher != null) {

            resources.eventPublisher(eventPublisher);

        }

        for (ResourceServerConfigurer configurer : configurers) {

            configurer.configure(resources);

        }

        // @formatter:off

        http.authenticationProvider(new AnonymousAuthenticationProvider("default"))

        // N.B. exceptionHandling is duplicated in resources.configure() so that

        // it works

        .exceptionHandling()

                .accessDeniedHandler(resources.getAccessDeniedHandler()).and()

                .sessionManagement()

                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .csrf().disable();

        // @formatter:on

        http.apply(resources);

        if (endpoints != null) {

            // Assume we are in an Authorization Server

            http.requestMatcher(new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));

        }

        for (ResourceServerConfigurer configurer : configurers) {

            // Delegates can add authorizeRequests() here

            configurer.configure(http);

        }

        if (configurers.isEmpty()) {

            // Add anyRequest() last as a fall back. Spring Security would

            // replace an existing anyRequest() matcher with this one, so to

            // avoid that we only add it if the user hasn't configured anything.

            http.authorizeRequests().anyRequest().authenticated();

        }

    }

ResourceServerSecurityConfigurer

重新的两个方法

1.init

@Override

    public void init(HttpSecurity http) throws Exception {

        registerDefaultAuthenticationEntryPoint(http);

    }

    @SuppressWarnings("unchecked")

    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http

                .getConfigurer(ExceptionHandlingConfigurer.class);

        if (exceptionHandling == null) {

            return;

        }

        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);

        if (contentNegotiationStrategy == null) {

            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();

        }

        MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy,

                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,

                MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,

                MediaType.TEXT_XML);

        preferredMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), preferredMatcher);

    }

2.configure

@Override

    public void configure(HttpSecurity http) throws Exception {

        AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);

        resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();

        resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

        resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);

        if (eventPublisher != null) {

            resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);

        }

        if (tokenExtractor != null) {

            resourcesServerFilter.setTokenExtractor(tokenExtractor);

        }

        resourcesServerFilter = postProcess(resourcesServerFilter);

        resourcesServerFilter.setStateless(stateless);

        // @formatter:off

        http

            .authorizeRequests().expressionHandler(expressionHandler)

        .and()

            .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)

            .exceptionHandling()

                .accessDeniedHandler(accessDeniedHandler)

                .authenticationEntryPoint(authenticationEntryPoint);

        // @formatter:on

    }

其中OAuth2AuthenticationProcessingFilter:A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an{@link OAuth2AuthenticationManager}).

spring-security-oauth2注解详解的更多相关文章

  1. Spring IoC 公共注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 什么是公共注解?公共注解就是常见的Java ...

  2. Spring IoC @Autowired 注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 我们平时使用 Spring 时,想要 依赖 ...

  3. Spring MVC @RequestMapping注解详解

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  4. Spring MVC @RequestMapping注解详解(2)

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  5. 27. Spring Boot 缓存注解详解: @Cacheable、@CachePut、 @CacheEvict、@Caching、@CacheConfig

     1.使用OGNL的命名规则来定义Key的值 @Cacheable(cacheNames = {"user"},key = "#root.methodName + '[' ...

  6. spring security xml配置详解

    security 3.x <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns= ...

  7. Spring @Column的注解详解

    就像@Table注解用来标识实体类与数据表的对应关系类似,@Column注解来标识实体类中属性与数据表中字段的对应关系. 该注解的定义如下: @Target({METHOD, FIELD}) @Ret ...

  8. Spring Boot 最核心的 3 个注解详解

    最近面试一些 Java 开发者,他们其中有些在公司实际用过 Spring Boot, 有些是自己兴趣爱好在业余自己学习过.然而,当我问他们 Spring Boot 最核心的 3 个注解是什么,令我失望 ...

  9. Spring中的注入方式 和使用的注解 详解

    注解:http://www.cnblogs.com/liangxiaofeng/p/6390868.html 注入方式:http://www.cnblogs.com/java-class/p/4727 ...

  10. Spring Boot 2.x基础教程:进程内缓存的使用与Cache注解详解

    随着时间的积累,应用的使用用户不断增加,数据规模也越来越大,往往数据库查询操作会成为影响用户使用体验的瓶颈,此时使用缓存往往是解决这一问题非常好的手段之一.Spring 3开始提供了强大的基于注解的缓 ...

随机推荐

  1. iOS技术栈-Swift版

    在网上没找到基于Swift的技术栈介绍,或者技术已经不适用,所以自己画了一个,后面的博客中会重新整理基于Swfit的UI控件介绍和常用第三方库地图

  2. 2015 Multi-University Training Contest 4 hdu 5335 Walk Out

    Walk Out Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Others)Total Su ...

  3. 2.Maven特点,Maven约定,建立第一个Maven项目

     1 Maven是跨平台的项目管理工具.主要服务于基于java平台的项目构建,依赖管理和项目信息管理. 项目构建 清理à编译à測试à报告à打包à部署 理想的项目构建: 高度自己主动化 跨平台 可重 ...

  4. QUERY_REWRITE_ENABLED

    官方文档中: QUERY_REWRITE_ENABLED Property Description Parameter type String Syntax QUERY_REWRITE_ENABLED ...

  5. A. Ilya and Diplomas( Codeforces Round #311 (Div. 2) )

    A. Ilya and Diplomas time limit per test 1 second memory limit per test 256 megabytes input standard ...

  6. matplotlib 可视化 —— 定制画布风格 Customizing plots with style sheets(plt.style)

    Customizing plots with style sheets - Matplotlib 1.5.1 documentation 1. 使用和显示其他画布风格 >> import ...

  7. centos 服务器配置注意项

    Mysql 出现Table‘xxx’is read only问题 Mysql数据库在由Mssql数据库导入数据文件后出现“ERROR 1036 (HY000): Table 'xxxx' is rea ...

  8. POJ 3671 DP or 乱搞

    思路: 1.DP f[i][j]:前i个数 最后一个数是j的最小花费 f[i][j]=min(f[i][j],f[i-1][k]+(a[i]!=j));1<=k<=j 这种做法比较有普遍性 ...

  9. SSRS 报表 日期类表达式

    一.如何填写表达式 右键点击单元格-表达式 二.表达式 当月1号 =DateSerial(DatePart("yyyy",Now()), DatePart("m" ...

  10. Java Web应用定制404错误页面

    Http响应状态码404的含义是服务器端没有找到客户端请求的资源,定制404错误页面至少有以下两个好处: 1.向客户端隐藏服务器信息,服务器提供的默认404错误页面上一般都包含当前应用使用的是什么服务 ...