spring-security-oauth2支持的注解有:

1.EnableOAuth2Client

适用于使用spring security,并且想从Oauth2认证服务器来获取授权的web应用环境代码中,它启用了一个Oauth2 客户端配置。为了更好的利用这个特性,需要在客户端应用中的DelegatingFilterProxy(代理一个名为oauth2ClientContextFilter)增加一个servlet filter。当filter配置到client app时,可以使用注解@AccessTokenRequest提供的另一个bean来创建一个Oauth2RequestTemplate。示例:

  @Configuration

  @EnableOAuth2Client

  public class RemoteResourceConfiguration {

   @Bean

   public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {

          return new OAuth2RestTemplate(remote(), oauth2ClientContext);

      }

  }

Client App使用client credential授权,不需要AccessTokenRequest或者域内RestOperation(对app来说,状态是全局的),但在需要时仍然使用filter来触发OAuth2RestOperation来获取token。使用密码授权的app需要在RestOperation动作之前为OAuth2ProtectedResouceDetail设置认证属性,这就是说,resouce detail 本身也需要session(假设系统中有多个用户)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(OAuth2ClientConfiguration.class)

public @interface EnableOAuth2Client {

}

实现OAuth2ClientConfiguration

@Configuration

public class OAuth2ClientConfiguration {

    @Bean

    public OAuth2ClientContextFilter oauth2ClientContextFilter() {

        OAuth2ClientContextFilter filter = new OAuth2ClientContextFilter();

        return filter;

    }

    @Bean

    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)

    protected AccessTokenRequest accessTokenRequest(@Value("#{request.parameterMap}")

    Map<String, String[]> parameters, @Value("#{request.getAttribute('currentUri')}")

    String currentUri) {

        DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);

        request.setCurrentUri(currentUri);

        return request;

    }

    @Configuration

    protected static class OAuth2ClientContextConfiguration {

        @Resource

        @Qualifier("accessTokenRequest")

        private AccessTokenRequest accessTokenRequest;

        @Bean

        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)

        public OAuth2ClientContext oauth2ClientContext() {

            return new DefaultOAuth2ClientContext(accessTokenRequest);

        }

    }

}

2. EnableAuthorizationServer

工具方法,用来在当前应用context里(必须是一个DispatcherServlet context)开启一个授权server(例如AuthorizationEndpoint)和一个TokenEndpoint。server的多个属性可以通过自定义AuthorizationServerConfigurer类型(如AuthorizationServerConfigurerAdapter的扩展)的Bean来定制。通过正常使用spring security的特色EnableWebSecurity,用户负责保证授权Endpoint(/oauth/authorize)的安全,但Token Endpoint(/oauth/token)将自动使用http basic的客户端凭证来保证安全。通过一个或者多个AuthorizationServerConfigurer提供一个ClientDetailService来注册client(必须)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})

public @interface EnableAuthorizationServer {

}

2.1 AuthorizationServerEndpointsConfiguration

    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @PostConstruct

    public void init() {

        for (AuthorizationServerConfigurer configurer : configurers) {

            try {

                configurer.configure(endpoints);

            } catch (Exception e) {

                throw new IllegalStateException("Cannot configure enpdoints", e);

            }

        }

        endpoints.setClientDetailsService(clientDetailsService);

    }
    @Component

    protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {

        private BeanDefinitionRegistry registry;

        @Override

        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {

            String[] names = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(beanFactory,

                    JwtAccessTokenConverter.class, false, false);

            if (names.length > 0) {

                BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(TokenKeyEndpoint.class);

                builder.addConstructorArgReference(names[0]);

                registry.registerBeanDefinition(TokenKeyEndpoint.class.getName(), builder.getBeanDefinition());

            }

        }

        @Override

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {

            this.registry = registry;

        }

    }

2.2 AuthorizationServerSecurityConfiguration

@Configuration

@Order(0)

@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })

public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private AuthorizationServerEndpointsConfiguration endpoints;

    @Autowired

    public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(clientDetails);

        }

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // Over-riding to make sure this.disableLocalConfigureAuthenticationBldr = false

        // This will ensure that when this configurer builds the AuthenticationManager it will not attempt

        // to find another 'Global' AuthenticationManager in the ApplicationContext (if available),

        // and set that as the parent of this 'Local' AuthenticationManager.

        // This AuthenticationManager should only be wired up with an AuthenticationProvider

        // composed of the ClientDetailsService (wired in this configuration) for authenticating 'clients' only.

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();

        FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();

        http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);

        configure(configurer);

        http.apply(configurer);

        String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");

        String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");

        String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");

        if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {

            UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);

            endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);

        }

        // @formatter:off

        http

            .authorizeRequests()

                .antMatchers(tokenEndpointPath).fullyAuthenticated()

                .antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())

                .antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())

        .and()

            .requestMatchers()

                .antMatchers(tokenEndpointPath, tokenKeyPath, checkTokenPath)

        .and()

            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // @formatter:on

        http.setSharedObject(ClientDetailsService.class, clientDetailsService);

    }

    protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(oauthServer);

        }

    }

}

3. EnableResourceServer

Oauth2 资源服务器的便利方法,开启了一个spring security的filter,这个filter通过一个Oauth2的token进行认证请求。使用者应该增加这个注解,并提供一个ResourceServerConfigurer类型的Bean(例如通过ResouceServerConfigurerAdapter)来指定资源(url路径和资源id)的细节。为了利用这个filter,你必须在你的应用中的某些地方EnableWebSecurity,或者使用这个注解的地方,或者其他别的地方。

这个注解创建了一个WebSecurityConfigurerAdapter,且自带了硬编码的order=3.在spring中,由于技术原因不能立即改变order的顺序,因此你必须在你的spring应用中避免使用order=3的其他WebSecurityConfigurerAdapter。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(ResourceServerConfiguration.class)

public @interface EnableResourceServer {

}

ResourceServerConfiguration

@Override

    protected void configure(HttpSecurity http) throws Exception {

        ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();

        ResourceServerTokenServices services = resolveTokenServices();

        if (services != null) {

            resources.tokenServices(services);

        }

        else {

            if (tokenStore != null) {

                resources.tokenStore(tokenStore);

            }

            else if (endpoints != null) {

                resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());

            }

        }

        if (eventPublisher != null) {

            resources.eventPublisher(eventPublisher);

        }

        for (ResourceServerConfigurer configurer : configurers) {

            configurer.configure(resources);

        }

        // @formatter:off

        http.authenticationProvider(new AnonymousAuthenticationProvider("default"))

        // N.B. exceptionHandling is duplicated in resources.configure() so that

        // it works

        .exceptionHandling()

                .accessDeniedHandler(resources.getAccessDeniedHandler()).and()

                .sessionManagement()

                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .csrf().disable();

        // @formatter:on

        http.apply(resources);

        if (endpoints != null) {

            // Assume we are in an Authorization Server

            http.requestMatcher(new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));

        }

        for (ResourceServerConfigurer configurer : configurers) {

            // Delegates can add authorizeRequests() here

            configurer.configure(http);

        }

        if (configurers.isEmpty()) {

            // Add anyRequest() last as a fall back. Spring Security would

            // replace an existing anyRequest() matcher with this one, so to

            // avoid that we only add it if the user hasn't configured anything.

            http.authorizeRequests().anyRequest().authenticated();

        }

    }

ResourceServerSecurityConfigurer

重新的两个方法

1.init

@Override

    public void init(HttpSecurity http) throws Exception {

        registerDefaultAuthenticationEntryPoint(http);

    }

    @SuppressWarnings("unchecked")

    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http

                .getConfigurer(ExceptionHandlingConfigurer.class);

        if (exceptionHandling == null) {

            return;

        }

        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);

        if (contentNegotiationStrategy == null) {

            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();

        }

        MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy,

                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,

                MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,

                MediaType.TEXT_XML);

        preferredMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), preferredMatcher);

    }

2.configure

@Override

    public void configure(HttpSecurity http) throws Exception {

        AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);

        resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();

        resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

        resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);

        if (eventPublisher != null) {

            resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);

        }

        if (tokenExtractor != null) {

            resourcesServerFilter.setTokenExtractor(tokenExtractor);

        }

        resourcesServerFilter = postProcess(resourcesServerFilter);

        resourcesServerFilter.setStateless(stateless);

        // @formatter:off

        http

            .authorizeRequests().expressionHandler(expressionHandler)

        .and()

            .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)

            .exceptionHandling()

                .accessDeniedHandler(accessDeniedHandler)

                .authenticationEntryPoint(authenticationEntryPoint);

        // @formatter:on

    }

其中OAuth2AuthenticationProcessingFilter:A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an{@link OAuth2AuthenticationManager}).

spring-security-oauth2注解详解的更多相关文章

  1. Spring IoC 公共注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 什么是公共注解?公共注解就是常见的Java ...

  2. Spring IoC @Autowired 注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 我们平时使用 Spring 时,想要 依赖 ...

  3. Spring MVC @RequestMapping注解详解

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  4. Spring MVC @RequestMapping注解详解(2)

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  5. 27. Spring Boot 缓存注解详解: @Cacheable、@CachePut、 @CacheEvict、@Caching、@CacheConfig

     1.使用OGNL的命名规则来定义Key的值 @Cacheable(cacheNames = {"user"},key = "#root.methodName + '[' ...

  6. spring security xml配置详解

    security 3.x <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns= ...

  7. Spring @Column的注解详解

    就像@Table注解用来标识实体类与数据表的对应关系类似,@Column注解来标识实体类中属性与数据表中字段的对应关系. 该注解的定义如下: @Target({METHOD, FIELD}) @Ret ...

  8. Spring Boot 最核心的 3 个注解详解

    最近面试一些 Java 开发者,他们其中有些在公司实际用过 Spring Boot, 有些是自己兴趣爱好在业余自己学习过.然而,当我问他们 Spring Boot 最核心的 3 个注解是什么,令我失望 ...

  9. Spring中的注入方式 和使用的注解 详解

    注解:http://www.cnblogs.com/liangxiaofeng/p/6390868.html 注入方式:http://www.cnblogs.com/java-class/p/4727 ...

  10. Spring Boot 2.x基础教程:进程内缓存的使用与Cache注解详解

    随着时间的积累,应用的使用用户不断增加,数据规模也越来越大,往往数据库查询操作会成为影响用户使用体验的瓶颈,此时使用缓存往往是解决这一问题非常好的手段之一.Spring 3开始提供了强大的基于注解的缓 ...

随机推荐

  1. 洛谷 P1855 榨取kkksc03 (二维费用背包)

    加多一维就行了 #include<cstdio> #include<algorithm> #include<cstring> #define REP(i, a, b ...

  2. 洛谷P2870 [USACO07DEC]最佳牛线,黄金Best Cow Line, Gold

    思路大概和其他的题解一样: 从当前字符串最前面,最后面选一个字典序较小的然后拉到一个新的字符串序列中,如果相同就一直往中间扫描直到发现不同为止(一个字符如果被选中之后那么就不可以再次选择了),所以我们 ...

  3. 关于bom ef+bb+bf的问题

    今天在商品详细页头部出现了一行空白,各种尝试无果,最后怀疑是不是bom头的问题,经过断点跟踪调试逐步缩小范围,果然最后发现是一个语言包文件的开头有 ef bb bf样式的字节,用ultraedit另存 ...

  4. Linux的中断和系统调用 & esp、eip等寄存器

    http://www.linuxidc.com/Linux/2012-11/74486.htm 一共三篇 中断一般分为三类: 1.由计算机硬件异常或故障引起的中断,称为内部异常中断: 2.由程序中执行 ...

  5. 小于等于N的全部整数与N关于gcd(i,N)的那些事

    相关问题1: 求小于等于N的与N互质的数的和.即∑ i (gcd(i,N)=1, N>=i>0) 依据N的规模能够有非常多种方法.这里我介绍一个比較经典的方法 先说下这个结论:假设 gcd ...

  6. Android 手机影音 开发过程记录(六)

    前一篇已经将音乐播放及切换的相关逻辑弄好了,今天主要理一下剩余的部分,包含: 1. 自己定义通知栏的布局及逻辑处理 2. 滚动歌词的绘制 3. 歌词解析 效果图 通知栏 自己定义布局: <?xm ...

  7. Android体验高扩展艺术般的适配器

    前言 本篇文章带大家体验一下一种具有扩展性的适配器写法. 这个适配器主要用于Item有多种的情况下.当然仅仅有一种类型也是适用的 实现 毫无疑问我们要继承BaseAdapter,重写getCount, ...

  8. python判断一个单词是否为有效的英文单词?——三种方法

    For (much) more power and flexibility, use a dedicated spellchecking library like PyEnchant. There's ...

  9. 使用OpenCV把二进制mnist数据集转换为图片

    mnist数据集是以二进制形式保存的,这里借助OpenCV把mnist数据集转换成图片格式.转换程序如下: #include <iostream> #include <fstream ...

  10. SVN在vs2013中使用

    http://download.csdn.net/download/show_594/9112963 内包含VisualSVN 5.0.1的官方原版安装包及破解文件VisualSVN.Core.L.d ...