spring-security-oauth2支持的注解有:

1.EnableOAuth2Client

适用于使用spring security,并且想从Oauth2认证服务器来获取授权的web应用环境代码中,它启用了一个Oauth2 客户端配置。为了更好的利用这个特性,需要在客户端应用中的DelegatingFilterProxy(代理一个名为oauth2ClientContextFilter)增加一个servlet filter。当filter配置到client app时,可以使用注解@AccessTokenRequest提供的另一个bean来创建一个Oauth2RequestTemplate。示例:

  @Configuration

  @EnableOAuth2Client

  public class RemoteResourceConfiguration {

   @Bean

   public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {

          return new OAuth2RestTemplate(remote(), oauth2ClientContext);

      }

  }

Client App使用client credential授权,不需要AccessTokenRequest或者域内RestOperation(对app来说,状态是全局的),但在需要时仍然使用filter来触发OAuth2RestOperation来获取token。使用密码授权的app需要在RestOperation动作之前为OAuth2ProtectedResouceDetail设置认证属性,这就是说,resouce detail 本身也需要session(假设系统中有多个用户)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(OAuth2ClientConfiguration.class)

public @interface EnableOAuth2Client {

}

实现OAuth2ClientConfiguration

@Configuration

public class OAuth2ClientConfiguration {

    @Bean

    public OAuth2ClientContextFilter oauth2ClientContextFilter() {

        OAuth2ClientContextFilter filter = new OAuth2ClientContextFilter();

        return filter;

    }

    @Bean

    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)

    protected AccessTokenRequest accessTokenRequest(@Value("#{request.parameterMap}")

    Map<String, String[]> parameters, @Value("#{request.getAttribute('currentUri')}")

    String currentUri) {

        DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);

        request.setCurrentUri(currentUri);

        return request;

    }

    @Configuration

    protected static class OAuth2ClientContextConfiguration {

        @Resource

        @Qualifier("accessTokenRequest")

        private AccessTokenRequest accessTokenRequest;

        @Bean

        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)

        public OAuth2ClientContext oauth2ClientContext() {

            return new DefaultOAuth2ClientContext(accessTokenRequest);

        }

    }

}

2. EnableAuthorizationServer

工具方法,用来在当前应用context里(必须是一个DispatcherServlet context)开启一个授权server(例如AuthorizationEndpoint)和一个TokenEndpoint。server的多个属性可以通过自定义AuthorizationServerConfigurer类型(如AuthorizationServerConfigurerAdapter的扩展)的Bean来定制。通过正常使用spring security的特色EnableWebSecurity,用户负责保证授权Endpoint(/oauth/authorize)的安全,但Token Endpoint(/oauth/token)将自动使用http basic的客户端凭证来保证安全。通过一个或者多个AuthorizationServerConfigurer提供一个ClientDetailService来注册client(必须)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})

public @interface EnableAuthorizationServer {

}

2.1 AuthorizationServerEndpointsConfiguration

    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @PostConstruct

    public void init() {

        for (AuthorizationServerConfigurer configurer : configurers) {

            try {

                configurer.configure(endpoints);

            } catch (Exception e) {

                throw new IllegalStateException("Cannot configure enpdoints", e);

            }

        }

        endpoints.setClientDetailsService(clientDetailsService);

    }
    @Component

    protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {

        private BeanDefinitionRegistry registry;

        @Override

        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {

            String[] names = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(beanFactory,

                    JwtAccessTokenConverter.class, false, false);

            if (names.length > 0) {

                BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(TokenKeyEndpoint.class);

                builder.addConstructorArgReference(names[0]);

                registry.registerBeanDefinition(TokenKeyEndpoint.class.getName(), builder.getBeanDefinition());

            }

        }

        @Override

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {

            this.registry = registry;

        }

    }

2.2 AuthorizationServerSecurityConfiguration

@Configuration

@Order(0)

@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })

public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private AuthorizationServerEndpointsConfiguration endpoints;

    @Autowired

    public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(clientDetails);

        }

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // Over-riding to make sure this.disableLocalConfigureAuthenticationBldr = false

        // This will ensure that when this configurer builds the AuthenticationManager it will not attempt

        // to find another 'Global' AuthenticationManager in the ApplicationContext (if available),

        // and set that as the parent of this 'Local' AuthenticationManager.

        // This AuthenticationManager should only be wired up with an AuthenticationProvider

        // composed of the ClientDetailsService (wired in this configuration) for authenticating 'clients' only.

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();

        FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();

        http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);

        configure(configurer);

        http.apply(configurer);

        String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");

        String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");

        String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");

        if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {

            UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);

            endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);

        }

        // @formatter:off

        http

            .authorizeRequests()

                .antMatchers(tokenEndpointPath).fullyAuthenticated()

                .antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())

                .antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())

        .and()

            .requestMatchers()

                .antMatchers(tokenEndpointPath, tokenKeyPath, checkTokenPath)

        .and()

            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // @formatter:on

        http.setSharedObject(ClientDetailsService.class, clientDetailsService);

    }

    protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(oauthServer);

        }

    }

}

3. EnableResourceServer

Oauth2 资源服务器的便利方法,开启了一个spring security的filter,这个filter通过一个Oauth2的token进行认证请求。使用者应该增加这个注解,并提供一个ResourceServerConfigurer类型的Bean(例如通过ResouceServerConfigurerAdapter)来指定资源(url路径和资源id)的细节。为了利用这个filter,你必须在你的应用中的某些地方EnableWebSecurity,或者使用这个注解的地方,或者其他别的地方。

这个注解创建了一个WebSecurityConfigurerAdapter,且自带了硬编码的order=3.在spring中,由于技术原因不能立即改变order的顺序,因此你必须在你的spring应用中避免使用order=3的其他WebSecurityConfigurerAdapter。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(ResourceServerConfiguration.class)

public @interface EnableResourceServer {

}

ResourceServerConfiguration

@Override

    protected void configure(HttpSecurity http) throws Exception {

        ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();

        ResourceServerTokenServices services = resolveTokenServices();

        if (services != null) {

            resources.tokenServices(services);

        }

        else {

            if (tokenStore != null) {

                resources.tokenStore(tokenStore);

            }

            else if (endpoints != null) {

                resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());

            }

        }

        if (eventPublisher != null) {

            resources.eventPublisher(eventPublisher);

        }

        for (ResourceServerConfigurer configurer : configurers) {

            configurer.configure(resources);

        }

        // @formatter:off

        http.authenticationProvider(new AnonymousAuthenticationProvider("default"))

        // N.B. exceptionHandling is duplicated in resources.configure() so that

        // it works

        .exceptionHandling()

                .accessDeniedHandler(resources.getAccessDeniedHandler()).and()

                .sessionManagement()

                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .csrf().disable();

        // @formatter:on

        http.apply(resources);

        if (endpoints != null) {

            // Assume we are in an Authorization Server

            http.requestMatcher(new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));

        }

        for (ResourceServerConfigurer configurer : configurers) {

            // Delegates can add authorizeRequests() here

            configurer.configure(http);

        }

        if (configurers.isEmpty()) {

            // Add anyRequest() last as a fall back. Spring Security would

            // replace an existing anyRequest() matcher with this one, so to

            // avoid that we only add it if the user hasn't configured anything.

            http.authorizeRequests().anyRequest().authenticated();

        }

    }

ResourceServerSecurityConfigurer

重新的两个方法

1.init

@Override

    public void init(HttpSecurity http) throws Exception {

        registerDefaultAuthenticationEntryPoint(http);

    }

    @SuppressWarnings("unchecked")

    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http

                .getConfigurer(ExceptionHandlingConfigurer.class);

        if (exceptionHandling == null) {

            return;

        }

        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);

        if (contentNegotiationStrategy == null) {

            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();

        }

        MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy,

                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,

                MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,

                MediaType.TEXT_XML);

        preferredMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), preferredMatcher);

    }

2.configure

@Override

    public void configure(HttpSecurity http) throws Exception {

        AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);

        resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();

        resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

        resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);

        if (eventPublisher != null) {

            resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);

        }

        if (tokenExtractor != null) {

            resourcesServerFilter.setTokenExtractor(tokenExtractor);

        }

        resourcesServerFilter = postProcess(resourcesServerFilter);

        resourcesServerFilter.setStateless(stateless);

        // @formatter:off

        http

            .authorizeRequests().expressionHandler(expressionHandler)

        .and()

            .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)

            .exceptionHandling()

                .accessDeniedHandler(accessDeniedHandler)

                .authenticationEntryPoint(authenticationEntryPoint);

        // @formatter:on

    }

其中OAuth2AuthenticationProcessingFilter:A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an{@link OAuth2AuthenticationManager}).

spring-security-oauth2注解详解的更多相关文章

  1. Spring IoC 公共注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 什么是公共注解?公共注解就是常见的Java ...

  2. Spring IoC @Autowired 注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 我们平时使用 Spring 时,想要 依赖 ...

  3. Spring MVC @RequestMapping注解详解

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  4. Spring MVC @RequestMapping注解详解(2)

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  5. 27. Spring Boot 缓存注解详解: @Cacheable、@CachePut、 @CacheEvict、@Caching、@CacheConfig

     1.使用OGNL的命名规则来定义Key的值 @Cacheable(cacheNames = {"user"},key = "#root.methodName + '[' ...

  6. spring security xml配置详解

    security 3.x <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns= ...

  7. Spring @Column的注解详解

    就像@Table注解用来标识实体类与数据表的对应关系类似,@Column注解来标识实体类中属性与数据表中字段的对应关系. 该注解的定义如下: @Target({METHOD, FIELD}) @Ret ...

  8. Spring Boot 最核心的 3 个注解详解

    最近面试一些 Java 开发者,他们其中有些在公司实际用过 Spring Boot, 有些是自己兴趣爱好在业余自己学习过.然而,当我问他们 Spring Boot 最核心的 3 个注解是什么,令我失望 ...

  9. Spring中的注入方式 和使用的注解 详解

    注解:http://www.cnblogs.com/liangxiaofeng/p/6390868.html 注入方式:http://www.cnblogs.com/java-class/p/4727 ...

  10. Spring Boot 2.x基础教程:进程内缓存的使用与Cache注解详解

    随着时间的积累,应用的使用用户不断增加,数据规模也越来越大,往往数据库查询操作会成为影响用户使用体验的瓶颈,此时使用缓存往往是解决这一问题非常好的手段之一.Spring 3开始提供了强大的基于注解的缓 ...

随机推荐

  1. nginx开启gzip压缩后导致apk包下载不能正常安装

    最后更新时间:2019/4/27 nginx一般都会开启gzip压缩,以提升传输性能. 配置如下: gzip on; gzip_comp_level 2; gzip_min_length 1k; gz ...

  2. 【codeforces 46C】Hamsters and Tigers

    [题目链接]:http://codeforces.com/problemset/problem/46/C [题意] 给你一个长度为n的01串; 让你把所有的0放在一起,把所有的1放在一起; (即0都是 ...

  3. Java基础学习总结(30)——Java 内存溢出问题总结

    Java中OutOfMemoryError(内存溢出)的三种情况及解决办法 相信有一定java开发经验的人或多或少都会遇到OutOfMemoryError的问题,这个问题曾困扰了我很长时间,随着解决各 ...

  4. POJ 1975 Median Weight Bead

    Median Weight Bead Time Limit: 1000ms Memory Limit: 30000KB This problem will be judged on PKU. Orig ...

  5. MySQL中锁详解(行锁、表锁、页锁、悲观锁、乐观锁等)

    原文地址:http://blog.csdn.net/mysteryhaohao/article/details/51669741 锁,在现实生活中是为我们想要隐藏于外界所使用的一种工具.在计算机中,是 ...

  6. servlet3.0 @webfilter 过滤顺序

    Servlet3.0之前Filter过滤的顺序是由用户在web.xml中配置的顺序决定的,如下会先执行encodingFilter,再执行filter1. <filter> <dis ...

  7. [MST] Create an Entry Form to Add Models to the State Tree

    It is time to add new entries to the wishlist. We will achieve this by reusing forms and models we'v ...

  8. cocos2d-x-3.2 怎样创建新project

    1.在cocos2d-x-3.2\执行python命令 python setup.py //它的作用是将以下这些路径加入到你的用户环境变量中,当然你也能够不加入 COCOS_CONSOLE_ROOT ...

  9. mysql-总结select各子句及其顺序

    顺序:from->where ->group by->having ->order by

  10. EBS OAF开发中怎样通过ReferenceAO进行验证

    EBS OAF开发中怎样通过ReferenceAO进行验证 (版权声明.本人原创或者翻译的文章如需转载,如转载用于个人学习,请注明出处:否则请与本人联系,违者必究) Reference AO 除了用于 ...