[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件
没有任何注释,表怪我(¬_¬)
更新:
2016.05.29: 将AuthorizationServer和ResourceServer分开配置
2016.05.29: Token获取采用Http Basic认证以符合RFC6749标准
2016.05.29: grant_type支持authorization_code, password, refresh_token
2016.05.27: 增加用于REST服务的安全配置
2016.05.27: 可选采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0或者HTTP BASIC
2016.05.27: REST安全验证和WEB安全验证均可通过配置文件关闭
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd"> <global-method-security pre-post-annotations="enabled" order="0"
proxy-target-class="true">
</global-method-security> <beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" /> <http security="none" pattern="/resources/**" />
<http security="none" pattern="/favicon.ico" /> <beans:beans profile="oauth-authorization-server">
<beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="signingKey" ref="jwtSigningKey"/>
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetailsService"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
<authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager> <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" >
<beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="requestFactory">
<beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean> <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:authorization-server
token-services-ref="oauth2AuthorizationServerTokenServices"
client-details-service-ref="clientDetailsService"
user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
user-approval-page="oauth/authorize"
error-page="oauth/error" >
<oauth2:authorization-code />
<!--<oauth2:implicit />-->
<oauth2:refresh-token />
<!--<oauth2:client-credentials />-->
<oauth2:password />
</oauth2:authorization-server> <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
<intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
<http-basic />
<access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-oauth,oauth-resource-server">
<beans:bean id="oauth2ResourceServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
<beans:property name="verifierKey" ref="jwtVerifierKey"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
<beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter"/>
</beans:bean> <beans:bean id="oauth2ResourceServerTokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
<beans:property name="clientDetailsService" ref="clientDetailsService" />
<beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
<beans:property name="supportRefreshToken" value="true" />
</beans:bean> <beans:bean id="oauth2ResourceServerAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:constructor-arg>
</beans:bean> <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" /> <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}" token-services-ref="oauth2ResourceServerTokenServices" /> <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager"> <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY"/>
<intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY"/>
<intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH"/> <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-basic">
<http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
<intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()"/>
<http-basic />
<csrf disabled="true"/>
</http>
</beans:beans> <beans:beans profile="rest-security-none">
<http security="none" pattern="${rest.rooturl}/**" />
</beans:beans> <beans:beans profile="web-security-none">
<http security="none" pattern="/**" />
</beans:beans> <beans:beans profile="web-security-local,web-security-ldap">
<http use-expressions="true"> <intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login" login-processing-url="/login"
authentication-failure-url="/login?error"
default-target-url="/" username-parameter="username"
password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false"
session-registry-ref="sessionRegistry" />
</session-management> <csrf disabled="true" /> </http>
</beans:beans> <beans:beans profile="web-security-local">
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans> <beans:beans profile="web-security-ldap">
<authentication-manager>
<authentication-provider ref="ldapAuthenticationProvider" />
</authentication-manager> <beans:bean id="ldapAuthenticationProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg index="0"
ref="ldapAuthenticator" />
<beans:constructor-arg index="1"
ref="ldapAuthoritiesPopulator" />
</beans:bean> <beans:bean id="ldapAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="ldapContextSource" />
<beans:property name="userSearch" ref="ldapUserSearch" />
</beans:bean> <beans:bean id="ldapUserSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0"
value="${ldap.searchBase}" />
<beans:constructor-arg index="1"
value="${ldap.searchFilter}" />
<beans:constructor-arg index="2"
ref="ldapContextSource" />
</beans:bean> <beans:bean id="ldapContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="${ldap.url}" />
<beans:property name="userDn" value="${ldap.userDN}" />
<beans:property name="password" value="${ldap.password}" />
</beans:bean> <beans:bean id="ldapAuthoritiesPopulator"
class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
<beans:constructor-arg ref="userDetailsService" />
</beans:bean>
</beans:beans> <beans:beans profile="web-security-cas">
<http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
<intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<custom-filter position="CAS_FILTER" ref="casFilter"/>
<custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
<custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
<logout logout-url="/logout" logout-success-url="/login?loggedOut"
invalidate-session="true" delete-cookies="JSESSIONID" /> <session-management invalid-session-url="/login"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false" />
</session-management> <csrf disabled="true" /> </http> <authentication-manager alias="authenticationManager">
<authentication-provider ref="casAuthenticationProvider" />
</authentication-manager> <beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service"
value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
<beans:property name="sendRenew" value="false" />
</beans:bean> <beans:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="${cas.loginUrl}" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean> <beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0"
value="${cas.url}" />
</beans:bean>
</beans:property>
<beans:property name="key"
value="an_id_for_this_auth_provider_only" />
</beans:bean> <beans:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
</beans:bean> <beans:bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter" /> <beans:bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="${cas.logoutUrl}" />
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>
</beans:beans> </beans:beans>
随附配置文件内容
#WEB_CONFIG
##Set WEB authenticate type: none || local || ldap || cas
web.authenticationType=local #REST_CONFIG
##Set REST request root url, please DO NOT end with '/' or '*', just like '/webservice/rest' for 'http://example.com/webservice/rest/*'
rest.rooturl=/rs
##Set REST authenticate type: none || oauth || basic
rest.authenticationType=oauth #OAUTH_CONFIG
oauth.resourceId=DEMO
oauth.jwtVerifierKeyFile=jwtPubKey.pem
oauth.jwtSigningKeyFile=jwtPrivKey.pem #CAS_CONFIG
cas.localSystemUrl=http://www.example.com
cas.localSystemLoginUrl=/j_spring_security_cas_check
cas.url=http://cas.server.com/cas
cas.loginUrl=http://cas.server.com/cas/login
cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage #LDAP_CONFIG
ldap.url=ldap://ldap.server.com:389/
ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
ldap.password=XXX
ldap.searchBase=OU=XXX,,DC=server,DC=com
ldap.searchFilter=(sAMAccountName={0})
[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件的更多相关文章
- Java JWT: JSON Web Token
Java JWT: JSON Web Token for Java and Android JJWT aims to be the easiest to use and understand libr ...
- 深入浅出JWT(JSON Web Token )
1. JWT 介绍 JSON Web Token(JWT)是一个开放式标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全传输信息. 这些信息可以通过数字签名进行 ...
- 如何在SpringBoot中集成JWT(JSON Web Token)鉴权
这篇博客主要是简单介绍了一下什么是JWT,以及如何在Spring Boot项目中使用JWT(JSON Web Token). 1.关于JWT 1.1 什么是JWT 老生常谈的开头,我们要用这样一种工具 ...
- ( 转 ) 什么是 JWT -- JSON WEB TOKEN
什么是JWT Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点 ...
- 什么是JWT(Json Web Token)
什么是 JWT (Json Web Token) 用户认证是计算机安全领域一个永恒的热点话题. JWT 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519). 该to ...
- 温故知新,.Net Core遇见JWT(JSON Web Token)授权机制方案
什么是JWT JWT (JSON Web Token) 是一个开放标准,它定义了一种以紧凑和自包含的方法,用于在双方之间安全地传输编码为JSON对象的信息. 因此,简单来说,它是JSON格式的加密字符 ...
- JWT(JSON Web Token) 【转载】
JWT(JSON Web Token) 什么叫JWTJSON Web Token(JWT)是目前最流行的跨域身份验证解决方案. 一般来说,互联网用户认证是这样子的. 1.用户向服务器发送用户名和密码. ...
- 5分钟搞懂:JWT(Json Web Token)
https://www.qikegu.com/easy-understanding/892 JWT 基于token的用户认证原理:让用户输入账号和密码,认证通过后获得一个token(令牌),在toke ...
- 关于JWT(Json Web Token)的思考及使用心得
什么是JWT? JWT(Json Web Token)是一个开放的数据交换验证标准rfc7519(php 后端实现JWT认证方法一般用来做轻量级的API鉴权.由于许多API接口设计是遵循无状态的(比如 ...
随机推荐
- Mybatis返回HashMap时,某个字段值为null时,不会保存key
转载: http://blog.csdn.net/little2z/article/details/38525327 mybatis 的 callSettersOnNulls 问题项目用到mybati ...
- Lisp之根源 --- 保罗格雷厄姆
Lisp之根源 --- 保罗格雷厄姆 来源 http://daiyuwen.freeshell.org/gb/rol/roots_of_lisp.html 约翰麦卡锡于1960年发表了一篇非凡的论文, ...
- 【Revit API】创建相机视角
在Revit中有一个相机功能可以以相机视角产生一个视图.一开始我在Revit2016的API文档中找关键词Camera,但是没什么收获. 其实这个相机功能的真正核心是创建透视视图:View3D.Cre ...
- 【BZOJ1898】[ZJOI2005]沼泽鳄鱼(矩阵快速幂,动态规划)
[BZOJ1898][ZJOI2005]沼泽鳄鱼(矩阵快速幂,动态规划) 题面 BZOJ 洛谷 题解 先吐槽,说好了的鳄鱼呢,题面里面全是食人鱼 看到数据范围一眼想到矩乘. 先不考虑食人鱼的问题,直接 ...
- 【BZOJ2084】[Poi2010]Antisymmetry(manarcher)
[BZOJ2084][Poi2010]Antisymmetry(manarcher) 题面 BZOJ 洛谷 题解 一眼马拉车吧...明显就是在回文串的基础上随便改了改. 似乎还可以魔改回文树,然而我这 ...
- 洛谷 P1144 最短路计数 解题报告
P1144 最短路计数 题目描述 给出一个\(N\)个顶点\(M\)条边的无向无权图,顶点编号为\(1-N\).问从顶点1开始,到其他每个点的最短路有几条. 输入输出格式 输入格式: 第一行包含2个正 ...
- 【UVA534】Frogger 最小瓶颈路
题目大意:给定一张 N 个点的完全图,求 1,2 号节点之间的一条最小瓶颈路. 题解:可知,最小瓶颈路一定存在于最小生成树(最小瓶颈树)中.因此,直接跑克鲁斯卡尔算法,当 1,2 号节点在同一个联通块 ...
- git 创建空提交
git commit --allow-empty -m "Empty Commit to setup deployments"
- excel根据一列关键字将多个表格中所需列合并
VLOOKUP(lookup_value, table_array, col_index_num, [range_lookup]) lookup_value要查询的列 table_array第一列是被 ...
- angular.module()参数问题
var app = angular.module('myApp', []); 第二个参数是依赖的模块,因为这里不需要依赖其它模块,因此为空,但是[]不能省略.