spring-security-oauth2支持的注解有:

1.EnableOAuth2Client

适用于使用spring security,并且想从Oauth2认证服务器来获取授权的web应用环境代码中,它启用了一个Oauth2 客户端配置。为了更好的利用这个特性,需要在客户端应用中的DelegatingFilterProxy(代理一个名为oauth2ClientContextFilter)增加一个servlet filter。当filter配置到client app时,可以使用注解@AccessTokenRequest提供的另一个bean来创建一个Oauth2RequestTemplate。示例:

  @Configuration

  @EnableOAuth2Client

  public class RemoteResourceConfiguration {

   @Bean

   public OAuth2RestOperations restTemplate(OAuth2ClientContext oauth2ClientContext) {

          return new OAuth2RestTemplate(remote(), oauth2ClientContext);

      }

  }

Client App使用client credential授权,不需要AccessTokenRequest或者域内RestOperation(对app来说,状态是全局的),但在需要时仍然使用filter来触发OAuth2RestOperation来获取token。使用密码授权的app需要在RestOperation动作之前为OAuth2ProtectedResouceDetail设置认证属性,这就是说,resouce detail 本身也需要session(假设系统中有多个用户)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(OAuth2ClientConfiguration.class)

public @interface EnableOAuth2Client {

}

实现OAuth2ClientConfiguration

@Configuration

public class OAuth2ClientConfiguration {

    @Bean

    public OAuth2ClientContextFilter oauth2ClientContextFilter() {

        OAuth2ClientContextFilter filter = new OAuth2ClientContextFilter();

        return filter;

    }

    @Bean

    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)

    protected AccessTokenRequest accessTokenRequest(@Value("#{request.parameterMap}")

    Map<String, String[]> parameters, @Value("#{request.getAttribute('currentUri')}")

    String currentUri) {

        DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);

        request.setCurrentUri(currentUri);

        return request;

    }

    @Configuration

    protected static class OAuth2ClientContextConfiguration {

        @Resource

        @Qualifier("accessTokenRequest")

        private AccessTokenRequest accessTokenRequest;

        @Bean

        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)

        public OAuth2ClientContext oauth2ClientContext() {

            return new DefaultOAuth2ClientContext(accessTokenRequest);

        }

    }

}

2. EnableAuthorizationServer

工具方法,用来在当前应用context里(必须是一个DispatcherServlet context)开启一个授权server(例如AuthorizationEndpoint)和一个TokenEndpoint。server的多个属性可以通过自定义AuthorizationServerConfigurer类型(如AuthorizationServerConfigurerAdapter的扩展)的Bean来定制。通过正常使用spring security的特色EnableWebSecurity,用户负责保证授权Endpoint(/oauth/authorize)的安全,但Token Endpoint(/oauth/token)将自动使用http basic的客户端凭证来保证安全。通过一个或者多个AuthorizationServerConfigurer提供一个ClientDetailService来注册client(必须)。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})

public @interface EnableAuthorizationServer {

}

2.1 AuthorizationServerEndpointsConfiguration

    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @PostConstruct

    public void init() {

        for (AuthorizationServerConfigurer configurer : configurers) {

            try {

                configurer.configure(endpoints);

            } catch (Exception e) {

                throw new IllegalStateException("Cannot configure enpdoints", e);

            }

        }

        endpoints.setClientDetailsService(clientDetailsService);

    }
    @Component

    protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {

        private BeanDefinitionRegistry registry;

        @Override

        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {

            String[] names = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(beanFactory,

                    JwtAccessTokenConverter.class, false, false);

            if (names.length > 0) {

                BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(TokenKeyEndpoint.class);

                builder.addConstructorArgReference(names[0]);

                registry.registerBeanDefinition(TokenKeyEndpoint.class.getName(), builder.getBeanDefinition());

            }

        }

        @Override

        public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {

            this.registry = registry;

        }

    }

2.2 AuthorizationServerSecurityConfiguration

@Configuration

@Order(0)

@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })

public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired

    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    @Autowired

    private ClientDetailsService clientDetailsService;

    @Autowired

    private AuthorizationServerEndpointsConfiguration endpoints;

    @Autowired

    public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(clientDetails);

        }

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // Over-riding to make sure this.disableLocalConfigureAuthenticationBldr = false

        // This will ensure that when this configurer builds the AuthenticationManager it will not attempt

        // to find another 'Global' AuthenticationManager in the ApplicationContext (if available),

        // and set that as the parent of this 'Local' AuthenticationManager.

        // This AuthenticationManager should only be wired up with an AuthenticationProvider

        // composed of the ClientDetailsService (wired in this configuration) for authenticating 'clients' only.

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();

        FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();

        http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);

        configure(configurer);

        http.apply(configurer);

        String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");

        String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");

        String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");

        if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {

            UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);

            endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);

        }

        // @formatter:off

        http

            .authorizeRequests()

                .antMatchers(tokenEndpointPath).fullyAuthenticated()

                .antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())

                .antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())

        .and()

            .requestMatchers()

                .antMatchers(tokenEndpointPath, tokenKeyPath, checkTokenPath)

        .and()

            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // @formatter:on

        http.setSharedObject(ClientDetailsService.class, clientDetailsService);

    }

    protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        for (AuthorizationServerConfigurer configurer : configurers) {

            configurer.configure(oauthServer);

        }

    }

}

3. EnableResourceServer

Oauth2 资源服务器的便利方法,开启了一个spring security的filter,这个filter通过一个Oauth2的token进行认证请求。使用者应该增加这个注解,并提供一个ResourceServerConfigurer类型的Bean(例如通过ResouceServerConfigurerAdapter)来指定资源(url路径和资源id)的细节。为了利用这个filter,你必须在你的应用中的某些地方EnableWebSecurity,或者使用这个注解的地方,或者其他别的地方。

这个注解创建了一个WebSecurityConfigurerAdapter,且自带了硬编码的order=3.在spring中,由于技术原因不能立即改变order的顺序,因此你必须在你的spring应用中避免使用order=3的其他WebSecurityConfigurerAdapter。

@Target(ElementType.TYPE)

@Retention(RetentionPolicy.RUNTIME)

@Documented

@Import(ResourceServerConfiguration.class)

public @interface EnableResourceServer {

}

ResourceServerConfiguration

@Override

    protected void configure(HttpSecurity http) throws Exception {

        ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer();

        ResourceServerTokenServices services = resolveTokenServices();

        if (services != null) {

            resources.tokenServices(services);

        }

        else {

            if (tokenStore != null) {

                resources.tokenStore(tokenStore);

            }

            else if (endpoints != null) {

                resources.tokenStore(endpoints.getEndpointsConfigurer().getTokenStore());

            }

        }

        if (eventPublisher != null) {

            resources.eventPublisher(eventPublisher);

        }

        for (ResourceServerConfigurer configurer : configurers) {

            configurer.configure(resources);

        }

        // @formatter:off

        http.authenticationProvider(new AnonymousAuthenticationProvider("default"))

        // N.B. exceptionHandling is duplicated in resources.configure() so that

        // it works

        .exceptionHandling()

                .accessDeniedHandler(resources.getAccessDeniedHandler()).and()

                .sessionManagement()

                .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .csrf().disable();

        // @formatter:on

        http.apply(resources);

        if (endpoints != null) {

            // Assume we are in an Authorization Server

            http.requestMatcher(new NotOAuthRequestMatcher(endpoints.oauth2EndpointHandlerMapping()));

        }

        for (ResourceServerConfigurer configurer : configurers) {

            // Delegates can add authorizeRequests() here

            configurer.configure(http);

        }

        if (configurers.isEmpty()) {

            // Add anyRequest() last as a fall back. Spring Security would

            // replace an existing anyRequest() matcher with this one, so to

            // avoid that we only add it if the user hasn't configured anything.

            http.authorizeRequests().anyRequest().authenticated();

        }

    }

ResourceServerSecurityConfigurer

重新的两个方法

1.init

@Override

    public void init(HttpSecurity http) throws Exception {

        registerDefaultAuthenticationEntryPoint(http);

    }

    @SuppressWarnings("unchecked")

    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = http

                .getConfigurer(ExceptionHandlingConfigurer.class);

        if (exceptionHandling == null) {

            return;

        }

        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);

        if (contentNegotiationStrategy == null) {

            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();

        }

        MediaTypeRequestMatcher preferredMatcher = new MediaTypeRequestMatcher(contentNegotiationStrategy,

                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,

                MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,

                MediaType.TEXT_XML);

        preferredMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), preferredMatcher);

    }

2.configure

@Override

    public void configure(HttpSecurity http) throws Exception {

        AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);

        resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();

        resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);

        resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);

        if (eventPublisher != null) {

            resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);

        }

        if (tokenExtractor != null) {

            resourcesServerFilter.setTokenExtractor(tokenExtractor);

        }

        resourcesServerFilter = postProcess(resourcesServerFilter);

        resourcesServerFilter.setStateless(stateless);

        // @formatter:off

        http

            .authorizeRequests().expressionHandler(expressionHandler)

        .and()

            .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)

            .exceptionHandling()

                .accessDeniedHandler(accessDeniedHandler)

                .authenticationEntryPoint(authenticationEntryPoint);

        // @formatter:on

    }

其中OAuth2AuthenticationProcessingFilter:A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an{@link OAuth2AuthenticationManager}).

spring-security-oauth2注解详解的更多相关文章

  1. Spring IoC 公共注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 什么是公共注解?公共注解就是常见的Java ...

  2. Spring IoC @Autowired 注解详解

    前言 本系列全部基于 Spring 5.2.2.BUILD-SNAPSHOT 版本.因为 Spring 整个体系太过于庞大,所以只会进行关键部分的源码解析. 我们平时使用 Spring 时,想要 依赖 ...

  3. Spring MVC @RequestMapping注解详解

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  4. Spring MVC @RequestMapping注解详解(2)

    @RequestMapping 参数说明 value:定义处理方法的请求的 URL 地址.(重点) method:定义处理方法的 http method 类型,如 GET.POST 等.(重点) pa ...

  5. 27. Spring Boot 缓存注解详解: @Cacheable、@CachePut、 @CacheEvict、@Caching、@CacheConfig

     1.使用OGNL的命名规则来定义Key的值 @Cacheable(cacheNames = {"user"},key = "#root.methodName + '[' ...

  6. spring security xml配置详解

    security 3.x <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns= ...

  7. Spring @Column的注解详解

    就像@Table注解用来标识实体类与数据表的对应关系类似,@Column注解来标识实体类中属性与数据表中字段的对应关系. 该注解的定义如下: @Target({METHOD, FIELD}) @Ret ...

  8. Spring Boot 最核心的 3 个注解详解

    最近面试一些 Java 开发者,他们其中有些在公司实际用过 Spring Boot, 有些是自己兴趣爱好在业余自己学习过.然而,当我问他们 Spring Boot 最核心的 3 个注解是什么,令我失望 ...

  9. Spring中的注入方式 和使用的注解 详解

    注解:http://www.cnblogs.com/liangxiaofeng/p/6390868.html 注入方式:http://www.cnblogs.com/java-class/p/4727 ...

  10. Spring Boot 2.x基础教程:进程内缓存的使用与Cache注解详解

    随着时间的积累,应用的使用用户不断增加,数据规模也越来越大,往往数据库查询操作会成为影响用户使用体验的瓶颈,此时使用缓存往往是解决这一问题非常好的手段之一.Spring 3开始提供了强大的基于注解的缓 ...

随机推荐

  1. 微信小程序 上传图片

    效果图  如上,js  如下,在页面循环图片就可以 /** * 选择图片 */ uploadImgAdd: function(e) { var imgs = this.data.imgs; wx.ch ...

  2. HTTP——学习笔记(7)

    HTTP中的认证机制 什么是认证机制?: 服务器需要知道客户端是谁. 怎样知道客户端身份?: 核对“登录者本人才知道的信息” 密码:只有本人才会知道的字符串信息 动态令牌:仅限本人持有的设备内显示的一 ...

  3. 【BZOJ 1303】 [CQOI2009]中位数图

    [链接] 我是链接,点我呀:) [题意] 在这里输入题意 [题解] 注意是1..n的排列. 设b的位置为i. 设i右边的数字,比b大的为1,比b小的为-1. (i左边的位置数字也一样设置成1和-1 则 ...

  4. CentOS6.5安装redis(3.0.3)

      如果没有安装gcc需要安装gcc 才能编译成功 yum install gcc 离线安装gcc的方法 # rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm # rpm -i ...

  5. 调用Windows属性窗口

    简述 在Windows系统下.可以通过:右键 -> 属性,来查看文件/文件夹对应的属性信息,包括:常规.安全.详细信息等. 简述 共有类型 共有类型 首先,需要包含头文件: #include & ...

  6. zookeeper的理解与概述

    文章转自https://www.cnblogs.com/likehua/p/3999600.html  感谢博主 文章转自:http://www.aboutyun.com/thread-9266-1- ...

  7. Traversing a list

    The most common way to traverse the elements of a list is with a for loop. The syntax is the same as ...

  8. MetaSploit攻击实例讲解------Metasploit自动化攻击(包括kali linux 2016.2(rolling) 和 BT5)

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)里Metasploit连接(包括默认和自定义)的PostgreSQL数据库 Kali linux 2016.2(Ro ...

  9. 数据仓库 SSIS

    SSDT 下载 :https://msdn.microsoft.com/en-us/library/mt204009.aspx Codeplex 上的 AdventureWorks 示例数据库此链接将 ...

  10. webi和universe

    Universe是一个包含以下内容的文件: 1 一个或多个数据库中间件的连接参数. 2 称为对象的SQL结构,映射到数据库中的实际SQL结构,如列,表和数据库函数.其中对象是按类分组的.用户既可以看到 ...