spring oauth2.0入门(实战)

1.首先spring security基本配置

public class ServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {......@Overridepublic void onStartup(ServletContext servletContext) throws ServletException {super.onStartup(servletContext);/** UrlRewriteFilter **//* * servletContext.addFilter("UrlRewriteFilter", * UrlRewriteFilter.class).addMappingForUrlPatterns(null, false, "/*"); */DelegatingFilterProxy filter = new DelegatingFilterProxy("springSecurityFilterChain");filter.setContextAttribute("org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher");servletContext.addFilter("springSecurityFilterChain", filter).addMappingForUrlPatterns(null, false, "/*");}}

@Configuration@EnableWebSecurity@Order(2)public class SecurityConfiguration extends WebSecurityConfigurerAdapter {@Autowiredprivate UserDetailsService myUserDetailsService;@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {// auth.inMemoryAuthentication().withUser("marissa").password("koala").roles("USER").and().withUser("paul")// .password("emu").roles("USER");auth.userDetailsService(myUserDetailsService);}@Overridepublic void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers("/webjars/**", "/images/**", "/oauth/uncache_approvals", "/oauth/cache_approvals");}@Overrideprotected UserDetailsService userDetailsService() {return myUserDetailsService;}@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}@Overrideprotected void configure(HttpSecurity http) throws Exception {System.out.println("==============SecurityConfiguration.configure(HttpSecurity http)");// @formatter:off                 http            .authorizeRequests()                .antMatchers("/login.jsp").permitAll()                .anyRequest().hasRole("USER")                .and()            .exceptionHandling()                .accessDeniedPage("/login.jsp?authorization_error=true")                .and()            // TODO: put CSRF protection back into this endpoint            .csrf()                .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))                .disable()            .logout()            .logoutUrl("/logout")                .logoutSuccessUrl("/login.jsp")                .and()            .formLogin()            .loginProcessingUrl("/login")                .failureUrl("/login.jsp?authentication_error=true")                .loginPage("/login.jsp");        // @formatter:on}}

2.配置oauth

@Configurationpublic class OAuth2ServerConfig {@Configuration@EnableResourceServer@Order(6)protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {@Overridepublic void configure(ResourceServerSecurityConfigurer resources) {resources.resourceId(ResourcesIDs.USER_RESOURCE_ID).stateless(false);}@Overridepublic void configure(HttpSecurity http) throws Exception {System.out.println("====================ResourceServerConfiguration.configure(HttpSecurity http)");// @formatter:offhttp// Since we want the protected resources to be accessible in the UI as well we need // session creation to be allowed (it's disabled by default in 2.0.6).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and().requestMatchers().antMatchers("/user/**").and()            .authorizeRequests()                .antMatchers("/user/profile").access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");// @formatter:on}}@Configuration@EnableAuthorizationServerprotected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {@Autowired@Qualifier("myClientDetailsService")private ClientDetailsService clientDetailsService;@Autowiredprivate TokenStore tokenStore;@Autowiredprivate UserApprovalHandler userApprovalHandler;@Autowired@Qualifier("authenticationManagerBean")private AuthenticationManager authenticationManager;@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.withClientDetails(clientDetailsService);}@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler).authenticationManager(authenticationManager);/* * .pathMapping("/oauth/authorize", "/oauth2/authorize") * .pathMapping("/oauth/token", "/oauth2/token"); */// 以上的注释掉的是用来改变配置的}@Overridepublic void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {// oauthServer.realm("sparklr2/client");oauthServer.allowFormAuthenticationForClients();}@Beanpublic TokenStore tokenStore() {return new InMemoryTokenStore();}}/** * @author admin *  *         some bean denfinition * */@Configurationprotected static class Stuff {@Autowired@Qualifier("myClientDetailsService")private ClientDetailsService clientDetailsService;@Autowiredprivate TokenStore tokenStore;@Beanpublic ApprovalStore approvalStore() throws Exception {TokenApprovalStore store = new TokenApprovalStore();store.setTokenStore(tokenStore);return store;}@Bean@Lazy@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)public MyUserApprovalHandler userApprovalHandler() throws Exception {MyUserApprovalHandler handler = new MyUserApprovalHandler();handler.setApprovalStore(approvalStore());handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));handler.setClientDetailsService(clientDetailsService);handler.setUseApprovalStore(true);return handler;}}

以上是基于注解配置的

一定注意: ResourceServerConfiguration 和 SecurityConfiguration上配置的顺序,  SecurityConfiguration一定要在ResourceServerConfiguration 之前，因为spring实现安全是通过添加过滤器(Filter)来实现的，基本的安全过滤应该在oauth过滤之前, 所以在SecurityConfiguration设置@Order(2), 在ResourceServerConfiguration上设置@Order(6)

其它类:

MyUserApprovalHandler.java

public class MyUserApprovalHandler extends ApprovalStoreUserApprovalHandler {private boolean useApprovalStore = true;private ClientDetailsService clientDetailsService;/** * Service to load client details (optional) for auto approval checks. *  * @param clientDetailsService *            a client details service */public void setClientDetailsService(ClientDetailsService clientDetailsService) {this.clientDetailsService = clientDetailsService;super.setClientDetailsService(clientDetailsService);}/** * @param useApprovalStore *            the useTokenServices to set */public void setUseApprovalStore(boolean useApprovalStore) {this.useApprovalStore = useApprovalStore;}/** * Allows automatic approval for a white list of clients in the implicit * grant case. *  * @param authorizationRequest *            The authorization request. * @param userAuthentication *            the current user authentication *  * @return An updated request if it has already been approved by the current *         user. */@Overridepublic AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest,Authentication userAuthentication) {boolean approved = false;// If we are allowed to check existing approvals this will short circuit// the decisionif (useApprovalStore) {authorizationRequest = super.checkForPreApproval(authorizationRequest, userAuthentication);approved = authorizationRequest.isApproved();} else {if (clientDetailsService != null) {Collection<String> requestedScopes = authorizationRequest.getScope();try {ClientDetails client = clientDetailsService.loadClientByClientId(authorizationRequest.getClientId());for (String scope : requestedScopes) {if (client.isAutoApprove(scope)) {approved = true;break;}}} catch (ClientRegistrationException e) {}}}authorizationRequest.setApproved(approved);return authorizationRequest;}}

MyClientDetailsService.java

@Servicepublic class MyClientDetailsService implements ClientDetailsService {private ClientDetailsService clientDetailsService;@PostConstructpublic void init() {InMemoryClientDetailsServiceBuilder inMemoryClientDetailsServiceBuilder = new InMemoryClientDetailsServiceBuilder();// @formatter:offinMemoryClientDetailsServiceBuilder.withClient("tonr").resourceIds(ResourcesIDs.USER_RESOURCE_ID).authorizedGrantTypes("authorization_code", "implicit").authorities("ROLE_CLIENT").scopes("read", "write").secret("secret").and().withClient("tonr-with-redirect").resourceIds(ResourcesIDs.USER_RESOURCE_ID).authorizedGrantTypes("authorization_code", "implicit").authorities("ROLE_CLIENT").scopes("read", "write").secret("secret")// .redirectUris(tonrRedirectUri).and().withClient("my-client-with-registered-redirect").resourceIds(ResourcesIDs.USER_RESOURCE_ID).authorizedGrantTypes("authorization_code", "client_credentials").authorities("ROLE_CLIENT").scopes("read", "trust").redirectUris("http://anywhere?key=value").and().withClient("my-trusted-client").authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit").authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust").accessTokenValiditySeconds(60).and().withClient("my-trusted-client-with-secret").authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit").authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust").secret("somesecret").and().withClient("my-less-trusted-client").authorizedGrantTypes("authorization_code", "implicit").authorities("ROLE_CLIENT").scopes("read", "write", "trust").and().withClient("my-less-trusted-autoapprove-client").authorizedGrantTypes("implicit").authorities("ROLE_CLIENT").scopes("read", "write", "trust").autoApprove(true);// @formatter:ontry {clientDetailsService = inMemoryClientDetailsServiceBuilder.build();} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}}@Overridepublic ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {System.out.println("loadClientByClientId:" + clientId + "  ----------------------");return clientDetailsService.loadClientByClientId(clientId);}}