I am new to the oauth-spring project and am trying to build secure REST endpoints under /api/entity. There are many entities, and the API is currently internal only. This is what I am using:
```java
@Configuration
static class Oauth2Config extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.checkTokenAccess("permitAll()");
        oauthServer.allowFormAuthenticationForClients();
    }

    /*
     * (non-Javadoc)
     *
     * @see org.springframework.security.oauth2.config.annotation.web.configuration.
     * AuthorizationServerConfigurerAdapter#configure(org.springframework.security.
     * oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer)
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients.inMemory()
            .withClient("domain")
            .secret("secret")//.accessTokenValiditySeconds(expiration)
            .scopes("read", "write", "read_all", "modify", "delete")
            .authorizedGrantTypes("password", "refresh_token")
            .resourceIds("api");
        // @formatter:on
    }

    /*
     * (non-Javadoc)
     *
     * @see org.springframework.security.oauth2.config.annotation.web.configuration.
     * AuthorizationServerConfigurerAdapter#configure(org.springframework.security.
     * oauth2.config.annotation.web.configurers.
     * AuthorizationServerEndpointsConfigurer)
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
```
And on my resource server:
```java
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("api");
}
```
This works well. My next task is an integration at /api/entity/sync.

This time I want the user to be redirected to an external OAuth login page when they hit the authenticated/token-protected /sync path. I spent almost a whole day on Spring OAuth and could not figure out how to do this.

My first integration is with the provider: when the user clicks "Allow" on the permissions page, the provider calls back using … and I do not know how to customize the following
```java
private static final RequestMatcher API_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/api/**"));
private static final RequestMatcher EXTERNAL_API_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/api/**/sync"));

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
            .requestMatchers(API_URLS)
            .access("#oauth2.hasScope('read')"); // require 'read' scope to access
    // @formatter:on
}
```
so that it allows oauth2Login and lets me customize:
```java
.oauth2Login()
    .tokenEndpoint()
        .accessTokenResponseClient(accessTokenResponseClient())
    .and()
    .userInfoEndpoint().userService(new ExternalUserDetailsService());
```
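One way to get both behaviours from the same application, as an added example that is not part of the question above: two ordered filter chains, one for the sync path that redirects browsers to the external provider via `oauth2Login()`, and one for the rest of `/api/**` that stays a stateless bearer-token resource server. It assumes Spring Security 5.x with spring-security-oauth2 (the `ResourceServerConfigurerAdapter` stack the question uses) and a `ClientRegistrationRepository` for the external provider supplied through `spring.security.oauth2.client.*` properties; `SyncLoginConfig`, `ApiResourceServerConfig` and `SYNC_URLS` are names chosen here.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Chain 1 (added example, not the poster's code): handles only /api/**/sync and uses a
// session plus the authorization-code redirect to the external provider.
// @Order(1) matters: spring-security-oauth2's resource-server chain defaults to order 3,
// so without an earlier chain /api/entity/sync would be claimed by the /api/** matcher
// and answered with a 401 instead of a redirect to the provider's login page.
@Configuration
@Order(1)
public class SyncLoginConfig extends WebSecurityConfigurerAdapter {
    private static final RequestMatcher SYNC_URLS = new AntPathRequestMatcher("/api/**/sync");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(SYNC_URLS)                 // this chain applies to the sync path only
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login();                            // the question's tokenEndpoint()/userInfoEndpoint()
                                                       // customisations chain onto this call
    }
}

// Chain 2: everything else under /api/** keeps the stateless, scope-checked
// bearer-token rule from the question. Registered via the poster's @EnableResourceServer.
@Configuration
class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
    private static final RequestMatcher API_URLS = new AntPathRequestMatcher("/api/**");

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(API_URLS)                  // restrict the chain itself, not just the rule
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
    }
}
```

Restricting each chain with `http.requestMatcher(...)` is what keeps the two from overlapping; `authorizeRequests().requestMatchers(...)` alone only scopes the access rule, not which chain picks up the request.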