From 2baad3721612ac26194da5aced29e491f3ef4259 Mon Sep 17 00:00:00 2001 From: LSZ Date: Tue, 24 May 2016 23:02:17 +0800 Subject: [PATCH] Update oauth2 config --- .../config/AuthorizationServerConfigurer.java | 64 ------------------- .../sos/config/MethodSecurityConfig.java | 25 -------- .../sos/config/OAuth2ServerConfig.java | 57 ++++++++++------- .../sos/config/ServletInitializer.java | 2 +- .../config/UnityResourceServerConfigurer.java | 52 --------------- .../sos/config/WebSecurityConfigurer.java | 3 +- src/main/webapp/login.jsp | 31 +-------- 7 files changed, 38 insertions(+), 196 deletions(-) delete mode 100644 src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java delete mode 100644 src/main/java/com/monkeyk/sos/config/MethodSecurityConfig.java delete mode 100644 src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java diff --git a/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java b/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java deleted file mode 100644 index 143e757..0000000 --- a/src/main/java/com/monkeyk/sos/config/AuthorizationServerConfigurer.java +++ /dev/null 
@@ -1,64 +0,0 @@ -package com.monkeyk.sos.config; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; -import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; -import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; -import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; -import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer; -import org.springframework.security.oauth2.provider.ClientDetailsService; -import org.springframework.security.oauth2.provider.approval.UserApprovalHandler; -import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices; -import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler; -import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint; -import org.springframework.security.oauth2.provider.token.DefaultTokenServices; - -/** - * 2016/4/4 - * - * @author Shengzhao Li - */ -//AuthorizationServer -//@Configuration -//@EnableAuthorizationServer -public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter { - -// @Autowired -// private DefaultTokenServices tokenServices; - - @Autowired - private UserApprovalHandler userApprovalHandler; - - @Autowired - private AuthorizationCodeServices authorizationCodeServices; - @Autowired - private ClientDetailsService clientDetailsService; - @Autowired - private OAuth2AccessDeniedHandler oauth2AccessDeniedHandler; - @Autowired - private OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint; - - @Override - public void configure(ClientDetailsServiceConfigurer clients) throws Exception { - 
clients.withClientDetails(clientDetailsService); - } - - - @Override - public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { - endpoints.userApprovalHandler(userApprovalHandler) -// .tokenServices(tokenServices) - .authorizationCodeServices(authorizationCodeServices); - } - - @Override - public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { - security.accessDeniedHandler(oauth2AccessDeniedHandler) - .authenticationEntryPoint(oAuth2AuthenticationEntryPoint) - .allowFormAuthenticationForClients(); - security.realm("spring-oauth-server_realm"); - } - - -} diff --git a/src/main/java/com/monkeyk/sos/config/MethodSecurityConfig.java b/src/main/java/com/monkeyk/sos/config/MethodSecurityConfig.java deleted file mode 100644 index 966d16c..0000000 --- a/src/main/java/com/monkeyk/sos/config/MethodSecurityConfig.java +++ /dev/null @@ -1,25 +0,0 @@ -package com.monkeyk.sos.config; - -import org.springframework.context.annotation.Configuration; -import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; -import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; -import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration; -import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler; - -/** - * 2016/4/4 - * - * @author Shengzhao Li - */ -@Configuration -@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) -public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { - - - @Override - protected MethodSecurityExpressionHandler createExpressionHandler() { - return new OAuth2MethodSecurityExpressionHandler(); -// return new DefaultMethodSecurityExpressionHandler(); - } - -} 
diff --git a/src/main/java/com/monkeyk/sos/config/OAuth2ServerConfig.java b/src/main/java/com/monkeyk/sos/config/OAuth2ServerConfig.java
index 9d082ef..77d7cb9 100644
--- a/src/main/java/com/monkeyk/sos/config/OAuth2ServerConfig.java
+++ b/src/main/java/com/monkeyk/sos/config/OAuth2ServerConfig.java
@@ -13,10 +13,9 @@ import org.springframework.security.oauth2.config.annotation.web.configuration.R
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
-import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
-import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
+import org.springframework.security.oauth2.provider.token.TokenStore;
 /**
 * 2016/4/4
@@ -26,11 +25,13 @@ import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHand
 @Configuration
 public class OAuth2ServerConfig {
+ private static final String UNITY_RESOURCE_ID = "unity-resource";
+ private static final String MOBILE_RESOURCE_ID = "mobile-resource";
 // unity-resource
 @Configuration
 @EnableResourceServer
- protected static class UnityResourceServerConfigurer extends ResourceServerConfigurerAdapter {
+ protected static class UnityResourceServerConfiguration extends ResourceServerConfigurerAdapter {
 @Autowired
@@ -38,26 +39,22 @@ public class OAuth2ServerConfig {
 @Override
 public void configure(ResourceServerSecurityConfigurer resources) {
- resources.resourceId("unity-resource").stateless(false);
+ resources.resourceId(UNITY_RESOURCE_ID).stateless(false);
 }
 @Override
 public void configure(HttpSecurity http) throws Exception {
-// final DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
-// expressionHandler.setExpressionParser();
 http.sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.NEVER)
+ .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
 .and()
 .requestMatchers().antMatchers("/unity/**")
 .and()
 .authorizeRequests()
-// .expressionHandler(expressionHandler)
 .antMatchers("/unity/**")
-// .access("hasRole('ROLE_UNITY') and hasRole('SCOPE_READ')")
- .access("#oauth2.clientHasRole('ROLE_UNITY') and #oauth2.isClient() and #oauth2.hasScope('read')")
- .accessDecisionManager(oauth2AccessDecisionManager)
- .and().csrf().disable();
+ .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_UNITY'))");
+// .accessDecisionManager(oauth2AccessDecisionManager)
+// .and().csrf().disable();
 }
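Review bot: The replacement access rule drops the `#oauth2.clientHasRole('ROLE_UNITY')` and `#oauth2.isClient()` checks, so a bearer request now needs only the `read` scope plus a token whose resource ids include `unity-resource` (that part is enforced by the `resourceId(UNITY_RESOURCE_ID)` filter, not by this expression); that is fine for the single in-memory `unity-client`, but any client later registered with that resource id inherits access, so record the intent next to the rule: `// any client bound to unity-resource with scope 'read' may call /unity/**; browser sessions need ROLE_UNITY`. Because `stateless(false)` together with `IF_REQUIRED` now lets a session cookie authenticate `/unity/**`, leaving CSRF enabled (the `.csrf().disable()` is commented out) is the right call, but the dead `// .accessDecisionManager(...)` and `// .and().csrf().disable();` lines should be deleted rather than left where a later edit can re-enable them. Note also that `CsrfFilter` runs ahead of the OAuth2 token filter in this chain, so any non-GET `/unity/**` call made with a Bearer token will be rejected for a missing CSRF token; if such endpoints exist, scope CSRF to cookie-authenticated traffic with `.csrf().requireCsrfProtectionMatcher(...)` matching only requests that carry no `Authorization: Bearer` header.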
@@ -67,41 +64,57 @@ public class OAuth2ServerConfig {
 //AuthorizationServer
 @Configuration
 @EnableAuthorizationServer
- protected static class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
+ protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
 // @Autowired
 // private DefaultTokenServices tokenServices;
+ @Autowired
+ private TokenStore tokenStore;
+
 @Autowired
 private UserApprovalHandler userApprovalHandler;
 @Autowired
 private AuthorizationCodeServices authorizationCodeServices;
- @Autowired
- private ClientDetailsService clientDetailsService;
- @Autowired
- private OAuth2AccessDeniedHandler oauth2AccessDeniedHandler;
+// @Autowired
+// private ClientDetailsService clientDetailsService;
+// @Autowired
+// private OAuth2AccessDeniedHandler oauth2AccessDeniedHandler;
 // @Autowired
 // private OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint;
 @Override
 public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
- clients.withClientDetails(clientDetailsService);
+// clients.withClientDetails(clientDetailsService);
+ clients.inMemory().withClient("unity-client")
+ .resourceIds(UNITY_RESOURCE_ID)
+ .authorizedGrantTypes("authorization_code", "refresh_token", "implicit")
+ .authorities("ROLE_UNITY")
+ .scopes("read")
+ .secret("unity")
+ .and()
+ .withClient("mobile-client")
+ .resourceIds(MOBILE_RESOURCE_ID)
+ .authorizedGrantTypes("password", "refresh_token")
+ .authorities("ROLE_CLIENT")
+ .scopes("read")
+ .secret("mobile");
 }
 @Override
 public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
- endpoints.userApprovalHandler(userApprovalHandler)
-// .tokenServices(tokenServices)
+ endpoints.tokenStore(tokenStore)
+ .userApprovalHandler(userApprovalHandler)
 .authorizationCodeServices(authorizationCodeServices);
 }
 @Override
 public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
-
security.accessDeniedHandler(oauth2AccessDeniedHandler)
+// security.accessDeniedHandler(oauth2AccessDeniedHandler)
 // .authenticationEntryPoint(oAuth2AuthenticationEntryPoint)
- .allowFormAuthenticationForClients();
+// .allowFormAuthenticationForClients();
 security.realm("spring-oauth-server_realm");
 }
diff --git a/src/main/java/com/monkeyk/sos/config/ServletInitializer.java b/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
index 4a6a10e..cf341c4 100644
--- a/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
+++ b/src/main/java/com/monkeyk/sos/config/ServletInitializer.java
@@ -60,7 +60,7 @@ public class ServletInitializer extends AbstractDispatcherServletInitializer {
 @Override
 protected WebApplicationContext createRootApplicationContext() {
- return null;
+ return createServletApplicationContext();
 }
 @Override
diff --git a/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java b/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java
deleted file mode 100644
index 62e3986..0000000
--- a/src/main/java/com/monkeyk/sos/config/UnityResourceServerConfigurer.java
+++ /dev/null
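Review bot: The new in-memory registry commits plaintext, trivially guessable client secrets to source (`.secret("unity")`, `.secret("mobile")`), and with `clients.withClientDetails(clientDetailsService)` commented out they are now the only client credentials the token endpoint accepts; they should be read from configuration (`Environment`/`@Value`) and, if a `passwordEncoder` is set on `AuthorizationServerSecurityConfigurer`, stored hashed — or the externalized `ClientDetailsService` should be restored. `unity-client` is allowed `authorization_code` and `implicit` but registers no `.redirectUris(...)`; depending on the `RedirectResolver` in use, the authorization endpoint will either reject every request for lack of a registered URI or honour whatever `redirect_uri` the caller supplies, so the client's exact callback URI(s) must be registered. `mobile-client` is bound to `MOBILE_RESOURCE_ID`, yet no `@EnableResourceServer` configuration carrying that resource id appears anywhere in this diff — confirm one exists elsewhere, otherwise nothing enforces it. The commented-out `accessDeniedHandler(...)` and `allowFormAuthenticationForClients()` lines in `configure(AuthorizationServerSecurityConfigurer)` should be removed rather than kept as dead code.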
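Review bot: Returning `createServletApplicationContext()` from `createRootApplicationContext()` means — assuming `createServletApplicationContext()`, which is outside this hunk, builds a fresh context from the same configuration classes on each call — the whole configuration is instantiated twice: once as the root context (where `DelegatingFilterProxy` looks up `springSecurityFilterChain`, presumably why `null` no longer worked) and once as the DispatcherServlet's child context. Every singleton is then duplicated, including the `TokenStore` the authorization server now injects; if that store is in-memory, tokens issued by the child-context `/oauth/token` endpoint would be unknown to the root-context resource filter. The usual split is to build the security/OAuth2 configuration only in the root context and give the servlet context just the MVC configuration (or move to `AbstractAnnotationConfigDispatcherServletInitializer` with `getRootConfigClasses()`/`getServletConfigClasses()`), and to record the rule on `createRootApplicationContext()`: `// root context owns the security + OAuth2 beans; the servlet context must not re-register them`.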
@@ -1,52 +0,0 @@ -package com.monkeyk.sos.config; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.access.AccessDecisionManager; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.http.SessionCreationPolicy; -import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; -import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; -import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; - -/** - * 2016/4/4 - * - * @author Shengzhao Li - */ -// unity-resource -//@Configuration -//@EnableResourceServer -public class UnityResourceServerConfigurer extends ResourceServerConfigurerAdapter { - - - @Autowired - private AccessDecisionManager oauth2AccessDecisionManager; - - @Override - public void configure(ResourceServerSecurityConfigurer resources) { - resources.resourceId("unity-resource").stateless(false); - } - - @Override - public void configure(HttpSecurity http) throws Exception { -// final DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler(); -// expressionHandler.setExpressionParser(); - - http.sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.NEVER) - .and() - .requestMatchers().antMatchers("/unity/**") - .and() - .authorizeRequests() -// .expressionHandler(expressionHandler) - .antMatchers("/unity/**") -// .access("hasRole('ROLE_UNITY') and hasRole('SCOPE_READ')") - .access("#oauth2.clientHasRole('ROLE_UNITY') and #oauth2.isClient() and #oauth2.hasScope('read')") - .accessDecisionManager(oauth2AccessDecisionManager) - .and().csrf().disable(); - - } - -} - 
diff --git a/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java b/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java index a2f4d44..65f6f44 100644 --- a/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java +++ b/src/main/java/com/monkeyk/sos/config/WebSecurityConfigurer.java @@ -66,7 +66,7 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() - .antMatchers("/oauth/**").hasAnyRole("USER,UNITY,MOBILE") + .antMatchers("/oauth/**").hasAnyRole("ROLE_USER", "ROLE_UNITY", "ROLE_MOBILE") .antMatchers("/**").anonymous() .and() .exceptionHandling().accessDeniedPage("/login.jsp?authorization_error=2") @@ -184,5 +184,4 @@ public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter { // } - } diff --git a/src/main/webapp/login.jsp b/src/main/webapp/login.jsp index 80eb6cb..7ba3edd 100644 --- a/src/main/webapp/login.jsp +++ b/src/main/webapp/login.jsp @@ -45,35 +45,6 @@ -
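Review bot: `.hasAnyRole("ROLE_USER", "ROLE_UNITY", "ROLE_MOBILE")` hands already-prefixed names to `ExpressionUrlAuthorizationConfigurer.hasAnyRole`, which in the Spring Security 3.2/4.x builders prepends `ROLE_` itself, producing `hasAnyRole('ROLE_ROLE_USER','ROLE_ROLE_UNITY','ROLE_ROLE_MOBILE')`; unless users genuinely hold those doubled authorities, `/oauth/**` (authorize and confirm_access) is denied to every logged-in user. The pre-change `hasAnyRole("USER,UNITY,MOBILE")` was broken in the same direction (a single comma-joined role), so the commit swaps one non-matching rule for another. The fix is `.antMatchers("/oauth/**").hasAnyRole("USER", "UNITY", "MOBILE")`, or `.hasAnyAuthority("ROLE_USER", "ROLE_UNITY", "ROLE_MOBILE")` if the prefixed spelling is preferred; verify against the Spring Security version actually on the classpath. `configure(HttpSecurity)` continues past the end of this hunk.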
-

You can use the users to login as follow:

- - - - - - - - - - - - - - - - - - - - - - - - - -
UsernamePasswordPrivileges
adminadminAll privileges, allow visit [Mobile] and [Unity] resources
unityunityOnly allow visit [Unity] resource, support grant_type: - authorization_code,refresh_token,implicit
mobilemobileOnly allow visit [Mobile] resource, support grant_type: password,refresh_token
-
+ \ No newline at end of file