java spring oauth 2的xml配置示例
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31435288/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
example xml configuration of spring oauth 2
提问by sagioto
I'm trying to implement add an oauth2 security scheme to my project, the oauth2 authentication server is already implemented by another project so all I need is to intercept relevant requests and use the the auth server in order to login, additionally, I want to use the auth server as an authorization provider by using the users' groups has roles in the application, my current spring security xml looks like this:
我正在尝试向我的项目添加 oauth2 安全方案,oauth2 身份验证服务器已经由另一个项目实现,所以我只需要拦截相关请求并使用身份验证服务器来登录,另外,我想通过使用用户组在应用程序中具有角色,将身份验证服务器用作授权提供者,我当前的 spring 安全 xml 如下所示:
<security:http pattern="/resources/**" security="none" />
<security:http pattern="/loginError.html" security="none" />
<security:http use-expressions="true">
<security:intercept-url pattern="/login.html"
access="permitAll"/>
<security:form-login login-page="/login.html"
authentication-failure-url="/loginError.html"/>
<security:logout logout-success-url="/login.html"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="p" authorities="VIEW"/>
<security:user name="admin" password="p" authorities="ALL, VIEW"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<security:global-method-security pre-post-annotations="enabled"/>
<oauth:resource-server id="oauthResourceServer" entry-point-ref="entry"/>
<bean id="entry" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="https://www.example.com" />
</bean>
also, we're using a web.xmlwith this filter:
此外,我们正在使用web.xml带有此过滤器的 a:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
The current authentication-manager is going to get moved to a development profile, and of course is not expected to be used alongside the oauth server. I'm aware that it's probably best to move to spring 4 and have configuration in code like the examples but it is not possible for me at this time so the current configuration mechanism should be maintained
当前的身份验证管理器将移至开发配置文件,当然预计不会与 oauth 服务器一起使用。我知道最好转移到 spring 4 并像示例一样在代码中进行配置,但目前对我来说是不可能的,因此应该保持当前的配置机制
采纳答案by sagioto
I found this example in an older version of the current github repository: https://github.com/spring-projects/spring-security-oauth/blob/114fbd44beef0382009f207c08f0b1d9c24e95a9/samples/oauth2/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
我在当前 github 存储库的旧版本中找到了这个示例:https: //github.com/spring-projects/spring-security-oauth/blob/114fbd44beef0382009f207c08f0b1d9c24e95a9/samples/oauth2/sparklr/src/main/webapp/ INF/spring-servlet.xml
there are more examples in here: https://github.com/cloudfoundry/uaa/tree/master/samples
这里有更多例子:https: //github.com/cloudfoundry/uaa/tree/master/samples
under src/main/webapp/WEB-INF in each of the projects
在每个项目的 src/main/webapp/WEB-INF 下
回答by OhadR
i have a working project of oAuth 2.0, with all 3 component, you can find it in GitHubwith explanations. I support there spring 3, spring 4 and spring 5, all configured with XML.
我有一个 oAuth 2.0 的工作项目,包含所有 3 个组件,您可以在 GitHub 中找到它并附有说明。我支持 spring 3、spring 4 和 spring 5,它们都配置了 XML。
for example, for spring-5, the authorization-server is configured this way:
例如,对于 spring-5,授权服务器是这样配置的:
<security:http pattern="/login/**" security="none" />
<!-- Protect the /oauth/token url to allow only registered clients -->
<!-- this statement enables the access to /oauth/token. without it we get "cannot access" -->
<security:http pattern="/oauth/token"
use-expressions="false"
authentication-manager-ref="clientAuthenticationManager">
<security:intercept-url pattern="/oauth/token" access="ROLE_CLIENT"/>
<security:anonymous enabled="false" />
<security:http-basic />
<security:csrf disabled="true"/>
</security:http>
<security:http auto-config="true"
use-expressions="false"
authentication-manager-ref="usersAuthManager">
<security:intercept-url pattern="/publicKey" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:form-login
login-page="/login/login.htm"
login-processing-url="/j_spring_security_check"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-url="/login/login.htm?login_error=1" />
<security:anonymous enabled="false"/>
<security:csrf disabled="true"/>
<!-- >security:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" /-->
<!-- security:access-denied-handler ref="oauthAccessDeniedHandler" /-->
</security:http>
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<security:authentication-manager alias="usersAuthManager">
<security:authentication-provider user-service-ref="userDetailsService"/>
</security:authentication-manager>
<security:user-service id="userDetailsService">
<security:user name="[email protected]" password="uripass" authorities="ROLE_USER" />
<security:user name="[email protected]" password="demo" authorities="ROLE_USER" />
</security:user-service>
<!-- OAuth2 Configuration -->
<oauth:authorization-server
client-details-service-ref="clientDetails"
token-services-ref="myAuthorizationServerTokenServices"
user-approval-handler-ref="automaticUserApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="${com.ohadr.oauth2.client.name}"
secret="${com.ohadr.oauth2.client.secret}"
scope="read,write,trust"
authorized-grant-types="authorization_code,refresh_token"
authorities="ROLE_CLIENT"/>
</oauth:client-details-service>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256"/>
</bean>
...
...
