开源中国 2018 年度最后一场技术盛会邀你来约~错过就要等明年啦!点此立即预约

li.shengzhao / spring-oauth-serverJavaGPL-2.0

指数
0
Watch 321 Star 862 Fork 490
加入码云
与超过 300 万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
security.xml 11.78 KB
一键复制 编辑 Web IDE 原始数据 按行查看 历史
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">
<!--
Spring Security + OAuth 的主配置文件
-->
<!-- 若需要调试, 可将debug 标签注释取消 -->
<!--<debug/>-->
<!-- 静态资源, 忽略 -->
<!--static url pattern-->
<http pattern="/resources/**" security="none"/>
<!-- 公开, 扩展的 API, public -->
<http pattern="/oauth/rest_token" security="none"/>
<http pattern="/oauth/check_token" security="none"/>
<!--
Oauth server start.............
https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md
-->
<!--
Spring MVC的注解配置, 注意: 该配置不能放置在 mkk-servlet.xml 文件中
-->
<mvc:annotation-driven/>
<mvc:default-servlet-handler/>
<!--
OAuth2 URL: /oauth/token 的处理与配置
一般使用时这里不需要修改, 直接使用即可
-->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauth2AuthenticationManager"
entry-point-ref="oauth2AuthenticationEntryPoint" use-expressions="false">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
<anonymous enabled="false"/>
<http-basic entry-point-ref="oauth2AuthenticationEntryPoint"/>
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
<access-denied-handler ref="oauth2AccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
<!--
处理grant_type=client_credentials 的逻辑
只从请求中获取client_id与client_secret
-->
<beans:bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="oauth2AuthenticationManager"/>
</beans:bean>
<!--
对具体的资源(resource)的安全配置逻辑, 包括ROLE, Scope等
可根据具体的需求添加, 每一类URL pattern 对应具体的resource
/unity/** 处理资源 unityResourceServer
/m/** 处理资源 mobileResourceServer
-->
<!--unity http configuration-->
<http pattern="/unity/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="false">
<anonymous enabled="false"/>
<intercept-url pattern="/unity/**" access="ROLE_UNITY,SCOPE_READ"/>
<custom-filter ref="unityResourceServer" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauth2AccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
<!--mobile http configuration-->
<http pattern="/m/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="false">
<anonymous enabled="false"/>
<intercept-url pattern="/m/**" access="ROLE_MOBILE,SCOPE_READ"/>
<custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauth2AccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
<!--
每一个资源(resource)的定义, resource-id必须唯一, OauthClientDetails中的resourceIds属性的值由此来的,
允许一个Client有多个resource-id, 由逗号(,)分隔
每一个定义会在Security Flow中添加一个位于 PRE_AUTH_FILTER 之前的Filter
-->
<!--unity resource server filter-->
<oauth2:resource-server id="unityResourceServer" resource-id="unity-resource" token-services-ref="tokenServices"/>
<!--mobile resource server filter-->
<oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource" token-services-ref="tokenServices"/>
<!--Config ClientDetailsService-->
<!--<oauth2:client-details-service id="clientDetailsService">-->
<!--&lt;!&ndash;unity client&ndash;&gt;-->
<!--<oauth2:client client-id="unity-client" resource-ids="unity-resource"-->
<!--authorized-grant-types="password,authorization_code,refresh_token,implicit"-->
<!--secret="unity" authorities="ROLE_UNITY" scope="read,write"/>-->
<!--&lt;!&ndash;mobile client&ndash;&gt;-->
<!--<oauth2:client client-id="mobile-client" resource-ids="mobile-resource"-->
<!--authorized-grant-types="password,authorization_code,refresh_token,implicit"-->
<!--secret="mobile" authorities="ROLE_MOBILE" scope="read,write"/>-->
<!--</oauth2:client-details-service>-->
<!--
管理 ClientDetails
-->
<beans:bean id="clientDetailsService" class="com.monkeyk.sos.domain.oauth.CustomJdbcClientDetailsService">
<beans:constructor-arg index="0" ref="dataSource"/>
</beans:bean>
<!--Config token services-->
<!--<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>-->
<beans:bean id="tokenStore" class="com.monkeyk.sos.domain.oauth.CustomJdbcTokenStore">
<beans:constructor-arg index="0" ref="dataSource"/>
</beans:bean>
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="tokenStore"/>
<beans:property name="clientDetailsService" ref="clientDetailsService"/>
<beans:property name="supportRefreshToken" value="true"/>
</beans:bean>
<!--<global-method-security pre-post-annotations="enabled" proxy-target-class="true">-->
<!--<expression-handler ref="oauth2ExpressionHandler"/>-->
<!--</global-method-security>-->
<!--<oauth2:expression-handler id="oauth2ExpressionHandler"/>-->
<!--<oauth2:web-expression-handler id="oauth2WebExpressionHandler"/>-->
<beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory"
id="oAuth2RequestFactory">
<beans:constructor-arg name="clientDetailsService" ref="clientDetailsService"/>
</beans:bean>
<beans:bean id="oauthUserApprovalHandler" class="com.monkeyk.sos.web.oauth.OauthUserApprovalHandler">
<beans:property name="tokenStore" ref="tokenStore"/>
<beans:property name="clientDetailsService" ref="clientDetailsService"/>
<beans:property name="requestFactory" ref="oAuth2RequestFactory"/>
<beans:property name="oauthService" ref="oauthService"/>
</beans:bean>
<!--
管理 Authorization code
-->
<!--<beans:bean id="jdbcAuthorizationCodeServices"-->
<!--class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">-->
<!--<beans:constructor-arg index="0" ref="dataSource"/>-->
<!--</beans:bean>-->
<beans:bean id="jdbcAuthorizationCodeServices"
class="com.monkeyk.sos.infrastructure.jdbc.SOSAuthorizationCodeServices">
<beans:constructor-arg index="0" ref="dataSource"/>
</beans:bean>
<!--
Security OAuth Flow的核心配置
每一个配置对应一类具体的grant_type
可根据需求删除或禁用, 如: <oauth2:implicit disabled="true"/>
默认支持OAuth2提供的5类grant_type, 若不需要任何一类, 将其配置注释掉(或删掉)即可.
若需要自定义 authorization url, 在 <oauth2:authorization-server > 配置中添加authorization-endpoint-url,如: authorization-endpoint-url="/oauth2/authorization"
若需要自定义 token url, 在 <oauth2:authorization-server > 配置中添加token-endpoint-url配置, 如:token-endpoint-url="/oauth2/my_token"
-->
<oauth2:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
user-approval-handler-ref="oauthUserApprovalHandler"
user-approval-page="oauth_approval"
error-page="oauth_error">
<oauth2:authorization-code authorization-code-services-ref="jdbcAuthorizationCodeServices"/>
<oauth2:implicit/>
<oauth2:refresh-token/>
<oauth2:client-credentials/>
<oauth2:password/>
</oauth2:authorization-server>
<beans:bean id="oauth2AuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
<beans:bean id="oauth2ClientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>
<authentication-manager id="oauth2AuthenticationManager">
<authentication-provider user-service-ref="oauth2ClientDetailsUserService"/>
</authentication-manager>
<!--
扩展Spring Security 默认的 AccessDecisionManager
添加对OAuth中 scope 的检查与校验
-->
<beans:bean id="oauth2AccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="oauth2AccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<http disable-url-rewriting="true" use-expressions="false"
authentication-manager-ref="authenticationManager">
<intercept-url pattern="/oauth/**" access="ROLE_USER,ROLE_UNITY,ROLE_MOBILE"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<!-- 配置表单验证 -->
<form-login authentication-failure-url="/login.jsp?authentication_error=1" default-target-url="/index.jsp"
login-page="/login.jsp" login-processing-url="/login.do"/>
<logout logout-success-url="/index.jsp" logout-url="/logout.do"/>
<access-denied-handler error-page="/login.jsp?authorization_error=2"/>
<anonymous/>
<!--CSRF 不启用; 实际 场景 推荐启用 -->
<csrf disabled="true"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userService">
<!--
密码使用 MD5 加密 ; 实际使用时推荐使用 SHA-256, 并使用 salt
-->
<password-encoder hash="md5"/>
</authentication-provider>
</authentication-manager>
<!--
Oauth server end.............
-->
</beans:beans>

评论 ( 0 )

你可以在登录后,发表评论

搜索帮助