  • [更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件

    没有任何注释,表怪我(¬_¬)

    更新:

    2016.05.29: 将AuthorizationServer和ResourceServer分开配置

    2016.05.29: Token获取采用Http Basic认证以符合RFC6749标准

    2016.05.29: grant_type支持authorization_code, password, refresh_token

    2016.05.27: 增加用于REST服务的安全配置

    2016.05.27: 可选采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0或者HTTP BASIC

    2016.05.27: REST安全验证和WEB安全验证均可通过配置文件关闭

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 4.0 + Spring Security OAuth2 configuration.

  Every <beans:beans profile="..."> group below is only active when that Spring
  profile is enabled. The profile selection happens outside this file
  (presumably derived from web.authenticationType / rest.authenticationType in
  the accompanying properties file by bootstrap code not shown here; verify).

  Beans referenced but NOT defined in this file, expected from the rest of the
  context: clientDetailsService, passwordEncoder, userDetailsService,
  jwtSigningKey, jwtVerifierKey.

  Ordering matters: Spring Security tries the <http> chains in declaration
  order and the first chain whose pattern matches a request handles it, so the
  narrow patterns (/oauth/token, ${rest.rooturl}/**) must stay declared above
  the catch-all /** chains.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-4.0.xsd
                                 http://www.springframework.org/schema/security/oauth2
                                 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">


    <!-- Method-level security: enables @PreAuthorize / @PostAuthorize. CGLIB
         class proxies are forced so annotated beans without interfaces work too. -->
    <global-method-security pre-post-annotations="enabled" order="0"
                            proxy-target-class="true">
    </global-method-security>

    <!-- Session registry shared with the concurrency-control of the
         local/ldap web chain (session-registry-ref below). -->
    <beans:bean id="sessionRegistry"
                class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!-- Static resources bypass the security filter chain completely. -->
    <http security="none" pattern="/resources/**" />
    <http security="none" pattern="/favicon.ico" />

    <!-- ==================================================================
         Authorization server: issues access tokens as RSA-signed JWTs.
         ================================================================== -->
    <beans:beans profile="oauth-authorization-server">
        <!-- Signs issued tokens with the private key (jwtSigningKey) and
             verifies with the public key (jwtVerifierKey). -->
        <beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
            <beans:property name="signingKey" ref="jwtSigningKey"/>
            <beans:property name="verifierKey" ref="jwtVerifierKey"/>
        </beans:bean>

        <!-- NOTE(review): JwtTokenStore keeps no server-side record of issued
             tokens (the JWT itself is the token), so a token cannot be revoked
             before it expires; confirm that fits the intended token lifetime. -->
        <beans:bean id="oauth2AuthorizationServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
            <beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter"/>
        </beans:bean>

        <!-- Token services behind the grant endpoints. Refresh tokens are issued
             (supportRefreshToken) to go with the refresh-token grant below. No
             validity periods are configured here, so lifetimes presumably come
             from the client details or the DefaultTokenServices defaults. -->
        <beans:bean id="oauth2AuthorizationServerTokenServices"
                    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
            <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
            <beans:property name="supportRefreshToken" value="true" />
        </beans:bean>

        <!-- Exposes OAuth2 clients as "users" so the token endpoint can
             authenticate client id / secret from clientDetailsService, with the
             secret checked through the shared passwordEncoder. -->
        <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
                    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
            <beans:constructor-arg ref="clientDetailsService"/>
            <beans:property name="passwordEncoder" ref="passwordEncoder"/>
        </beans:bean>

        <!-- OAuth2-specific entry point for the token endpoint chain. -->
        <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
                    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

        <!-- Authentication manager for /oauth/token: authenticates the CLIENT
             (its credentials), not an end user. -->
        <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
            <authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
        </authentication-manager>

        <!-- Decides whether the user must approve a client's requested scopes.
             NOTE(review): TokenStoreUserApprovalHandler presumably remembers an
             approval by finding an existing token in the token store; with
             JwtTokenStore there is nothing to find, so users may be asked to
             approve on every authorization_code request; verify. -->
        <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
                    class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" >
            <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="requestFactory">
                <beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
                    <beans:constructor-arg ref="clientDetailsService"/>
                </beans:bean>
            </beans:property>
        </beans:bean>

        <!-- OAuth2-specific access-denied handler for the token endpoint chain. -->
        <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
                    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

        <!-- Enabled grants: authorization_code, refresh_token, password.
             implicit and client_credentials are commented out. -->
        <oauth2:authorization-server
                     token-services-ref="oauth2AuthorizationServerTokenServices"
                     client-details-service-ref="clientDetailsService"
                     user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
                     user-approval-page="oauth/authorize"
                     error-page="oauth/error" >
            <oauth2:authorization-code />
            <!--<oauth2:implicit />-->
            <oauth2:refresh-token />
            <!--<oauth2:client-credentials />-->
            <!-- No authentication-manager-ref is given, so the password grant
                 presumably authenticates the resource owner against the default
                 authentication manager registered by the active web profile;
                 verify, in particular for the web-security-none profile. -->
            <oauth2:password />
        </oauth2:authorization-server>

        <!-- Token endpoint chain: stateless, the client authenticates with HTTP
             Basic (RFC 6749 client authentication) and every request must be
             fully authenticated. CSRF is disabled here; this chain holds no
             session and is authenticated per request by Basic credentials
             rather than by a cookie. -->
        <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
              authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
              entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
            <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
            <http-basic />
            <access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler"/>
            <csrf disabled="true"/>
        </http>
    </beans:beans>

    <!-- ==================================================================
         Resource server: validates JWT bearer tokens for the REST API.
         Active for the combined rest-security-oauth profile and for a
         standalone oauth-resource-server profile.
         ================================================================== -->
    <beans:beans profile="rest-security-oauth,oauth-resource-server">
        <!-- Verify-only converter: holds the public key only, so this side can
             check signatures but never mint tokens. -->
        <beans:bean id="oauth2ResourceServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
            <beans:property name="verifierKey" ref="jwtVerifierKey"/>
        </beans:bean>

        <beans:bean id="oauth2ResourceServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
            <beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter"/>
        </beans:bean>

        <!-- Token services used to decode incoming tokens. tokenEnhancer and
             supportRefreshToken are presumably unused on the resource side
             (only token loading happens here); harmless, but could be dropped. -->
        <beans:bean id="oauth2ResourceServerTokenServices"
                    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
            <beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
            <beans:property name="supportRefreshToken" value="true" />
        </beans:bean>

        <!-- Access decisions: UnanimousBased denies if any voter denies.
             ScopeVoter evaluates SCOPE_* attributes against the token's scopes
             (and presumably the DENY_OAUTH attribute, its deny-access marker);
             AuthenticatedVoter evaluates IS_AUTHENTICATED_*. -->
        <beans:bean id="oauth2ResourceServerAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
            <beans:constructor-arg>
                <beans:list>
                    <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
                    <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                </beans:list>
            </beans:constructor-arg>
        </beans:bean>

        <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
                    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

        <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
                    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

        <!-- Bearer-token filter. Tokens not issued for ${oauth.resourceId} are
             presumably rejected by the resource-id check; verify. -->
        <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}" token-services-ref="oauth2ResourceServerTokenServices" />

        <!-- REST chain: stateless, no SpEL (access values are voter attributes).
             Rules match top to bottom:
               ${rest.rooturl}/security/**  requires the SCOPE_SECURITY attribute
                                            to be satisfied by the token's scopes
               ${rest.rooturl}/demo/**      any fully authenticated token
               everything else under the REST root is denied to OAuth2 callers -->
        <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
              entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
              access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager">

            <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY"/>
            <intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY"/>
            <intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH"/>

            <!-- Bearer-token filter inserted ahead of the pre-auth filter slot. -->
            <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER"/>
            <access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler"/>
            <csrf disabled="true"/>
        </http>
    </beans:beans>

    <!-- REST API protected by HTTP Basic instead of OAuth2 (stateless, so the
         user's credentials travel on every request). The authentication manager
         comes from whichever web profile is active. -->
    <beans:beans profile="rest-security-basic">
        <http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
            <intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()"/>
            <http-basic />
            <csrf disabled="true"/>
        </http>
    </beans:beans>

    <!-- REST API with no security filters at all. -->
    <beans:beans profile="rest-security-none">
        <http security="none" pattern="${rest.rooturl}/**" />
    </beans:beans>

    <!-- Whole web application with no security filters at all. -->
    <beans:beans profile="web-security-none">
        <http security="none" pattern="/**" />
    </beans:beans>

    <!-- ==================================================================
         Browser (session-based) security shared by local-DB and LDAP login.
         The authentication manager is supplied by whichever of the two
         profiles below is active.
         ================================================================== -->
    <beans:beans profile="web-security-local,web-security-ldap">
        <http use-expressions="true">

            <!-- Login and logout are public; everything else, including the
                 OAuth2 /oauth/** endpoints (e.g. the approval page), needs a
                 fully authenticated user. -->
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/login/**" access="permitAll" />
            <intercept-url pattern="/logout" access="permitAll" />
            <intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
            <intercept-url pattern="/**" access="isFullyAuthenticated()" />
            <!-- Form login: GET /login shows the page, POST /login processes it. -->
            <form-login login-page="/login" login-processing-url="/login"
                authentication-failure-url="/login?error"
                default-target-url="/" username-parameter="username"
                password-parameter="password" />
            <!-- Logout invalidates the session and drops the JSESSIONID cookie. -->
            <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                invalidate-session="true" delete-cookies="JSESSIONID" />

            <!-- New session id on login (fixation protection). At most one
                 session per user; with error-if-maximum-exceeded="false" a new
                 login presumably expires the older session instead of being
                 refused (confirm). -->
            <session-management invalid-session-url="/login"
                session-fixation-protection="migrateSession">
                <concurrency-control max-sessions="1"
                    error-if-maximum-exceeded="false"
                    session-registry-ref="sessionRegistry" />
            </session-management>

            <!-- NOTE(review): this chain authenticates with a session cookie, so
                 disabling CSRF leaves form submissions and other state-changing
                 requests open to cross-site request forgery. Spring Security 4
                 enables CSRF by default; re-enabling it requires the login and
                 logout forms to submit the _csrf token (and logout via POST). -->
            <csrf disabled="true" />

        </http>
    </beans:beans>

    <!-- Local login: users from userDetailsService, passwords checked with
         the shared passwordEncoder. -->
    <beans:beans profile="web-security-local">
        <authentication-manager>
            <authentication-provider user-service-ref="userDetailsService">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

    <!-- LDAP / Windows-domain login: the user is located with ldapUserSearch
         (using the manager account from ldap.userDN / ldap.password) and then
         authenticated by an LDAP bind; authorities still come from the local
         userDetailsService. -->
    <beans:beans profile="web-security-ldap">
        <authentication-manager>
            <authentication-provider ref="ldapAuthenticationProvider" />
        </authentication-manager>

        <beans:bean id="ldapAuthenticationProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
            <beans:constructor-arg index="0"
                ref="ldapAuthenticator" />
            <beans:constructor-arg index="1"
                ref="ldapAuthoritiesPopulator" />
        </beans:bean>

        <!-- Bind-based authentication: the user's own credentials are checked
             against the directory. -->
        <beans:bean id="ldapAuthenticator"
            class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="ldapContextSource" />
            <beans:property name="userSearch" ref="ldapUserSearch" />
        </beans:bean>

        <!-- Finds the user's DN under ldap.searchBase using ldap.searchFilter. -->
        <beans:bean id="ldapUserSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <beans:constructor-arg index="0"
                value="${ldap.searchBase}" />
            <beans:constructor-arg index="1"
                value="${ldap.searchFilter}" />
            <beans:constructor-arg index="2"
                ref="ldapContextSource" />
        </beans:bean>

        <!-- Directory connection; userDn / password are the manager (service)
             account used for the search, not the end user's credentials. -->
        <beans:bean id="ldapContextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <beans:constructor-arg value="${ldap.url}" />
            <beans:property name="userDn" value="${ldap.userDN}" />
            <beans:property name="password" value="${ldap.password}" />
        </beans:bean>

        <!-- Roles are NOT read from LDAP groups; they are looked up in the
             local userDetailsService by username. -->
        <beans:bean id="ldapAuthoritiesPopulator"
            class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="userDetailsService" />
        </beans:bean>
    </beans:beans>

    <!-- ==================================================================
         Single sign-on through a CAS server (web-security-cas).
         ================================================================== -->
    <beans:beans profile="web-security-cas">
        <!-- Unauthenticated requests are sent to CAS by casEntryPoint; the
             service-ticket callback path (cas.localSystemLoginUrl) is public. -->
        <http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
            <intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
            <intercept-url pattern="/logout" access="permitAll" />
            <intercept-url pattern="/**" access="isFullyAuthenticated()" />
            <!-- casFilter validates service tickets; singleLogoutFilter is the
                 CAS client's single-sign-out filter (presumably handles logout
                 notifications from CAS); requestSingleLogoutFilter runs ahead of
                 the standard logout filter, so a local /logout clears the
                 security context and redirects to cas.logoutUrl. -->
            <custom-filter position="CAS_FILTER" ref="casFilter"/>
            <custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
            <custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
            <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                invalidate-session="true" delete-cookies="JSESSIONID" />

            <!-- Same session rules as the local/ldap chain, but without the
                 shared sessionRegistry (presumably a private registry is created). -->
            <session-management invalid-session-url="/login"
                session-fixation-protection="migrateSession">
                <concurrency-control max-sessions="1"
                    error-if-maximum-exceeded="false" />
            </session-management>

            <!-- NOTE(review): session-cookie authenticated chain with CSRF
                 disabled; same concern as the local/ldap chain (state-changing
                 requests are forgeable cross-site). -->
            <csrf disabled="true" />

        </http>

        <!-- Aliased so casFilter can reference it by name. -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="casAuthenticationProvider" />
        </authentication-manager>

        <!-- The "service" URL CAS redirects back to with the ticket; sendRenew
             false presumably lets CAS reuse an existing SSO session. -->
        <beans:bean id="serviceProperties"
            class="org.springframework.security.cas.ServiceProperties">
            <beans:property name="service"
                value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
            <beans:property name="sendRenew" value="false" />
        </beans:bean>

        <!-- Redirects unauthenticated users to the CAS login page. -->
        <beans:bean id="casEntryPoint"
            class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
            <beans:property name="loginUrl" value="${cas.loginUrl}" />
            <beans:property name="serviceProperties" ref="serviceProperties" />
        </beans:bean>

        <!-- Validates the service ticket against cas.url (CAS 2.0 protocol) and
             loads the local user record / authorities from userDetailsService.
             "key" presumably identifies this provider in the tokens it creates;
             it is not a secret used for signing. -->
        <beans:bean id="casAuthenticationProvider"
            class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
            <beans:property name="userDetailsService" ref="userDetailsService" />
            <beans:property name="serviceProperties" ref="serviceProperties" />
            <beans:property name="ticketValidator">
                <beans:bean
                    class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                    <beans:constructor-arg index="0"
                        value="${cas.url}" />
                </beans:bean>
            </beans:property>
            <beans:property name="key"
                value="an_id_for_this_auth_provider_only" />
        </beans:bean>

        <!-- Processes the CAS callback (cas.localSystemLoginUrl) carrying the ticket. -->
        <beans:bean id="casFilter"
            class="org.springframework.security.cas.web.CasAuthenticationFilter">
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
        </beans:bean>

        <beans:bean id="singleLogoutFilter"
            class="org.jasig.cas.client.session.SingleSignOutFilter" />

        <!-- Local /logout: clear the security context, then redirect the browser
             to the CAS logout URL (first constructor argument). -->
        <beans:bean id="requestSingleLogoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
            <beans:constructor-arg value="${cas.logoutUrl}" />
            <beans:constructor-arg>
                <beans:bean
                    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </beans:constructor-arg>
            <beans:property name="filterProcessesUrl" value="/logout" />
        </beans:bean>
    </beans:beans>

</beans:beans>

    随附配置文件内容

     1 #WEB_CONFIG
     2 ##Set WEB authenticate type: none || local || ldap || cas
     3 web.authenticationType=local
     4 
     5 #REST_CONFIG
     6 ##Set REST request root url, please DO NOT end with '/' or '*', just like '/webservice/rest' for 'http://example.com/webservice/rest/*'
     7 rest.rooturl=/rs
     8 ##Set REST authenticate type: none || oauth || basic
     9 rest.authenticationType=oauth
    10 
    11 #OAUTH_CONFIG
    12 oauth.resourceId=DEMO
    13 oauth.jwtVerifierKeyFile=jwtPubKey.pem
    14 oauth.jwtSigningKeyFile=jwtPrivKey.pem
    15 
    16 #CAS_CONFIG
    17 cas.localSystemUrl=http://www.example.com
    18 cas.localSystemLoginUrl=/j_spring_security_cas_check
    19 cas.url=http://cas.server.com/cas
    20 cas.loginUrl=http://cas.server.com/cas/login
    21 cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage
    22 
    23 #LDAP_CONFIG
    24 ldap.url=ldap://ldap.server.com:389/
    25 ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
    26 ldap.password=XXX
    27 ldap.searchBase=OU=XXX,,DC=server,DC=com
    28 ldap.searchFilter=(sAMAccountName={0})
  • 原文地址:https://www.cnblogs.com/cfrost/p/5491394.html