  • Spring Security OAuth2 端点安全源码

    默认配置

    AuthorizationServerSecurityConfigurer

    ...
    // Clients authenticate with HTTP Basic by default; setting this flag additionally accepts
    // form authentication, i.e. the client ID and secret passed as request parameters.
    // NOTE(review): parameter-borne secrets are more likely than an Authorization header to be
    // captured by access logs or intermediaries - enable only for clients that cannot send
    // Basic credentials, and only over TLS.
    private boolean allowFormAuthenticationForClients = false;
    // Access expression for the token-key endpoint (presumably /oauth/token_key - confirm);
    // access is denied by default.
    private String tokenKeyAccess = "denyAll()";
    // Access expression for the /oauth/check_token endpoint; access is denied by default.
    // NOTE(review): when opening this endpoint, prefer an expression that requires an
    // authenticated caller over one that permits everyone.
    private String checkTokenAccess = "denyAll()";
    // Plain-HTTP requests are not blocked by default.
    // NOTE(review): client credentials and tokens pass through these endpoints, so a
    // production deployment should enforce HTTPS here or at the edge.
    private boolean sslOnly = false;
    ...
    // 注册默认认证入口
    /**
     * Registers the default authentication entry point on the exception-handling configurer.
     *
     * <p>Does nothing when no {@code ExceptionHandlingConfigurer} is attached to {@code http}.
     * When no entry point has been set yet, a {@code BasicAuthenticationEntryPoint} carrying
     * the configured realm becomes the default. The entry point is registered only for
     * requests matching the listed media types; the wildcard type is ignored by the matcher.
     *
     * @param http the security builder whose exception handling is being configured
     */
    private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {
    	ExceptionHandlingConfigurer<HttpSecurity> handlingConfigurer = http
    			.getConfigurer(ExceptionHandlingConfigurer.class);
    	if (handlingConfigurer == null) {
    		// Exception handling is not configured, so there is nowhere to register.
    		return;
    	}

    	if (authenticationEntryPoint == null) {
    		// Fall back to HTTP Basic with the configured realm.
    		BasicAuthenticationEntryPoint basicDefault = new BasicAuthenticationEntryPoint();
    		basicDefault.setRealmName(realm);
    		authenticationEntryPoint = basicDefault;
    	}

    	// Reuse the shared negotiation strategy when one exists, else negotiate on headers.
    	ContentNegotiationStrategy sharedStrategy = http.getSharedObject(ContentNegotiationStrategy.class);
    	ContentNegotiationStrategy negotiation = sharedStrategy != null
    			? sharedStrategy
    			: new HeaderContentNegotiationStrategy();

    	MediaTypeRequestMatcher mediaTypeMatcher = new MediaTypeRequestMatcher(negotiation,
    			MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON,
    			MediaType.APPLICATION_OCTET_STREAM, MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA,
    			MediaType.TEXT_XML);
    	mediaTypeMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

    	handlingConfigurer.defaultAuthenticationEntryPointFor(postProcess(authenticationEntryPoint), mediaTypeMatcher);
    }
    // 客户端
    /**
     * Builds the filter used for client form authentication and places it ahead of
     * {@code BasicAuthenticationFilter} in the chain.
     *
     * <p>The filter is bound to the servlet path resolved for {@code /oauth/token}, uses the
     * {@code AuthenticationManager} shared on {@code http}, and is given an
     * {@code OAuth2AuthenticationEntryPoint} with type name {@code "Form"} and the configured
     * realm.
     *
     * @param http the security builder receiving the filter
     * @return the post-processed filter that was added to {@code http}
     */
    private ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter(HttpSecurity http) {
    	// Entry point dedicated to this filter; it does not touch the configurer-level field.
    	OAuth2AuthenticationEntryPoint formEntryPoint = new OAuth2AuthenticationEntryPoint();
    	formEntryPoint.setTypeName("Form");
    	formEntryPoint.setRealmName(realm);

    	ClientCredentialsTokenEndpointFilter formFilter = new ClientCredentialsTokenEndpointFilter(
    			frameworkEndpointHandlerMapping().getServletPath("/oauth/token"));
    	formFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    	formFilter.setAuthenticationEntryPoint(formEntryPoint);

    	// Register the post-processed instance, not the raw one.
    	ClientCredentialsTokenEndpointFilter processedFilter = postProcess(formFilter);
    	http.addFilterBefore(processedFilter, BasicAuthenticationFilter.class);
    	return processedFilter;
    }
    // 配置接口
    /**
     * Applies this configurer's authentication filters and access-denied handling to
     * {@code http}.
     *
     * @param http the security builder being configured
     * @throws Exception declared by the signature; presumably propagated from
     *         {@code http.exceptionHandling()} - confirm
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
    	
    	// ensure this is initialized
    	frameworkEndpointHandlerMapping();
    	// Register the client form-authentication filter only when form authentication has
    	// been explicitly allowed; the flag defaults to false.
    	if (allowFormAuthenticationForClients) {
    		clientCredentialsTokenEndpointFilter(http);
    	}
    
    	// Each additional token-endpoint authentication filter is placed ahead of
    	// BasicAuthenticationFilter, in iteration order.
    	for (Filter filter : tokenEndpointAuthenticationFilters) {
    		http.addFilterBefore(filter, BasicAuthenticationFilter.class);
    	}
    
    	// Access-denied responses go through the configured handler.
    	http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
    }
    ...
    
  • 原文地址:https://www.cnblogs.com/luguojun/p/14294792.html