【问题标题】:example xml configuration of spring oauth 2(spring oauth 2 的示例 xml 配置)
【发布时间】:2015-10-04 18:46:17
【问题描述】:

我正在尝试向我的项目添加一个 oauth2 安全方案, oauth2 身份验证服务器已经由另一个项目实现,所以我只需要拦截相关请求并使用身份验证服务器进行登录, 另外,我想通过使用用户组在应用程序中具有角色来使用身份验证服务器作为授权提供程序, 我当前的 Spring Security xml 如下所示:

<!-- Filter chains are evaluated in declaration order: the first <security:http> whose
     pattern matches the request wins, so the two security="none" chains below must stay
     ahead of the catch-all chain. security="none" bypasses the security filters entirely. -->
<security:http pattern="/resources/**" security="none" />
    <security:http pattern="/loginError.html" security="none" />
    <!-- Catch-all chain (no pattern). Only /login.html carries an explicit access rule.
         NOTE(review): no intercept-url covers /** here; confirm whether the remaining URLs
         are meant to be protected by this chain, because the XML namespace does not restrict
         a URL that matches no intercept-url. -->
    <security:http use-expressions="true">
        <security:intercept-url pattern="/login.html"
                                access="permitAll"/>
        <security:form-login login-page="/login.html"
                             authentication-failure-url="/loginError.html"/>
        <security:logout logout-success-url="/login.html"/>
    </security:http>

    <!-- In-memory users with plaintext passwords and role names used as authorities.
         Per the question text this block is to move to a development profile; it must not
         be part of the configuration that talks to the real OAuth server. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user" password="p" authorities="VIEW"/>
                <security:user name="admin" password="p" authorities="ALL, VIEW"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Enables @PreAuthorize / @PostAuthorize on service methods. -->
    <security:global-method-security pre-post-annotations="enabled"/>

    <!-- Resource-server filter bean that would validate bearer tokens on incoming requests.
         NOTE(review): nothing in this excerpt references "oauthResourceServer" from the
         <security:http> chain above; confirm it is registered there (e.g. as a custom-filter),
         otherwise access tokens are never checked. -->
    <oauth:resource-server id="oauthResourceServer" entry-point-ref="entry"/>
    <!-- Entry point invoked when an unauthenticated request reaches the resource server:
         the caller is sent to this absolute login URL (a redirect by default). -->
    <bean id="entry" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="https://www.example.com" />
    </bean>

此外,我们正在使用带有此过滤器的web.xml

<!-- Registers the Spring Security filter chain with the servlet container.
     DelegatingFilterProxy forwards each request it receives to the Spring bean whose name
     equals this filter-name ("springSecurityFilterChain"). The matching <filter-mapping>
     is not shown in this excerpt. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

当前的身份验证管理器将移至开发配置文件,当然不会与 oauth 服务器一起使用。 我知道最好转到 spring 4 并像示例一样在代码中进行配置,但目前对我来说是不可能的,所以应该保持当前的配置机制

【问题讨论】:

    标签: java xml spring oauth spring-security


    【解决方案1】:

    【讨论】:

      【解决方案2】:

      我有一个 oAuth 2.0 的工作项目,包含全部 3 个组件,您可以在 GitHub 上找到它,并附有说明。我支持 spring 3、spring 4 和 spring 5,全部采用 XML 配置。

      例如,对于spring-5,授权服务器是这样配置的:

      <!-- Login pages are served outside the security filter chain (no session handling,
           no CSRF check, no security headers). Chains are matched in declaration order. -->
      <security:http pattern="/login/**" security="none" />
      
      
      <!-- Protect the /oauth/token url to allow only registered clients -->
      <!-- this statement enables the access to /oauth/token. without it we get "cannot access" -->
      <!-- Token endpoint chain: the OAuth client authenticates with HTTP Basic (client-id /
           secret) against clientAuthenticationManager and must hold ROLE_CLIENT. CSRF is off,
           which is usual for a non-browser endpoint that authenticates every request.
           NOTE(review): client secrets travel in the Basic header, so this endpoint should
           only be reachable over TLS (e.g. requires-channel="https" on the intercept-url). -->
      <security:http pattern="/oauth/token"  
          use-expressions="false"
          authentication-manager-ref="clientAuthenticationManager">
          <security:intercept-url pattern="/oauth/token" access="ROLE_CLIENT"/>
          <!-- No anonymous authentication: every request here must carry credentials. -->
          <security:anonymous enabled="false" />
          <security:http-basic />
      
          <security:csrf disabled="true"/>
      
      </security:http>
      
      
      <!-- Catch-all chain for end users (no pattern). auto-config="true" turns on the
           namespace defaults for form login, HTTP Basic and logout. -->
      <security:http auto-config="true" 
          use-expressions="false"
          authentication-manager-ref="usersAuthManager">
          <!-- Presumably the token-signing public key, meant to be readable without logging in.
               NOTE(review): with <security:anonymous enabled="false"/> below there is no
               anonymous Authentication for an unauthenticated request to satisfy
               IS_AUTHENTICATED_ANONYMOUSLY; verify /publicKey is actually reachable anonymously. -->
          <security:intercept-url pattern="/publicKey" access="IS_AUTHENTICATED_ANONYMOUSLY" />
          <security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
          <!-- Everything else needs ROLE_ADMIN; the sample users declared below only carry
               ROLE_USER, so for them only /publicKey and /oauth/** are reachable. -->
          <security:intercept-url pattern="/**" access="ROLE_ADMIN" />
      
          <security:form-login 
              login-page="/login/login.htm" 
              login-processing-url="/j_spring_security_check"
              authentication-success-handler-ref="authenticationSuccessHandler"
              authentication-failure-url="/login/login.htm?login_error=1" />
      
      
          <security:anonymous enabled="false"/>
          <!-- NOTE(review): CSRF protection is disabled on this browser/form-login chain too,
               so state-changing requests made from a logged-in session are not protected
               against cross-site requests; confirm that is intended. -->
          <security:csrf disabled="true"/>
      
          <!-- The two lines below are commented out and therefore inactive. -->
          <!-- >security:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" /-->
          <!-- security:access-denied-handler ref="oauthAccessDeniedHandler" /-->
      
      </security:http>
      
      
      
      <!-- Spring MVC view resolver: a logical view name "x" maps to /WEB-INF/jsp/x.jsp.
           Not security-related. -->
      <bean id="viewResolver"
          class="org.springframework.web.servlet.view.InternalResourceViewResolver">
          <property name="prefix" value="/WEB-INF/jsp/" />
          <property name="suffix" value=".jsp" />
      </bean>
      
      <!-- Authentication manager for end users, backed by the in-memory user service below.
           Declared with alias= instead of id=; a comment further down this page reports that
           running it next to clientAuthenticationManager only worked after switching to id=. -->
      <security:authentication-manager alias="usersAuthManager">
          <security:authentication-provider user-service-ref="userDetailsService"/>
      </security:authentication-manager>
      
      <!-- Sample accounts with plaintext passwords. NOTE(review): the passwordEncoder bean
           declared later in this file is not wired to this provider in the visible excerpt,
           so confirm how these passwords are actually compared before reusing this setup. -->
      <security:user-service id="userDetailsService">
                  <security:user name="user@ohadr.com" password="uripass" authorities="ROLE_USER" />
                  <security:user name="demo@ohadr.com" password="demo" authorities="ROLE_USER" />
      </security:user-service>
      
      
      <!-- OAuth2 Configuration -->
      <!-- Authorization server: client registrations come from clientDetails, tokens from
           myAuthorizationServerTokenServices. All five grant types are enabled server-wide;
           a client can only use those listed in its own authorized-grant-types.
           NOTE(review): the approval handler's name suggests consent is granted automatically,
           which would mean users never see an approval page for any registered client;
           confirm that is acceptable for every client in clientDetails. -->
      <oauth:authorization-server
          client-details-service-ref="clientDetails" 
          token-services-ref="myAuthorizationServerTokenServices"
          user-approval-handler-ref="automaticUserApprovalHandler">
          <oauth:authorization-code />
          <oauth:implicit />
          <oauth:refresh-token />
          <oauth:client-credentials />
          <oauth:password />
      </oauth:authorization-server>
      
      <!-- Authentication manager used by the /oauth/token chain: authenticates OAuth clients
           (client-id / secret sent via HTTP Basic) against the client registrations. -->
      <security:authentication-manager id="clientAuthenticationManager">
          <security:authentication-provider user-service-ref="clientDetailsUserService" />
      </security:authentication-manager>
      
      <!-- Adapter that exposes the client-details service as a UserDetailsService so the
           standard authentication provider above can verify client secrets. -->
      <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
          <constructor-arg ref="clientDetails" />
      </bean>
      
      <!-- Single registered client. Its id and secret are property placeholders, so the
           secret stays out of this file. ROLE_CLIENT matches the access rule on /oauth/token.
           Only authorization_code and refresh_token are allowed for this client even though
           the server enables more grant types. -->
      <oauth:client-details-service id="clientDetails">
          <oauth:client client-id="${com.ohadr.oauth2.client.name}"
              secret="${com.ohadr.oauth2.client.secret}" 
              scope="read,write,trust"
              authorized-grant-types="authorization_code,refresh_token" 
              authorities="ROLE_CLIENT"/>
      </oauth:client-details-service>
      
      
      <!-- SHA-256 password encoder from the legacy
           org.springframework.security.authentication.encoding package; it hashes without a
           salt unless a salt source is supplied to the provider.
           NOTE(review): that package is deprecated in later Spring Security releases in favour
           of org.springframework.security.crypto.password (e.g. BCryptPasswordEncoder), and
           this bean is not referenced anywhere in the visible excerpt; confirm which
           authentication provider uses it. -->
      <bean id="passwordEncoder"  class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
          <constructor-arg value="256"/>
      </bean>
      

      ...

      【讨论】:

      • 使用你的配置后,我的身份验证管理器搞砸了用户身份验证管理器和客户端身份验证管理器。
      • 您是否尝试查看答案中的 github 链接?
      • 我现在通过将 <security:authentication-manager alias=".."> 改为 <security:authentication-manager id=".."> 解决了这个问题。无论如何,谢谢你,你的例子很有帮助。 :)
      • 还有一个问题,当我用这个 url http://localhost/resources/login?code=2ZNIV7&state=qNSqLA3QDagJl4fZovBZjNF2oNe0Ri-KaQ2EjiOIGAk%3D 重定向回来后,我还应该实现什么?
      • “必须实施”是什么意思?重定向回来是使用令牌调用资源服务器...