【Posted】: 2016-04-25 00:13:37
【Problem description】:
Suppose I have configured two API resources with different URLs:
- /api/secure/**
- /api/admin/**
@Override
public void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            .authenticationEntryPoint(customAuthenticationEntryPoint)
        .and()
            .logout()
            .logoutUrl("/oauth/logout")
            .logoutSuccessHandler(customLogoutSuccessHandler)
        .and()
            .csrf()
            .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
            .disable()   // CSRF is disabled entirely here, so the matcher above has no effect
        .headers()
            .frameOptions()
            .disable()
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)   // no HTTP session; every request carries a token
        .and()
            .authorizeRequests()
            .antMatchers("/api/secure/**").hasAnyAuthority(Authorities.ROLE_USER.name(), Authorities.ROLE_ADMIN.name())
            // note: this pattern is /admin/**, not the /api/admin/** listed above
            .antMatchers("/admin/**").hasAnyAuthority(Authorities.ROLE_ADMIN.name());
}
I have configured the timeouts as:
- refresh token: 1 day;
- access token: 30 minutes;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("client01")
        .secret("pass")
        .refreshTokenValiditySeconds(24 * 60 * 60)   // 1 day
        .accessTokenValiditySeconds(30 * 60)         // 30 minutes
        .scopes("read", "write")
        .authorities(Authorities.ROLE_USER.name(), Authorities.ROLE_ADMIN.name(), Authorities.ROLE_SUPERADMIN.name())
        .authorizedGrantTypes("password", "refresh_token");
}
How can I set different timeouts for /api/secure/** (as above) and for /api/admin/** (refreshToken: 20 minutes, accessToken: 10 seconds)?
【Discussion】:
Tags: spring-boot oauth-2.0 settimeout
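In Spring Security OAuth2 the validity period belongs to the token, which is minted by the authorization server for a client, not to the URL the token is later presented at. A resource server cannot shorten a token it did not issue. One way to get the two lifetimes the question asks for is therefore to tie them to a scope: tokens requested with an (assumed) "admin" scope get the 10 s / 20 min lifetimes, everything else keeps the client defaults, and /api/admin/** additionally requires that scope so a long-lived read/write token is rejected there. The following is an added example, not the asker's code; the class name ScopeAwareTokenServices, the scope name "admin", and the bean names tokenStore, clientDetailsService and authenticationManager are assumptions. It overrides the two protected lifetime hooks that DefaultTokenServices exposes.

```java
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;

/** Hypothetical token services: token lifetime depends on the requested scope. */
class ScopeAwareTokenServices extends DefaultTokenServices {

    static final String ADMIN_SCOPE = "admin";         // assumed scope name
    static final int ADMIN_ACCESS_SECONDS = 10;        // value from the question
    static final int ADMIN_REFRESH_SECONDS = 20 * 60;  // value from the question

    @Override
    protected int getAccessTokenValiditySeconds(OAuth2Request clientAuth) {
        // fall back to the per-client value (30 min here) for non-admin requests
        return isAdminRequest(clientAuth) ? ADMIN_ACCESS_SECONDS
                                          : super.getAccessTokenValiditySeconds(clientAuth);
    }

    @Override
    protected int getRefreshTokenValiditySeconds(OAuth2Request clientAuth) {
        // also applied when a refresh token is rotated on /oauth/token
        return isAdminRequest(clientAuth) ? ADMIN_REFRESH_SECONDS
                                          : super.getRefreshTokenValiditySeconds(clientAuth);
    }

    private static boolean isAdminRequest(OAuth2Request clientAuth) {
        Set<String> scope = clientAuth == null ? null : clientAuth.getScope();
        return scope != null && scope.contains(ADMIN_SCOPE);
    }
}

/** Authorization server wiring (assumed bean names). */
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired private TokenStore tokenStore;
    @Autowired private ClientDetailsService clientDetailsService;
    @Autowired private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client01")
            .secret("pass")
            .refreshTokenValiditySeconds(24 * 60 * 60)   // default: 1 day
            .accessTokenValiditySeconds(30 * 60)         // default: 30 minutes
            .scopes("read", "write", ADMIN_SCOPE_FOR_CLIENT) // client must be allowed to ask for "admin"
            .authorizedGrantTypes("password", "refresh_token");
    }

    private static final String ADMIN_SCOPE_FOR_CLIENT = ScopeAwareTokenServices.ADMIN_SCOPE;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        ScopeAwareTokenServices services = new ScopeAwareTokenServices();
        services.setTokenStore(tokenStore);
        services.setClientDetailsService(clientDetailsService);
        services.setSupportRefreshToken(true);
        endpoints.tokenStore(tokenStore)
                 .tokenServices(services)
                 .authenticationManager(authenticationManager);
    }
}

/** Resource server: /api/admin/** accepts only tokens that carry the short-lived scope. */
class ResourceConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/secure/**").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
            // without the scope check a 30-minute read/write token would be valid here too
            .antMatchers("/api/admin/**").access("#oauth2.hasScope('admin') and hasAuthority('ROLE_ADMIN')");
    }
}
```

A client obtains the short-lived token by sending scope=admin on the /oauth/token request; tokens issued without that scope keep the 30 min / 1 day lifetimes and are refused on /api/admin/**. Whether a 10 s access token is practical depends on how quickly callers can refresh, since each refresh hits the token endpoint and the token store.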