[Update] A Spring Security configuration file covering: OAuth 2.0 with RSA JWT (JSON Web Token, RSA-signed), HTTP Basic, local database authentication, Windows domain (LDAP) authentication, and single sign-on (CAS)

2022-12-04

No comments at all; don't blame me (¬_¬)

Updates:

2016.05.29: Split the AuthorizationServer and ResourceServer into separate configurations

2016.05.29: The client authenticates at the token endpoint with HTTP Basic, in line with RFC 6749

2016.05.29: grant_type supports authorization_code, password and refresh_token

2016.05.27: Added the security configuration for REST services

2016.05.27: Either OAuth 2.0 with RSA JWT (JSON Web Token, RSA-signed) or HTTP Basic can be selected

2016.05.27: Both REST and web security can be switched off from the configuration file

Note for anyone reusing this today: the oauth2 namespace below comes from the Spring Security OAuth project, which reached end of life in 2022 and no longer receives security fixes. The structure (an authorization server that signs tokens, a resource server that only verifies them, scope-based access decisions) carries over to its replacements; the XML itself does not.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/security/oauth2
        http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <!-- Beans used below but defined elsewhere in the application context (not on this page):
         clientDetailsService, userDetailsService, passwordEncoder,
         jwtSigningKey (RSA private key, PEM) and jwtVerifierKey (RSA public key, PEM). -->

    <global-method-security pre-post-annotations="enabled" order="0" proxy-target-class="true" />

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!-- Static resources bypass the security filter chain completely. -->
    <http security="none" pattern="/resources/**" />
    <http security="none" pattern="/favicon.ico" />

    <!-- ========== OAuth 2.0 authorization server: issues RSA-signed JWT access tokens ========== -->
    <beans:beans profile="oauth-authorization-server">

        <!-- Signs tokens with the private key (RS256) and can read them back with the public key. -->
        <beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter"
            class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter">
            <beans:property name="signingKey" ref="jwtSigningKey" />
            <beans:property name="verifierKey" ref="jwtVerifierKey" />
        </beans:bean>

        <!-- JwtTokenStore stores nothing: the token carries its own state, so there is no server-side revocation. -->
        <beans:bean id="oauth2AuthorizationServerTokenStore"
            class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore">
            <beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
        </beans:bean>

        <beans:bean id="oauth2AuthorizationServerTokenServices"
            class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
            <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
            <beans:property name="supportRefreshToken" value="true" />
        </beans:bean>

        <!-- Lets registered OAuth clients authenticate with client_id/client_secret like ordinary users. -->
        <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
            class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
            <beans:constructor-arg ref="clientDetailsService" />
            <beans:property name="passwordEncoder" ref="passwordEncoder" />
        </beans:bean>

        <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
            class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

        <!-- Separate manager for client authentication on the token endpoint; user login uses the web chain's manager. -->
        <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
            <authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
        </authentication-manager>

        <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
            class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
            <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="requestFactory">
                <beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
                    <beans:constructor-arg ref="clientDetailsService" />
                </beans:bean>
            </beans:property>
        </beans:bean>

        <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
            class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

        <oauth2:authorization-server
            token-services-ref="oauth2AuthorizationServerTokenServices"
            client-details-service-ref="clientDetailsService"
            user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
            user-approval-page="oauth/authorize"
            error-page="oauth/error">
            <oauth2:authorization-code />
            <!--<oauth2:implicit />-->
            <oauth2:refresh-token />
            <!--<oauth2:client-credentials />-->
            <!-- Resource Owner Password grant: the client handles the user's password, which is why the
                 OAuth 2.0 Security Best Current Practice advises against it. Keep it only for legacy first-party clients. -->
            <oauth2:password />
        </oauth2:authorization-server>

        <!-- Token endpoint. The client authenticates with HTTP Basic (client_id:client_secret) as in
             RFC 6749 section 2.3.1. Stateless with CSRF off is correct here: no cookie or session is involved. -->
        <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
            authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
            entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
            <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />
            <http-basic />
            <access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler" />
            <csrf disabled="true" />
        </http>
    </beans:beans>

    <!-- ========== OAuth 2.0 resource server: verifies RSA-signed JWTs with the public key only ========== -->
    <beans:beans profile="rest-security-oauth,oauth-resource-server">

        <!-- Only the verifier (public) key: the resource server never signs tokens. -->
        <beans:bean id="oauth2ResourceServerJwtAccessTokenConverter"
            class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter">
            <beans:property name="verifierKey" ref="jwtVerifierKey" />
        </beans:bean>

        <beans:bean id="oauth2ResourceServerTokenStore"
            class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore">
            <beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter" />
        </beans:bean>

        <beans:bean id="oauth2ResourceServerTokenServices"
            class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
            <beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
            <beans:property name="clientDetailsService" ref="clientDetailsService" />
            <beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
            <beans:property name="supportRefreshToken" value="true" />
        </beans:bean>

        <!-- UnanimousBased with the default allowIfAllAbstainDecisions=false: one DENIED vote denies,
             and a request is also denied when every voter abstains. ScopeVoter handles SCOPE_* attributes,
             AuthenticatedVoter handles IS_AUTHENTICATED_*; no other attribute is supported. -->
        <beans:bean id="oauth2ResourceServerAccessDecisionManager"
            class="org.springframework.security.access.vote.UnanimousBased">
            <beans:constructor-arg>
                <beans:list>
                    <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                    <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                </beans:list>
            </beans:constructor-arg>
        </beans:bean>

        <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
            class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

        <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
            class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

        <!-- Tokens whose aud claim does not contain this resource-id are rejected even when the signature is valid. -->
        <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}"
            token-services-ref="oauth2ResourceServerTokenServices" />

        <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
            entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
            access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager">
            <!-- The first matching pattern wins, so the specific rules must stay above the catch-all. -->
            <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY" />
            <intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY" />
            <!-- DENY_OAUTH is not a real attribute: no voter supports it, both abstain, and UnanimousBased
                 denies. Anything under ${rest.rooturl} not listed above is therefore refused. -->
            <intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH" />
            <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER" />
            <access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler" />
            <csrf disabled="true" />
        </http>
    </beans:beans>

    <!-- ========== REST secured with HTTP Basic (credentials on every request, so TLS is mandatory) ========== -->
    <beans:beans profile="rest-security-basic">
        <http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
            <intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()" />
            <http-basic />
            <csrf disabled="true" />
        </http>
    </beans:beans>

    <beans:beans profile="rest-security-none">
        <http security="none" pattern="${rest.rooturl}/**" />
    </beans:beans>

    <beans:beans profile="web-security-none">
        <http security="none" pattern="/**" />
    </beans:beans>

    <!-- ========== Web UI: form login backed by the local database or by LDAP (Windows domain) ========== -->
    <beans:beans profile="web-security-local,web-security-ldap">
        <http use-expressions="true">
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/login/**" access="permitAll" />
            <intercept-url pattern="/logout" access="permitAll" />
            <!-- /oauth/authorize needs a logged-in user; /oauth/token has its own chain above. -->
            <intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
            <intercept-url pattern="/**" access="isFullyAuthenticated()" />
            <form-login login-page="/login" login-processing-url="/login"
                authentication-failure-url="/login?error"
                default-target-url="/" username-parameter="username"
                password-parameter="password" />
            <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                invalidate-session="true" delete-cookies="JSESSIONID" />
            <!-- migrateSession issues a fresh session id at login (session fixation defence);
                 one session per user, and a new login expires the older one. -->
            <session-management invalid-session-url="/login"
                session-fixation-protection="migrateSession">
                <concurrency-control max-sessions="1"
                    error-if-maximum-exceeded="false"
                    session-registry-ref="sessionRegistry" />
            </session-management>
            <!-- CAUTION: this chain is cookie/session based, so disabling CSRF exposes every state-changing
                 request (the consent POST to /oauth/authorize included) to cross-site request forgery.
                 Spring Security 4 enables CSRF by default: remove this element and put the _csrf token
                 in the login, logout and approval forms instead. -->
            <csrf disabled="true" />
        </http>
    </beans:beans>

    <beans:beans profile="web-security-local">
        <authentication-manager>
            <authentication-provider user-service-ref="userDetailsService">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

    <beans:beans profile="web-security-ldap">
        <authentication-manager>
            <authentication-provider ref="ldapAuthenticationProvider" />
        </authentication-manager>

        <beans:bean id="ldapAuthenticationProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
            <beans:constructor-arg index="0" ref="ldapAuthenticator" />
            <beans:constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
        </beans:bean>

        <!-- Bind authentication: the user's DN is found with the service account, then a bind with the
             user's own password proves it. No password hashes are ever read from the directory. -->
        <beans:bean id="ldapAuthenticator"
            class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="ldapContextSource" />
            <beans:property name="userSearch" ref="ldapUserSearch" />
        </beans:bean>

        <beans:bean id="ldapUserSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <beans:constructor-arg index="0" value="${ldap.searchBase}" />
            <beans:constructor-arg index="1" value="${ldap.searchFilter}" />
            <beans:constructor-arg index="2" ref="ldapContextSource" />
        </beans:bean>

        <!-- Service account used for the user search. Use an ldaps:// URL so neither its password
             nor the users' passwords travel in clear text. -->
        <beans:bean id="ldapContextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <beans:constructor-arg value="${ldap.url}" />
            <beans:property name="userDn" value="${ldap.userDN}" />
            <beans:property name="password" value="${ldap.password}" />
        </beans:bean>

        <!-- Roles still come from the local userDetailsService; LDAP only verifies the password.
             A user therefore has to exist in both places to log in. -->
        <beans:bean id="ldapAuthoritiesPopulator"
            class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="userDetailsService" />
        </beans:bean>
    </beans:beans>

    <!-- ========== Web UI: single sign-on through a CAS server ========== -->
    <beans:beans profile="web-security-cas">
        <http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
            <intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
            <intercept-url pattern="/logout" access="permitAll" />
            <intercept-url pattern="/**" access="isFullyAuthenticated()" />
            <custom-filter position="CAS_FILTER" ref="casFilter" />
            <custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
            <custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
            <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                invalidate-session="true" delete-cookies="JSESSIONID" />
            <session-management invalid-session-url="/login"
                session-fixation-protection="migrateSession">
                <concurrency-control max-sessions="1"
                    error-if-maximum-exceeded="false" />
            </session-management>
            <!-- Same caveat as the form-login chain: session based, so CSRF should stay enabled. -->
            <csrf disabled="true" />
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="casAuthenticationProvider" />
        </authentication-manager>

        <!-- The service URL CAS redirects back to with the ticket; ticket validation is bound to it. -->
        <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
            <beans:property name="service" value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
            <beans:property name="sendRenew" value="false" />
        </beans:bean>

        <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
            <beans:property name="loginUrl" value="${cas.loginUrl}" />
            <beans:property name="serviceProperties" ref="serviceProperties" />
        </beans:bean>

        <!-- Validates the service ticket against the CAS server (CAS 2.0 protocol), then loads roles from
             the local userDetailsService. Validation is a server-to-server call, so ${cas.url} should be https. -->
        <beans:bean id="casAuthenticationProvider"
            class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
            <beans:property name="userDetailsService" ref="userDetailsService" />
            <beans:property name="serviceProperties" ref="serviceProperties" />
            <beans:property name="ticketValidator">
                <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                    <beans:constructor-arg index="0" value="${cas.url}" />
                </beans:bean>
            </beans:property>
            <!-- Identifies authentication tokens produced by this provider; any unique string will do. -->
            <beans:property name="key" value="an_id_for_this_auth_provider_only" />
        </beans:bean>

        <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
        </beans:bean>

        <!-- Handles single-logout requests pushed by the CAS server (invalidates the local session). -->
        <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

        <!-- Local /logout clears the security context, then sends the browser to the CAS logout URL. -->
        <beans:bean id="requestSingleLogoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
            <beans:constructor-arg value="${cas.logoutUrl}" />
            <beans:constructor-arg>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </beans:constructor-arg>
            <beans:property name="filterProcessesUrl" value="/logout" />
        </beans:bean>
    </beans:beans>
</beans:beans>
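The decision the resource-server chain makes for a request is hard to read off the XML alone: with use-expressions="false" and a UnanimousBased manager, the outcome depends on which voter supports which attribute, and the DENY_OAUTH catch-all works only because no voter supports it. The following is an added example, not code from the original page and not Spring Security's own implementation: a small Python model of the two voters and the three intercept-url rules, with ${rest.rooturl} assumed to be /rs as in the properties file and the Ant matcher reduced to what those rules need.

```python
"""Added example: a Python model of the resource-server access decision in the
XML above (not Spring Security's code). ${rest.rooturl} is assumed to be /rs, as
in the properties file; the Ant matcher is reduced to what the three rules need."""
from dataclasses import dataclass

GRANTED, DENIED, ABSTAIN = 1, -1, 0
REST_ROOT = "/rs"

# Same order as the <intercept-url> elements: the first matching pattern decides.
INTERCEPT_URLS = [
    (REST_ROOT + "/security/**", "SCOPE_SECURITY"),
    (REST_ROOT + "/demo/**", "IS_AUTHENTICATED_FULLY"),
    (REST_ROOT + "/**", "DENY_OAUTH"),
]


@dataclass(frozen=True)
class OAuth2Authentication:
    """What the oauth2ResourceServerFilter leaves in the SecurityContext."""
    scopes: frozenset
    fully_authenticated: bool = True  # False models anonymous / remember-me


def ant_match(pattern: str, path: str) -> bool:
    """'prefix/**' matches the prefix itself and anything below it; else literal."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern


def scope_voter(auth: OAuth2Authentication, attribute: str) -> int:
    """ScopeVoter: supports only SCOPE_* attributes (compared case-insensitively);
    grants if the token carries that scope, otherwise denies."""
    wanted = attribute.upper()
    if not wanted.startswith("SCOPE_"):
        return ABSTAIN
    return GRANTED if any(("SCOPE_" + s).upper() == wanted for s in auth.scopes) else DENIED


def authenticated_voter(auth: OAuth2Authentication, attribute: str) -> int:
    """AuthenticatedVoter, reduced to the IS_AUTHENTICATED_FULLY attribute."""
    if attribute != "IS_AUTHENTICATED_FULLY":
        return ABSTAIN
    return GRANTED if auth.fully_authenticated else DENIED


VOTERS = (scope_voter, authenticated_voter)


def unanimous_decide(auth: OAuth2Authentication, attribute: str) -> bool:
    """UnanimousBased with its default allowIfAllAbstainDecisions=false: a single
    DENIED vote denies, and so does a round in which nobody voted GRANTED.
    DENY_OAUTH is supported by neither voter, so it can never be granted."""
    grants = 0
    for voter in VOTERS:
        vote = voter(auth, attribute)
        if vote == DENIED:
            return False
        if vote == GRANTED:
            grants += 1
    return grants > 0


def is_allowed(auth: OAuth2Authentication, path: str) -> bool:
    """Pick the first matching rule (FilterSecurityInterceptor order) and decide."""
    for pattern, attribute in INTERCEPT_URLS:
        if ant_match(pattern, path):
            return unanimous_decide(auth, attribute)
    return True  # not under ${rest.rooturl}/**: this filter chain does not apply


if __name__ == "__main__":
    admin = OAuth2Authentication(frozenset({"security", "read"}))
    reader = OAuth2Authentication(frozenset({"read"}))
    for name, auth in (("admin", admin), ("reader", reader)):
        for path in ("/rs/security/users", "/rs/demo/hello", "/rs/other/x"):
            print(f"{name:6} {path:18} -> {'allow' if is_allowed(auth, path) else 'deny'}")
```

Running it shows that a token with the security scope reaches /rs/security/**, any fully authenticated token reaches /rs/demo/**, and nothing at all reaches the rest of /rs, whatever its scopes: a fail-closed default that is worth keeping when new endpoints are added above it.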

Accompanying properties file. The values mirror the profile suffixes in the XML above (web-security-local, rest-security-oauth, and so on); the code that turns them into active Spring profiles is not part of this page, and the oauth-authorization-server profile has no corresponding property here.

#WEB_CONFIG
##Set the WEB authentication type: none || local || ldap || cas
##(corresponds to the web-security-<type> profile in the XML)
web.authenticationType=local

#REST_CONFIG
##Root URL of the REST requests; must NOT end with '/' or '*', e.g. '/webservice/rest' for 'http://example.com/webservice/rest/*'
rest.rooturl=/rs
##Set the REST authentication type: none || oauth || basic
##(corresponds to the rest-security-<type> profile in the XML)
rest.authenticationType=oauth

#OAUTH_CONFIG
##Must appear in the aud claim of every access token this resource server accepts
oauth.resourceId=DEMO
##RSA key pair: the private key signs tokens (authorization server), the public key verifies them (resource server).
##Only the public key belongs on resource servers.
oauth.jwtVerifierKeyFile=jwtPubKey.pem
oauth.jwtSigningKeyFile=jwtPrivKey.pem

#CAS_CONFIG
cas.localSystemUrl=http://www.example.com
cas.localSystemLoginUrl=/j_spring_security_cas_check
cas.url=http://cas.server.com/cas
cas.loginUrl=http://cas.server.com/cas/login
cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage

#LDAP_CONFIG
##Prefer ldaps:// (port 636): over plain ldap:// the service account password and every user password cross the network in clear text
ldap.url=ldap://ldap.server.com:389/
ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
##Secret: keep it out of source control (inject it from the environment or a vault)
ldap.password=XXX
ldap.searchBase=OU=XXX,DC=server,DC=com
ldap.searchFilter=(sAMAccountName={0})
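The two key files and oauth.resourceId above feed the JwtAccessTokenConverter and resource-server beans in the XML. To make concrete what the authorization server signs and what the resource server checks before a request ever reaches the voters, here is an added example, not code from this page and not Spring Security OAuth's implementation: pure standard-library Python RS256 (PKCS#1 v1.5 over SHA-256) signing and verification of an access token carrying the claims the converter emits (aud, scope, exp, client_id, user_name, jti), followed by the expiry and resource-id checks. The in-script RSA key generation is a toy stand-in for the openssl-generated jwtPrivKey.pem / jwtPubKey.pem; the claim names are the converter's, the function names and the sample client and user are assumptions.

```python
"""Added example: what the authorization server signs and the resource server
verifies. Standard library only; the RSA key generation is a demo stand-in for
the openssl-generated jwtPrivKey.pem / jwtPubKey.pem named in the properties."""
import base64, hashlib, hmac, json, secrets, time

# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; good enough for a demo key, not for production key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits=1024):
    """Returns (public, private) as ((n, e), (n, d)). Real deployments: 2048+ bits from openssl."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(priv, *, client_id, user_name, scopes, resource_ids, ttl=3600):
    """Authorization-server side; claim names are the ones JwtAccessTokenConverter emits."""
    header = b64url(b'{"alg":"RS256","typ":"JWT"}')
    claims = {"aud": list(resource_ids), "scope": list(scopes), "exp": int(time.time()) + ttl,
              "client_id": client_id, "user_name": user_name, "jti": secrets.token_hex(16)}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}." + b64url(rs256_sign(priv, f"{header}.{body}".encode()))

def load_authentication(pub, token, resource_id, now=None):
    """Resource-server side (JwtTokenStore + DefaultTokenServices + OAuth2AuthenticationManager):
    signature with the verifier key, then expiry, then aud must contain our resource-id.
    Returns (claims, None) on success, (None, reason) otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "RS256":
        return None, "unexpected alg"  # never accept 'none' or an HMAC alg against an RSA key
    if not rs256_verify(pub, f"{head}.{body}".encode(), b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None, "expired"
    if resource_id not in claims.get("aud", []):
        return None, "invalid resource id"  # issued for a different resource server
    return claims, None

if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    token = issue_access_token(priv, client_id="demo-client", user_name="alice",
                               scopes=["read", "security"], resource_ids=["DEMO"])
    print(load_authentication(pub, token, "DEMO"))   # (claims, None)
    print(load_authentication(pub, token, "OTHER"))  # (None, 'invalid resource id')
```

The order of the checks is the point: the signature is verified before any claim is trusted, the alg header is pinned to RS256 so a token re-signed as HMAC with the public key or marked alg=none is refused, and a valid token for another resource id is still rejected, which is exactly what the resource-id attribute on the oauth2:resource-server element buys you.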
