关于spring-oauth2的笔记

一直很困惑这种 spring security 的链式 httpSecurity 怎么配置，以下是笔记

来自 stackoverflow

// NOTE(review): csrf().disable() turns off CSRF token checking for every request this
// chain handles; state-changing endpoints are then guarded by the authentication rule alone.
http
.csrf().disable()
.authorizeRequests()
// "/shutdown" is reachable without any authentication — confirm this path is meant to be public.
.antMatchers( "/shutdown").permitAll()
// Everything else needs an authenticated principal.
.anyRequest().authenticated()
.and()
// Custom login page; the form POSTs to /login and failures go back to the same page.
.formLogin()
.loginPage( "/authentication.html")
.loginProcessingUrl( "/login")
.failureUrl( "/authentication.html")
// The login page and its processing URL themselves are open to everyone.
.permitAll();

自定义一个RequestMatcher

@Override
public void configure(HttpSecurity http) throws Exception
{
    // This filter chain only applies to requests the matcher recognises as carrying
    // OAuth2 credentials (Bearer header or access_token parameter); other requests
    // fall through to the next configured chain.
    http.requestMatcher(new OAuth2RequestedMatcher());

    // Within this chain "/api/**" is open to every matched request; anything else
    // the chain handles must be authenticated.
    http.authorizeRequests()
        .antMatchers("/api/**").permitAll()
        .anyRequest().authenticated();
}


/**
 * Selects requests that present OAuth2 credentials, so that a dedicated
 * filter chain can be attached to them.
 *
 * A request matches when either the {@code Authorization} header starts with
 * {@code Bearer}, or an {@code access_token} request parameter is present.
 * Note the prefix check has no trailing space and is case-sensitive: a header
 * value such as {@code Bearerxyz} also matches, while {@code bearer ...} does not.
 */
private static class OAuth2RequestedMatcher implements RequestMatcher
{
    private static final String AUTH_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer";
    private static final String TOKEN_PARAM = "access_token";

    @Override
    public boolean matches(HttpServletRequest request)
    {
        // Both sources are always inspected, as in the original form.
        boolean bearerHeader = hasBearerHeader(request);
        boolean tokenParam = request.getParameter(TOKEN_PARAM) != null;
        return bearerHeader || tokenParam;
    }

    /** True when the Authorization header is present and begins with "Bearer". */
    private static boolean hasBearerHeader(HttpServletRequest request)
    {
        String auth = request.getHeader(AUTH_HEADER);
        return auth != null && auth.startsWith(BEARER_PREFIX);
    }
}

来自:http://www.cnblogs.com/davidwang456/p/4549344.html

匿名用户控制:

/**
 * Sample configuration showing how the anonymous principal can be customised.
 *
 * "/" requires ROLE_USER, login is the default form login, and callers that have
 * not authenticated are represented as an anonymous user carrying ROLE_ANON.
 */
@Configuration
@EnableWebSecurity
public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter
{

    /**
     * HTTP rules for this chain.
     *
     * @param http the builder for the security filter chain
     * @throws Exception propagated from the Spring Security configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        // Only "/" carries an access rule here; paths with no rule are not
        // constrained by this chain.
        http.authorizeRequests()
            .antMatchers("/").hasRole("USER");

        http.formLogin();

        // Anonymous requests still get a principal, but with ROLE_ANON rather
        // than the framework default.
        http.anonymous()
            .authorities("ROLE_ANON");
    }

    /**
     * A single in-memory demo account.
     *
     * @param auth the authentication manager builder to register users with
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        // NOTE(review): the password is a plain literal with no encoder id prefix;
        // Spring Security 5+ rejects this unless a PasswordEncoder is configured —
        // confirm against the version in use. Demo credentials only.
        auth.inMemoryAuthentication()
            .withUser("user")
            .password("password")
            .roles("USER");
    }
}




/**
 * Three ordered filter chains (index page, /html/**, /ajax/**) sharing one
 * LDAP-backed authentication manager.
 */
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig
{

    /**
     * Registers an LDAP bind-authentication provider on the shared builder.
     *
     * The user DN is derived from the login name via {@code uid={0},ou=people};
     * authorities are the {@code cn} of every group under {@code ou=groups} whose
     * {@code uniqueMember} lists the user.
     *
     * @param auth the global authentication manager builder
     * @throws Exception propagated from the LDAP components' initialisation
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
    {
        // NOTE(review): the bind DN and password are literals in source and the URL
        // is plain ldap://, so the admin credential travels unencrypted unless the
        // connection is upgraded; move both to externalised configuration.
        DefaultSpringSecurityContextSource ldap = new DefaultSpringSecurityContextSource(
            "ldap://127.0.0.1:389/dc=mycompany,dc=com");
        ldap.setUserDn("cn=admin,dc=mycompany,dc=com");
        ldap.setPassword("admin");
        ldap.afterPropertiesSet();

        // A bind with the user's own password is the credential check.
        BindAuthenticator bindAuth = new BindAuthenticator(ldap);
        bindAuth.setUserDnPatterns(new String[] { "uid={0},ou=people" });

        DefaultLdapAuthoritiesPopulator groups = new DefaultLdapAuthoritiesPopulator(ldap, "ou=groups");
        groups.setGroupRoleAttribute("cn");
        groups.setGroupSearchFilter("uniqueMember={0}");

        auth.authenticationProvider(new LdapAuthenticationProvider(bindAuth, groups));
    }

    /** Chain 1: the index page only enables the anonymous principal; no access rule is set. */
    @Configuration
    @Order(1)
    public static class IndexSecurityConfig extends WebSecurityConfigurerAdapter
    {
        @Override
        public void configure(HttpSecurity http) throws Exception
        {
            http.antMatcher("/index.jsp");
            http.anonymous();
        }
    }

    /** Chain 2: form login for everything under /html/**. */
    @Configuration
    @Order(2)
    public static class HtmlSecurityConfig extends WebSecurityConfigurerAdapter
    {
        @Override
        public void configure(HttpSecurity http) throws Exception
        {
            http.antMatcher("/html/**");

            // NOTE(review): "/html/forbidden.html" is also listed in configure(WebSecurity)
            // under ignoring(), which keeps it out of the filter chain entirely — the
            // authenticated() rule below therefore never applies to it. Keep one or the other.
            http.authorizeRequests()
                .antMatchers("/html/submit.jsp").hasRole("BLACK")
                .antMatchers("/html/forbidden.html").authenticated();

            http.formLogin()
                .loginPage("/html/login.jsp")
                .loginProcessingUrl("/html/login")
                .defaultSuccessUrl("/index.jsp")
                .permitAll();

            http.logout()
                .logoutUrl("/html/logout");

            http.exceptionHandling()
                .accessDeniedPage("/html/403.jsp");
        }

        /** Paths excluded from the security filters altogether. */
        @Override
        public void configure(WebSecurity web)
        {
            web.ignoring().antMatchers("/html/forbidden.html");
        }
    }

    /** Chain 3: HTTP Basic for /ajax/**, every request needs ROLE_RED. */
    @Configuration
    @Order(3)
    public static class AjaxSecurityConfig extends WebSecurityConfigurerAdapter
    {
        @Override
        public void configure(HttpSecurity http) throws Exception
        {
            http.antMatcher("/ajax/**");

            http.authorizeRequests()
                .anyRequest().hasRole("RED");

            http.httpBasic();
        }
    }
}

http://www.tuicool.com/articles/uqAR3m6
