Path to architect-How to Build Secure Access to rest interfaces (dubbox + oatuh2 + rest) and dubboxoatuh2
Create the database and data table structure required for oau22.
Create schema if not exists 'oss 2' default character set utf8;
USE 'oss 2 ';
-------------------------------------------------------
-- Table 'oss 2'. 'clientdetails'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'clientdetails '(
'Appid 'VARCHAR (128) not null,
'Resourceid' VARCHAR (256) null default null,
'Appsecret' VARCHAR (256) null default null,
'Scope 'VARCHAR (256) null default null,
'Granttypes 'VARCHAR (256) null default null,
'Redirecturl' VARCHAR (256) null default null,
'Authorities 'VARCHAR (256) null default null,
'Access _ token_validity 'INT (11) null default null,
'Refresh _ token_validity 'INT (11) null default null,
'Additionalinformation' VARCHAR (4096) null default null,
'Autoapprovescopes' VARCHAR (256) null default null,
Primary key ('appid '))
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ access_token'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ access_token '(
'Token _ id' VARCHAR (256) null default null,
'Token' blob null default null,
'Authentication _ id' VARCHAR (128) not null,
'User _ name' VARCHAR (256) null default null,
'Client _ id' VARCHAR (256) null default null,
'Authentication 'blob null default null,
'Refresh _ token' VARCHAR (256) null default null,
Primary key ('authentication _ id '))
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ approvals'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ approvals '(
'Userid' VARCHAR (256) null default null,
'Clientid' VARCHAR (256) null default null,
'Scope 'VARCHAR (256) null default null,
'Status' VARCHAR (10) null default null,
'Expiresat' datetime null default null,
'Lastmodifiedat 'datetime null default null)
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ client_details'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ client_details '(
'Client _ id' VARCHAR (128) not null,
'Resource _ id' VARCHAR (256) null default null,
'Client _ secret' VARCHAR (256) null default null,
'Scope 'VARCHAR (256) null default null,
'Authorized _ grant_types 'VARCHAR (256) null default null,
'Web _ server_redirect_uri 'VARCHAR (256) null default null,
'Authorities 'VARCHAR (256) null default null,
'Access _ token_validity 'INT (11) null default null,
'Refresh _ token_validity 'INT (11) null default null,
'Additional _ information' VARCHAR (4096) null default null,
'Autoapprove' VARCHAR (256) null default null,
Primary key ('client _ id '))
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ client_token'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ client_token '(
'Token _ id' VARCHAR (256) null default null,
'Token' blob null default null,
'Authentication _ id' VARCHAR (128) not null,
'User _ name' VARCHAR (256) null default null,
'Client _ id' VARCHAR (256) null default null,
Primary key ('authentication _ id '))
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ Code'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ Code '(
'Code' VARCHAR (256) null default null,
'Authentication 'blob null default null)
ENGINE = InnoDB
Default character set = utf8;
-------------------------------------------------------
-- Table 'oateh2 '. 'oauth _ refresh_token'
-------------------------------------------------------
Create table if not exists 'oss 2'. 'oss _ refresh_token '(
'Token _ id' VARCHAR (256) null default null,
'Token' blob null default null,
'Authentication 'blob null default null)
ENGINE = InnoDB
Default character set = utf8;
> Prerequisites: Use Maven to manage projects. The spring-security-oauth version is 2.0.10.RELEASE.
1. Add Maven dependencies. Only the main
<dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-coreartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-webartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-taglibsartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-aclartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-cryptoartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-configartifactId> <version>${spring.security.version}version> dependency> <dependency> <groupId>org.springframework.security.oauthgroupId> <artifactId>spring-security-oauth2artifactId> <version>1.0.5.RELEASEversion> dependency>
2. web. xml configuration. This step is the same as configuring Spring Security only.
pre><pre code_snippet_id="73897" snippet_file_name="blog_20131119_2_2257675" name="code" class="html"> <filter> <filter-name>springSecurityFilterChainfilter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class> filter> <filter-mapping> <filter-name>springSecurityFilterChainfilter-name> <url-pattern>/*url-pattern> filter-mapping> <context-param> <param-name>contextConfigLocationparam-name> <param-value>classpath:spring/*.xmlparam-value> context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListenerlistener-class> listener> <servlet> <servlet-name>hyservlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServletservlet-class> <load-on-startup>2load-on-startup> servlet> <servlet-mapping> <servlet-name>hyservlet-name> <url-pattern>/url-pattern> servlet-mapping>
For Spring MVC, the configuration file hy-servlet.xml is required, which is not followed here (ignore );
Create the spring directory in classpath and create it in this directorySecurity. xmlFile, which is the focus of all step configuration.
3. security. xml configuration; Focus on starting.
3.1 annotation; TokenEndpoint and AuthorizationEndpoint need
<mvc:annotation-driven/> <mvc:default-servlet-handler/>
3.2 TokenServices Configuration
1). TokenStore: Use JdbcTokenStore to store the token information in the database. A dataSource object must be provided. You can also use InMemoryTokenStore to store the TokenStore in the memory.
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore"> <beans:constructor-arg index="0" ref="dataSource"/> beans:bean>
Note: You can find the corresponding SQL script in the spring-security-oauth2, address is https://github.com/spring-projects/spring-security-oauth/tree/master/spring-security-oauth2/src/test/resources, schema. SQL in the directory is. (The following does not describe the problem of the SQL script)
2). TokenServices; TokenStore needs to be injected
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> <beans:property name="tokenStore" ref="tokenStore"/> <beans:property name="supportRefreshToken" value="true"/> beans:bean>
If refresh token is allowed, set supportRefreshToken to true, which is not allowed by default.
3.3 ClientDetailsService configuration: Use JdbcClientDetailsService, and also provide dataSource. Replace the configuration in the demo directly in the configuration file
<beans:bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService"> <beans:constructor-arg index="0" ref="dataSource"/> beans:bean>
3.4 ClientDetailsUserDetailsService configuration, which implements the UserDetailsService interface in Spring security
<beans:bean id="oauth2ClientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> <beans:constructor-arg ref="clientDetailsService"/> beans:bean>
3.5 configure OAuth2AuthenticationEntryPoint
<beans:bean id="oauth2AuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
3.6 oau2authenticationmanager configuration; two authenticationmanagers need to be configured throughout the configuration.
<authentication-manager id="oauth2AuthenticationManager"> <authentication-provider user-service-ref="oauth2ClientDetailsUserService"/> authentication-manager>
The second AuthenticationManager is used to obtain UserDetails information,
<authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="userService"> <password-encoder hash="md5"/> authentication-provider> authentication-manager>
UserService is a Bean that implements UserDetailsService.
3.7 configure OAuth2AccessDeniedHandler to implement the AccessDeniedHandler Interface
<beans:bean id="oauth2AccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
3.8 configure UserApprovalHandler. Here DefaultUserApprovalHandler is used. Here is the key point to realize whether the client can be trusted. You can extend this interface to customize the approval behavior.
<beans:bean id="oauthUserApprovalHandler" class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler"> beans:bean>
3.9 authorization-server configuration, Core
<oauth2:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices" user-approval-handler-ref="oauthUserApprovalHandler"> <oauth2:authorization-code/> <oauth2:implicit/> <oauth2:refresh-token/> <oauth2:client-credentials/> <oauth2:password/> oauth2:authorization-server>
Each label in this element can set each authorized-grant-type action. For example, if disable refresh-token is configured
<oauth2:refresh-token disabled="true"/>
3.10 configure oau2accessdecisionmanager. ScopeVoter is added based on the default Spring Security AccessDecisionManager.
<beans:bean id="oauth2AccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> <beans:constructor-arg> <beans:list> <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/> <beans:bean class="org.springframework.security.access.vote.RoleVoter"/> <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> beans:list> beans:constructor-arg> beans:bean>
3.11 resource-server configuration. Here we define two different resource
<oauth2:resource-server id="unityResourceServer" resource-id="unity-resource" token-services-ref="tokenServices"/> <oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource" token-services-ref="tokenServices"/>
Note:: The value of each resource-id must exist in the resourceIds value of the corresponding ClientDetails.
3.12 ClientCredentialsTokenEndpointFilter configuration, which will act on the chain of Spring Security
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> <beans:property name="authenticationManager" ref="oauth2AuthenticationManager"/> beans:bean>
3.13/oauth/token http configuration, used to listen to the request of this URL, Core
3.14 http configuration for different resources. Because two resources are configured above, two
Note that each http corresponds to a different resourceServer. access-decison-manager-ref corresponds to the Oauth AccessDecisionManager.
3.15 default http configuration, Set permissions for/oauth /**
At this point, securiy. xml has been configured.
Of course, you need to do some additional work, such as configuring dataSource, creating a database, adding user information, and managing ClientDetails.
Oauth-related data is stored in the database, and we can create a domain Based on the table results for management.
More references: http://www.roncoo.com/article/index.html
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
