III. web.xml file configuration
IV. applicationContext-security.xml
OAuth2 is part of Spring Security, so its configuration is tied to the Spring Security configuration; it is no longer a single standalone configuration file.
```xml
<!-- /oauth/token is the URL of the OAuth2 login authentication request that obtains an
     access_token; the default token lifetime is 43,200 seconds, i.e. 12 hours -->
```
This tag handles requests to /oauth/token, which is the OAuth2 login authentication request. So what does login need? First, just like Spring Security, an authentication manager. Spring OAuth2 needs two authentication managers: the first is the one already configured in Spring Security to verify the username and password,
```xml
<!-- authentication and rights control -->
<authentication-manager>
    <authentication-provider>
        <!--
        <password-encoder hash="md5">
            <salt-source user-property="email"/>
        </password-encoder>
        -->
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select username, password, 1 from user where username = ?"
            authorities-by-username-query="select u.username, r.role from user u left join role r on u.role_id = r.id where username = ?"/>
    </authentication-provider>
</authentication-manager>
```
The other one distinguishes the client applications; give it the name oauth2AuthenticationManager:
```xml
<oauth2:client-details-service id="clientDetailsService">
    <oauth2:client client-id="mobile_1"
        authorized-grant-types="password,authorization_code,refresh_token,implicit"
        secret="secret_1"
        scope="read,write,trust"/>
</oauth2:client-details-service>

<beans:bean id="oauth2ClientDetailsUserService"
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetailsService"/>
</beans:bean>

<authentication-manager id="oauth2AuthenticationManager">
    <authentication-provider user-service-ref="oauth2ClientDetailsUserService"/>
</authentication-manager>
```
Here a client named mobile_1 with the secret secret_1 is set up; it is valid for the read, write and trust scopes. These scopes are used later in access control.
After a successful login you receive a token, and every following request must carry it; spring-oauth2 authenticates the request from that token, so spring-oauth2 has to store the mapping between tokens and users. Because there is no session, this mapping plays the role of the session. So how is the token saved on the server? There are two main storage methods: one creates a database table and stores tokens in the database; the other stores them directly in memory. For now I am keeping things simple and using the second. Configure a service to manage tokens as follows:
```xml
<!-- for spring oauth2 -->
<!-- token store, i.e. how tokens are kept on the server:
     InMemoryTokenStore keeps them in memory; JdbcTokenStore saves them in the database -->
<beans:bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>

<!-- <beans:bean id="tokenServices"
         class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> -->
<!-- token service bean: our own class that replaces DefaultTokenServices (see below) -->
<beans:bean id="tokenServices" class="org.zhangfc.demo4ssh.service.MyTokenService">
    <!-- the store declared above, and refresh support, which is off by default in the class -->
    <beans:property name="tokenStore" ref="tokenStore"/>
    <beans:property name="supportRefreshToken" value="true"/>
</beans:bean>
```
Here are four basic beans, handling access success, access denied, user approval, and access control respectively:
```xml
<!-- handling access success -->
<beans:bean id="oauth2AuthenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
<!-- handling access denied -->
<beans:bean id="oauth2AccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<!-- handling user approval -->
<beans:bean id="oauthUserApprovalHandler"
    class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler"/>
<!-- handling access control: UnanimousBased, so every voter has to agree -->
<beans:bean id="oauth2AccessDecisionManager"
    class="org.springframework.security.access.vote.UnanimousBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
```
Configure the grant types this OAuth2 server supports:
```xml
<!-- grant types the OAuth2 server can support -->
<oauth2:authorization-server client-details-service-ref="clientDetailsService"
    token-services-ref="tokenServices"
    user-approval-handler-ref="oauthUserApprovalHandler">
    <oauth2:authorization-code/>
    <oauth2:implicit/>
    <oauth2:refresh-token/>
    <oauth2:client-credentials/>
    <oauth2:password/>
</oauth2:authorization-server>
```
Since our requests submit the grant type and the username and password as form parameters, the following filter has to be configured:
```xml
<beans:bean id="clientCredentialsTokenEndpointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="oauth2AuthenticationManager"/>
</beans:bean>
```
The following defines a resource server, which specifies the resources Spring should protect; without it, access control will complain that there is no Authentication object:
```xml
<!-- the resources spring should protect; without this, access control says there is no Authentication object -->
<oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource"
    token-services-ref="tokenServices"/>
```
Alright, that was the basic configuration; next comes the configuration for access control. In the earlier intercept chain, /oauth/token has already been configured for login verification, and the two paths /json and /admin are added under this tag.
We use oauth2AccessDecisionManager to make the decisions. One thing to note here: in ordinary spring-security configuration, access="ROLE_USER,ROLE_ADMIN" means that either USER or ADMIN may access, an "or" relationship; here, because the manager is UnanimousBased, it is an "and" relationship. The second rule, for example, requires ROLE_ADMIN and that the current token's scope contains read; otherwise there is no permission. An authentication failure returns XML; this can be changed with a custom handler, which we will not go into for now.
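The two `<http>` chains the text describes, written out as an added example (this is not the original post's configuration, whose access-control block did not survive extraction). It assumes the bean ids defined above, a regex request matcher to cover both /json and /admin in one chain, and the illustrative access attributes ROLE_USER,SCOPE_READ and ROLE_ADMIN,SCOPE_READ; with UnanimousBased every listed attribute must be satisfied, so the second rule needs both the ROLE_ADMIN authority and the read scope on the token.

```xml
<!-- Added example, not from the original post. Assumes the bean ids declared earlier in
     applicationContext-security.xml and illustrative /json and /admin access rules. -->

<!-- Token endpoint: the client authenticates with client_id/client_secret, so the
     ClientCredentialsTokenEndpointFilter (backed by oauth2AuthenticationManager) runs here.
     No session is created: every token request is authenticated on its own. -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="oauth2AuthenticationManager"
      entry-point-ref="oauth2AuthenticationEntryPoint" use-expressions="false">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="oauth2AuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauth2AccessDeniedHandler"/>
</http>

<!-- Protected resources: the resource-server filter turns the bearer token back into an
     OAuth2Authentication before the decision manager runs. With oauth2AccessDecisionManager
     (UnanimousBased) ScopeVoter, RoleVoter and AuthenticatedVoter must all grant, so
     "ROLE_ADMIN,SCOPE_READ" is an AND: ROLE_ADMIN on the user AND read in the token scope.
     Anonymous access is disabled so a missing or invalid token is rejected, not downgraded. -->
<http pattern="/(json|admin).*" request-matcher="regex" create-session="never"
      entry-point-ref="oauth2AuthenticationEntryPoint"
      access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="false">
    <anonymous enabled="false"/>
    <intercept-url pattern="/json.*" access="ROLE_USER,SCOPE_READ"/>
    <intercept-url pattern="/admin.*" access="ROLE_ADMIN,SCOPE_READ"/>
    <custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="oauth2AccessDeniedHandler"/>
</http>
```

The SCOPE_ prefix is the ScopeVoter's default and is matched case-insensitively against the scopes granted to the token, so a token issued with only `read` is refused on a rule that lists SCOPE_WRITE even when the user holds the required role; that is the behaviour the "and" relationship above refers to.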
The default 12-hour access_token lifetime may be too long for us, and the access_token generated by UUID.randomUUID() is a 36-character string, which is not the form we want. So we can copy org.springframework.security.oauth2.provider.token.DefaultTokenServices and make some changes to it; here I copied the class, renamed it MyTokenService, and configured it in the configuration file above. The main change is to the following member variables:
```java
private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // refresh_token lifetime, default 2,592,000 seconds (30 days)
private int accessTokenValiditySeconds = 60 * 60 * 12;       // access_token lifetime, default 12 hours
private boolean supportRefreshToken = false;                  // whether the access_token can be refreshed; default false, switched on in the configuration file
private boolean reuseRefreshToken = true;                     // whether the same refresh_token stays valid after a refresh; default is to keep using it
private TokenStore tokenStore;                                // where access_tokens are stored; injected from the configuration file
private TokenEnhancer accessTokenEnhancer;                    // optional enhancer applied to every newly created token
```
Change how the access_token is generated by modifying its createAccessToken method:
```java
private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
    // strip the dashes so the token value is 32 hex characters instead of the 36-character UUID form
    String accessTokenValue = UUID.randomUUID().toString().replaceAll("-", "");
    DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessTokenValue);
    int validitySeconds = this.getAccessTokenValiditySeconds(authentication.getOAuth2Request());
    if (validitySeconds > 0) {
        // a lifetime of 0 or less means the token never expires
        token.setExpiration(new Date(System.currentTimeMillis() + (long) validitySeconds * 1000L));
    }
    token.setRefreshToken(refreshToken);
    token.setScope(authentication.getOAuth2Request().getScope());
    return this.accessTokenEnhancer != null ? this.accessTokenEnhancer.enhance(token, authentication) : token;
}
```
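The lifetime and refresh settings above are also reachable without forking the class, because each of those member variables has a public setter on DefaultTokenServices. The following bean, an added example rather than the original post's configuration, would replace the MyTokenService bean declared earlier; the 600-second access token and the refresh-token rotation are illustrative choices, and only the dash-stripped token format still needs code (a TokenEnhancer supplied through the tokenEnhancer property).

```xml
<!-- Added example, not from the original post: the same settings via DefaultTokenServices
     setters. Replaces the MyTokenService bean; values below are illustrative. -->
<beans:bean id="tokenServices"
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <!-- the InMemoryTokenStore declared above; swap for JdbcTokenStore if tokens must survive a restart -->
    <beans:property name="tokenStore" ref="tokenStore"/>
    <!-- lets the service honour per-client validity settings from the client details -->
    <beans:property name="clientDetailsService" ref="clientDetailsService"/>
    <!-- 10 minutes instead of the 12-hour default: a leaked bearer token is usable for a short window only -->
    <beans:property name="accessTokenValiditySeconds" value="600"/>
    <!-- refresh is off by default in the class; enable it, but issue a new refresh_token on every refresh -->
    <beans:property name="supportRefreshToken" value="true"/>
    <beans:property name="reuseRefreshToken" value="false"/>
    <!-- keep the 30-day refresh_token lifetime -->
    <beans:property name="refreshTokenValiditySeconds" value="2592000"/>
</beans:bean>
```

Setting reuseRefreshToken to false means each refresh invalidates the refresh_token that was just presented, so a refresh_token copied from a log or a URL (the examples below pass tokens in the query string, which web server logs record) stops working as soon as the legitimate client refreshes.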
Source download: http://pan.baidu.com/s/1mhSfKFY
URL to get an access_token:
http://localhost:8080/AOuth/oauth/token?client_id=mobile_1&client_secret=secret_1&grant_type=password&username=aa&password=aa
This returns an access_token:
{"access_token":"4219a91f-45d5-4a07-9e8e-3acbadd0c23e","token_type":"bearer","refresh_token":"d41df9fd-3d36-4a20-b0b7-1a1883c7439d","expires_in":43199,"scope":"read write trust"}
Then use this access_token to access the resources:
http://localhost:8080/AOuth/admin?access_token=4219a91f-45d5-4a07-9e8e-3acbadd0c23e
Refresh the access_token:
http://localhost:8080/AOuth/oauth/token?client_id=mobile_1&client_secret=secret_1&grant_type=refresh_token&refresh_token=ad18fc89e1424278b675ca05bf8afbb3
Thank you for reading!
Original: http://www.cnblogs.com/0201zcr/p/5328847.html
Spring Security oauth2.0 Implementation