关闭

springsecurity+oauth2+springmvc+hibernate

标签: springsecurityspringmvcoauth2bootstrap后台框架
3803人阅读 评论(0) 收藏 举报
分类:

最近整理的 基础框架在此备忘:

附上次配置的源码:

git:https://github.com/izhbg/typz

code:https://code.csdn.net/cai_chinasoft/typz/tree/master

一、springsecurity的xml配置

<!-- spring security 配置 -->   
    <security:http auto-config="true" create-session="never" use-expressions="true" access-denied-page="/common/403.jsp" >  
         <!-- 不要过滤图片等静态资源 -->    
        <security:intercept-url pattern="/**/*.jpg" access="permitAll"/>
        <security:intercept-url pattern="/**/*.png" access="permitAll"/>
        <security:intercept-url pattern="/**/*.gif" access="permitAll"/>
        <security:intercept-url pattern="/**/*.css" access="permitAll"/>
        <security:intercept-url pattern="/**/*.js" access="permitAll"/>
        
        <security:intercept-url pattern="/common/401.jsp" access="permitAll"/>
        <security:intercept-url pattern="/common/403.jsp" access="permitAll"/>
        <security:intercept-url pattern="/common/404.jsp" access="permitAll"/>
        <security:intercept-url pattern="/common/500.jsp" access="permitAll"/>
        <!-- 登录页面和忘记密码页面不过滤  -->  
        <security:intercept-url pattern="/auth/login.izhbg" access="permitAll"/>  
        <!-- 登录配置 -->   
        <security:form-login  
                login-page="/auth/login.izhbg"   
                authentication-failure-url="/auth/login.izhbg?error=true"   
                authentication-success-handler-ref="authenticationSuccessHandler"/>  
        <!-- 退出配置 -->       
        <security:logout   
                invalidate-session="true"   
                logout-success-url="/auth/login.izhbg"   
                logout-url="/auth/logout.izhbg"/>  
        
       <!-- "记住我"功能,采用持久化策略(将用户的登录信息存放在数据库表中)  --> 
       <security:remember-me data-source-ref="dataSource"
       			 		     token-validity-seconds="1209600"
       			 		     remember-me-parameter="remember-me" user-service-ref="customUserDetailsService"/>
       
       <!-- session处理 --> 
       <security:session-management session-authentication-strategy-ref="concurrentSessionControlStrategy" invalid-session-url="/auth/login.izhbg" session-authentication-error-url="/auth/login.izhbg" />
       
       <!-- 增加一个自定义的filter,放在FILTER_SECURITY_INTERCEPTOR之前, 实现用户、角色、权限、资源的数据库管理。  -->
       <security:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
       
       <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>  
         
    </security:http>
二、springsecurity中涉及自定义和相关引用的配置

<bean id="authenticationSuccessHandler" class="com.izhbg.typz.sso.security.handler.SimpleLoginSuccessHandler">  
	    <property name="defaultTargetUrl" value="/main/common.izhbg"></property>  
	    <property name="forwardToDestination" value="false"></property>  
	</bean>  
    <!-- 一个自定义的filter,必须包含authenticationManager, accessDecisionManager,securityMetadataSource三个属性。  -->  
    <bean id="filterSecurityInterceptor" class="com.izhbg.typz.sso.security.MyFilterSecurityInterceptor">
    	<property name="authenticationManager" ref="authenticationManager"/>
    	<property name="accessDecisionManager" ref="myAccessDecisionManager"/>
    	<property name="securityMetadataSource" ref="mySecurityMetadataSource"/>
    </bean>
    <bean id="myAccessDecisionManager" class="com.izhbg.typz.sso.security.MyAccessDecisionManager"/>
    <bean id="mySecurityMetadataSource" class="com.izhbg.typz.sso.security.service.MyInvocationSecurityMetadataSourceService"/>
    
    <!-- 指定一个自定义的authentication-manager :customUserDetailsService -->  
    <security:authentication-manager alias="authenticationManager">  
            <security:authentication-provider user-service-ref="customUserDetailsService">  
                    <security:password-encoder ref="passwordEncoder">
                    	<!-- <security:salt-source user-property="username"/> 盐值-->
                    </security:password-encoder>  
            </security:authentication-provider>  
    </security:authentication-manager>  
	<!-- 从数据库加载UserDetails的UserDetailsService -->
    <bean id="customUserDetailsService" class="com.izhbg.typz.sso.security.service.CustomUserDetailsService">
    	 <property name="userCache" ref="userCache"/>
    </bean>
    <!-- 密码加密器 -->
	<bean id="passwordEncoder" class="com.izhbg.typz.sso.util.PasswordEncoderFactoryBean">
		<property name="type" value="${security.passwordencoder.type}"/>
		<property name="salt" value="${security.passwordencoder.salt}"/><!-- 盐值 -->
	</bean>
   <!-- 又一个密码加密器? -->
	<bean id="customPasswordEncoder" factory-bean="&passwordEncoder" factory-method="getCustomPasswordEncoder"/>
    
    <!-- session 处理 -->
    <bean id="concurrentSessionControlStrategy"  
	    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">  
	    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />  
	    <property name="maximumSessions" value="1"></property>  
	</bean>  
	  
	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">  
	    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />  
	    <constructor-arg name="expiredUrl" value="/sessionOut.jsp" />  
	</bean>    
	 <!-- 启用用户的缓存功能  -->
	<bean id="userCache"
		class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
		<property name="cache" ref="userEhCache" />
	</bean>

	<bean id="userEhCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
		<property name="cacheName" value="userCache" />
		<property name="cacheManager" ref="cacheManager" />
	</bean>

	<bean id="cacheManager"
		class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
	
	  <!-- spring security自带的与权限有关的数据读写Jdbc模板  -->  
	 <bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">  
	  <property name="dataSource" ref="dataSource" />  
	 </bean>

三、oauth2的xml配置

<security:http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauth2AuthenticationManager"
          entry-point-ref="oauth2AuthenticationEntryPoint" use-expressions="true">
       <!--  <security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/> -->
        <security:anonymous enabled="false"/>
        <security:http-basic entry-point-ref="oauth2AuthenticationEntryPoint"/>
        <security:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
        <security:access-denied-handler ref="oauth2AccessDeniedHandler"/>
    </security:http>   
四、oauth2 自定义以及相关引用的配置

<security:authentication-manager id="oauth2AuthenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService"/>
    </security:authentication-manager> 
    <!-- <bean id="oauth2ClientDetailsUserService"
                class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetailsService"/>
    </bean>   -->
    <bean id="clientDetailsService" class="com.izhbg.typz.sso.auth2.service.CustomJdbcClientDetailsService">
        <constructor-arg index="0" ref="dataSource"/>
    </bean>
    <bean id="oauth2AuthenticationEntryPoint"
                class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
                
     <bean id="clientCredentialsTokenEndpointFilter"
                class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="oauth2AuthenticationManager"/>
     </bean>
     <bean id="oauth2AccessDeniedHandler"
                class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
     <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
        <constructor-arg index="0" ref="dataSource"/>
     </bean>
     <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="clientDetailsService" ref="clientDetailsService"/>
        <property name="supportRefreshToken" value="true"/>
     </bean>
     <bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory"
                id="oAuth2RequestFactory">
        <constructor-arg name="clientDetailsService" ref="clientDetailsService"/>
     </bean>
     <bean id="oauthUserApprovalHandler" class="com.izhbg.typz.sso.auth2.OauthUserApprovalHandler">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="clientDetailsService" ref="clientDetailsService"/>
        <property name="requestFactory" ref="oAuth2RequestFactory"/>
        <property name="oauthService" ref="oauthService"/>
    </bean>
    <bean id="jdbcAuthorizationCodeServices"
                class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
        <constructor-arg index="0" ref="dataSource"/>
    </bean>
    <bean id="oauth2AccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
                <bean class="org.springframework.security.access.vote.RoleVoter"/>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </constructor-arg>
    </bean>
     <oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource" token-services-ref="tokenServices"/>
     <oauth2:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
                                 user-approval-handler-ref="oauthUserApprovalHandler"
                                 user-approval-page="oauth_approval"
                                 error-page="oauth_error">
        <oauth2:authorization-code authorization-code-services-ref="jdbcAuthorizationCodeServices"/>
        <oauth2:implicit/>
        <oauth2:refresh-token/>
        <oauth2:client-credentials/>
        <oauth2:password/>
    </oauth2:authorization-server>

五、配置需要oauth2验证的资源

 <!--mobile http configuration-->
    <security:http pattern="/m/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
          access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="true">
        <security:anonymous enabled="false"/> 

        <!-- <security:intercept-url pattern="/m/**" access="ROLE_MOBILE,SCOPE_READ"/>  -->
        <security:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
		<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/> 
		
        <security:custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER"/>
        <security:access-denied-handler ref="oauth2AccessDeniedHandler"/>
    </security:http>
源码 详见:

git:https://github.com/izhbg/typz
code:https://code.csdn.net/cai_chinasoft/typz/tree/master





0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场