AuthorizationServerConfigurerAdapter and WebSecurityConfigurerAdapter

One thing first. OAuth 2 is an authorization framework. It allows an application (client) to obtain limited access to an HTTP service on behalf of a resource owner (user). OAuth 2 is not an authentication protocol.

AuthorizationServerConfigurerAdapter is used to configure how the OAuth authorization server works.

Here are some aspects which can be configured:

  • supported grant types (e.g. authorization code grant)
  • authorization code service, to store authorization codes
  • token store, to store access and refresh tokens (e.g. JwtTokenStore)
  • client details service, which holds the client configurations
  • ...

WebSecurityConfigurerAdapter is used to configure how the OAuth authorization server is secured.

Or in other words, how the user has to authenticate to grant a client access to his resources.

This can be:

  • form authentication
  • authentication via an identity provider (Facebook Login)
  • ...

(I have intentionally omitted some details to keep the answer as simple as possible.)


Example authorization server configuration with an in-memory token store:

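import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Tell the token endpoints which store holds issued access and refresh tokens.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore());
    }

    // In-memory store: tokens are lost on restart and are not shared between instances.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    // ...

}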
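
The other aspects from the list above (client details, grant types, authorization code service), shown together with the token store as an added example; it is not code from the original answer. The class name, client id, secret, scope and redirect URI are constructed sample values, and the class is meant to stand in for the configuration above, not to run alongside it.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

// Hypothetical class; all client values below are constructed samples.
@Configuration
@EnableAuthorizationServer
public class ExampleAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Client details service: one client, limited to the grants, scope and
    // redirect URI it actually needs; the secret is stored hashed.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("example-client")
            .secret(passwordEncoder().encode("change-me"))
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")
            .redirectUris("https://client.example.com/callback")
            .accessTokenValiditySeconds(300);
    }

    // Authorization code service and token store used by the endpoints.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authorizationCodeServices(new InMemoryAuthorizationCodeServices())
                 .tokenStore(new InMemoryTokenStore());
    }

    // Client authentication: compare secrets with the same encoder, and
    // require an authenticated client for /oauth/check_token.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.passwordEncoder(passwordEncoder())
                .checkTokenAccess("isAuthenticated()");
    }
}
```

How the user logs in before approving this client is not decided here; that stays in the WebSecurityConfigurerAdapter.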

Example security configuration with form login:

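import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // The login page itself must be reachable without a session.
                .antMatchers("/login").permitAll()
                // The user must be logged in before approving a client.
                .antMatchers("/oauth/authorize").authenticated()
                .and()
            .formLogin();
    }

    // ...

}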

 
