Monday, 2 April 2018

Spring Security OAuth2 ResourceServerConfigurerAdapter Class - For Our Own OAuth2 Resource Server

Introduction
We include the following import:
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
The roles in OAuth2 are as follows:
There are four different roles within OAuth2 we need to consider:

Resource Owner — an entity that is able to grant access to its protected resources
Authorization Server — grants access tokens to Clients after successfully authenticating Resource Owners and obtaining their authorization
Resource Server — a component that requires an access token to allow, or at least consider, access to its resources
Client — an entity that is capable of obtaining access tokens from authorization servers
The explanation is as follows:
You need a WebSecurityConfigurerAdapter to secure the /authorize endpoint and to provide a way for users to authenticate. A Spring Boot application would do that for you (by adding its own WebSecurityConfigurerAdapter with HTTP basic auth). It creates a filter chain with order=0 by default, and protects all resources unless you provide a request matcher. The @EnableResourceServer does something similar, but the filter chain it adds is at order=3 by default, so it is a catch-all fallback for your own WebSecurityConfigurerAdapter at order=0.
Example
The skeleton looks like this.
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
protected static class ResourceServerConfiguration extends
  ResourceServerConfigurerAdapter {
  ...
}
configure method - HttpSecurity
Its signature is as follows:
@Override
public void configure(HttpSecurity http) throws Exception
Example
First, to permit access to these paths in the WebSecurityConfigurerAdapter, we do the following.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityGlobalConfig extends WebSecurityConfigurerAdapter {

  ...
  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      // api security is handled elsewhere (See OAuth2ServerConfiguration)
      .antMatchers("/api/**", "/oauth/**", "/management/**")
      .permitAll()
      // end api security
      .anyRequest().hasRole(UserRole.ADMIN.name())
      .and()
      .formLogin().loginPage("/login")
      .permitAll()
      .and()
      .logout().permitAll();
  }
}
Then, in the ResourceServerConfigurerAdapter class, we do the following.
@Override
public void configure(HttpSecurity http) throws Exception {
  http
    // this filter chain only handles the paths listed in requestMatchers();
    // anything else falls through to the WebSecurityConfigurerAdapter above
    .requestMatchers()
      .antMatchers("/api/**")
      .and()
      .authorizeRequests()
      .antMatchers(HttpMethod.OPTIONS, "/api/**")
      .permitAll()
      .and()
    // repeats the /api/** matcher; it adds no further rules
    .requestMatchers()
      .antMatchers("/api/**")
      .and()
      .authorizeRequests()
      .and()
    .requestMatchers()
      .antMatchers("/management/**")
      .and()
      .authorizeRequests()
      .antMatchers("/management/health", "/management/info").permitAll()
      .antMatchers("/management/**").hasRole(UserRole.ADMIN.name())
      .anyRequest()
      .authenticated();
}
configure method - ResourceServerSecurityConfigurer
Example - authenticationEntryPoint
We do the following:
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
  // sent when a request carries no valid token (401 with an OAuth2 error body)
  OAuth2AuthenticationEntryPoint authenticationEntryPoint = ...;
  authenticationEntryPoint.setExceptionTranslator(...);

  // sent when the token is valid but lacks the required scope or role (403)
  OAuth2AccessDeniedHandler accessDeniedHandler = new OAuth2AccessDeniedHandler();
  accessDeniedHandler.setExceptionTranslator(...);

  resources.authenticationEntryPoint(authenticationEntryPoint)
    .accessDeniedHandler(accessDeniedHandler)
    .resourceId(applicationResourceID)
    .tokenStore(tokenStore());
}

Example - Assigning a TokenStore
We do the following. The TokenStore object can be an InMemoryTokenStore or a JwtTokenStore. The TokenStore object is used by TokenStoreUserApprovalHandler.
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
  @Autowired
  private TokenStore tokenStore;

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.tokenStore(this.tokenStore);
  }
}
