SpringSecurity OAuth2 ResourceServerConfigurerAdapter Sınıfı - Kendi OAuth2 Resource Sunucumuz İçin

Giriş
Şu satırı dahil ederiz

import org.springframework.security.oauth2.config.annotation.web.configuration
.ResourceServerConfigurerAdapter;

OAuth ile roller şöyle

There are four different roles within OAuth2 we need to consider:

- Resource Owner — an entity that is able to grant access to its protected resources
- Authorization Server — grants access tokens to Clients after successfully authenticating Resource Owners and obtaining their authorization
- Resource Server — a component that requires an access token to allow, or at least consider, access to its resources
- Client — an entity that is capable of obtaining access tokens from authorization servers

Açıklaması şöyle

You need a WebSecurityConfigurerAdapter to secure the /authorize endpoint and to provide a way for users to authenticate. A Spring Boot application would do that for you (by adding its own WebSecurityConfigurerAdapter with HTTP basic auth). It creates a filter chain with order=0 by default, and protects all resources unless you provide a request matcher. The @EnableResourceServer does something similar, but the filter chain it adds is at order=3 by default, so it is a catch-all fallback for your own WebSecurityConfigurerAdapter at order=0.

Örnek
İskeleti şöyledir.

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
protected static class ResourceServerConfiguration extends
  ResourceServerConfigurerAdapter {
  ...
}

configure metodu - HttpSecurity
İmzası şöyle

@Override
public void configure(HttpSecurity http) throws Exception

Örnek
Önce erişime izin vermek için şöyle yaparız.

@Configuration
public class WebSecurityGlobalConfig extends WebSecurityConfigurerAdapter {

  ...
  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      // api security is handled elsewhere (See OAuth2ServerConfiguration)
      .antMatchers("/api/**", "/oauth/**", "/management/**")
      .permitAll()
       // end api security
      .anyRequest().hasRole(UserRole.ADMIN.name())
      .and()
       .formLogin().loginPage("/login")
       .permitAll()
       .and()
      .logout().permitAll();
  }
}

Daha sonra ResourceServerConfigurerAdapter sınıfında şöyle yaparız.

http
  .requestMatchers()
    .antMatchers("/api/**")
    .and()
    .authorizeRequests()
    .antMatchers(HttpMethod.OPTIONS, "/api/**")
    .permitAll()
    .and()
  .requestMatchers()
    .antMatchers("/api/**")
    .and()
    .authorizeRequests()
    .and()
  .requestMatchers()
      .antMatchers("/management/**")
      .and()
      .authorizeRequests()
      .antMatchers("/management/health", "/management/info").permitAll()
      .antMatchers("/management/**").hasRole(UserRole.ADMIN.name())
      .anyRequest()
       .authenticated()

configure 
Örnek - authenticationEntryPoint

Şöyle yaparız

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
  OAuth2AuthenticationEntryPoint authenticationEntryPoint = ...;
  authenticationEntryPoint.setExceptionTranslator(...);


  OAuth2AccessDeniedHandler accessDeniedHandler = new OAuth2AccessDeniedHandler();
  accessDeniedHandler.setExceptionTranslator(...);


  resources.authenticationEntryPoint(authenticationEntryPoint)
    .accessDeniedHandler(accessDeniedHandler)
    .resourceId(applicationResourceID)
    .tokenStore(tokenStore());
}




Örnek - TokenStore Atama

Şöyle yaparız. TokenStore nesnesi InMemoryTokenStore,JwtTokenStore olabilir. TokenStore nesnesi TokenStoreUserApprovalHandler tarafından kullanılır.

public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
  @Autowired
  private TokenStore tokenStore;

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.tokenStore(this.tokenStore);
  }
}