一直很困惑这种 Spring Security 的链式 HttpSecurity 怎么配置，以下是笔记
来自 Stack Overflow
// Fragment only: `http` is the HttpSecurity handed to configure(HttpSecurity);
// the enclosing method is not part of this snippet.
http
    // Turns CSRF protection off for the whole chain: every state-changing
    // request (including the form-login POST below) is accepted without a CSRF
    // token. Only appropriate when no browser session cookie is used for auth.
    .csrf().disable()
    .authorizeRequests()
        // "/shutdown" is reachable without any authentication. If this path is
        // wired to something that stops the application, anyone who can reach
        // the server can trigger it — confirm what the endpoint does.
        .antMatchers("/shutdown").permitAll()
        // everything else needs an authenticated principal
        .anyRequest().authenticated()
    .and()
    .formLogin()
        .loginPage("/authentication.html")
        .loginProcessingUrl("/login")
        // failures redirect back to the login page itself
        .failureUrl("/authentication.html")
        // opens the login page, processing URL and failure URL to
        // unauthenticated users, which they have to be for login to work at all
        .permitAll();
自定义一个RequestMatcher
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    // Only requests accepted by OAuth2RequestedMatcher enter this filter chain;
    // everything else falls through to whatever chain is configured next.
    // Inside the chain "/api/**" is open and every other matched request needs
    // an authenticated principal. The matcher merely *routes* a request here —
    // it does not check the token; validation has to happen in the resource
    // server filters of this chain (not shown in this snippet).
    http.requestMatcher(new OAuth2RequestedMatcher()).authorizeRequests().antMatchers("/api/**")
            .permitAll().anyRequest().authenticated();
    // @formatter:on
}

/**
 * Selects requests that carry OAuth2 authorization data: either the
 * {@code Authorization} header starts with {@code Bearer}, or the request has
 * an {@code access_token} parameter. Satisfying either one is a match.
 */
private static class OAuth2RequestedMatcher implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        String auth = request.getHeader("Authorization");
        // Plain prefix test: case-sensitive and without the trailing space, so a
        // header such as "BearerX" also matches. The token itself is neither
        // parsed nor validated here.
        boolean haveOauth2Token = (auth != null) && auth.startsWith("Bearer");
        // getParameter() covers query-string and form-body parameters alike, so a
        // token posted in a form body also selects this chain.
        boolean haveAccessToken = request.getParameter("access_token") != null;
        return haveOauth2Token || haveAccessToken;
    }
}
来自:http://www.cnblogs.com/davidwang456/p/4549344.html
匿名用户控制:
@Configuration
@EnableWebSecurity
public class AnononymousSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Single filter chain: "/" requires ROLE_USER, form login runs with its
     * defaults, and requests without a session get an anonymous principal whose
     * authority is ROLE_ANON rather than the default ROLE_ANONYMOUS.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // only the root path has an access rule; no other URL in this
                // chain is subject to an authorization decision
                .antMatchers("/").hasRole("USER")
                .and()
            .formLogin()
                .and()
            // sample anonymous customization
            .anonymous()
                // renames the anonymous authority — any check written against
                // "ROLE_ANONYMOUS" elsewhere would no longer match anonymous users
                .authorities("ROLE_ANON");
    }

    /**
     * In-memory user store with one account (user / password). The credentials
     * are hard-coded in clear text in the class — sample wiring, not something
     * to carry into a deployed configuration.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user")
                .password("password")
                .roles("USER");
    }
}
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /**
     * Registers a single LDAP authentication provider shared by all three filter
     * chains below. Users are verified by binding as {@code uid=<name>,ou=people};
     * their authorities come from the groups under {@code ou=groups} that list
     * the user's DN in {@code uniqueMember}, named after the group's {@code cn}.
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Plain ldap:// (no TLS): the manager bind below and every user bind
        // travel unencrypted. Tolerable only because the server is on loopback.
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(
                "ldap://127.0.0.1:389/dc=mycompany,dc=com");
        // Directory manager credentials are hard-coded in clear text in source;
        // they should come from externalized, protected configuration.
        contextSource.setUserDn("cn=admin,dc=mycompany,dc=com");
        contextSource.setPassword("admin");
        contextSource.afterPropertiesSet();

        // {0} is replaced with the login name; the user's own password is
        // checked by binding as that DN, so no password hashes are handled here.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });

        // Group lookup: search ou=groups for entries whose uniqueMember equals
        // the user's DN ({0}); each matching group's cn becomes an authority.
        DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(
                contextSource, "ou=groups");
        populator.setGroupRoleAttribute("cn");
        populator.setGroupSearchFilter("uniqueMember={0}");

        AuthenticationProvider authProvider = new LdapAuthenticationProvider(
                authenticator, populator);
        auth.authenticationProvider(authProvider);
    }

    /**
     * Chain 1 (evaluated first): only "/index.jsp". It enables anonymous
     * authentication but declares no authorizeRequests() rules, so the page is
     * effectively public.
     */
    @Configuration
    @Order(1)
    public static class IndexSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/index.jsp").anonymous();
        }
    }

    /**
     * Chain 2: everything under "/html/**", protected by form login.
     * Only two URLs carry an access rule; other "/html/**" URLs have none and
     * are not access-controlled by this chain.
     */
    @Configuration
    @Order(2)
    public static class HtmlSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/html/**")
                    .authorizeRequests()
                    .antMatchers("/html/submit.jsp").hasRole("BLACK")
                    // This rule is dead: configure(WebSecurity) below removes
                    // /html/forbidden.html from the filter chain entirely, so the
                    // authenticated() requirement is never evaluated.
                    .antMatchers("/html/forbidden.html").authenticated()
                    .and().formLogin()
                    .loginPage("/html/login.jsp")
                    .loginProcessingUrl("/html/login")
                    .defaultSuccessUrl("/index.jsp")
                    .permitAll()
                    .and().logout().logoutUrl("/html/logout")
                    .and().exceptionHandling().accessDeniedPage("/html/403.jsp");
        }

        /**
         * Bypasses Spring Security completely for /html/forbidden.html — no
         * authentication, no authorization, no security headers on that URL.
         * Contradicts the authenticated() rule above; one of the two should go.
         */
        @Override
        public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/html/forbidden.html");
        }
    }

    /**
     * Chain 3: "/ajax/**" requires ROLE_RED and authenticates with HTTP Basic.
     * Basic auth resends the credentials on every request, so this chain
     * depends on TLS being terminated in front of the application (not
     * configured here).
     */
    @Configuration
    @Order(3)
    public static class AjaxSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/ajax/**")
                    .authorizeRequests().anyRequest().hasRole("RED")
                    .and()
                    .httpBasic();
        }
    }
}
http://www.tuicool.com/articles/uqAR3m6