没有任何注释,表怪我(¬_¬)

更新:

2016.05.29: 将AuthorizationServer和ResourceServer分开配置

2016.05.29: Token获取采用Http Basic认证以符合RFC6749标准

2016.05.29: grant_type支持authorization_code, password, refresh_token

2016.05.27: 增加用于REST服务的安全配置

2016.05.27: 可选采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0或者HTTP BASIC

2016.05.27: REST安全验证和WEB安全验证均可通过配置文件关闭

 <?xml version="1.0" encoding="UTF-8"?>
 <beans:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans
                                  http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
                                  http://www.springframework.org/schema/security
                                  http://www.springframework.org/schema/security/spring-security-4.0.xsd
                                  http://www.springframework.org/schema/security/oauth2
                                  http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

     <global-method-security pre-post-annotations="enabled" order="0"
                             proxy-target-class="true">
     </global-method-security>

     <beans:bean id="sessionRegistry"
                 class="org.springframework.security.core.session.SessionRegistryImpl" />

     <http security="none" pattern="/resources/**" />
     <http security="none" pattern="/favicon.ico" />

     <beans:beans profile="oauth-authorization-server">
         <beans:bean id="oauth2AuthorizationServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
             <beans:property name="signingKey" ref="jwtSigningKey"/>
             <beans:property name="verifierKey" ref="jwtVerifierKey"/>
         </beans:bean>

         <beans:bean id="oauth2AuthorizationServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
             <beans:constructor-arg ref="oauth2AuthorizationServerJwtAccessTokenConverter"/>
         </beans:bean>

         <beans:bean id="oauth2AuthorizationServerTokenServices"
                     class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
             <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
             <beans:property name="clientDetailsService" ref="clientDetailsService" />
             <beans:property name="tokenEnhancer" ref="oauth2AuthorizationServerJwtAccessTokenConverter" />
             <beans:property name="supportRefreshToken" value="true" />
         </beans:bean>

         <beans:bean id="oauth2AuthorizationServerClientDetailsUserService"
                     class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
             <beans:constructor-arg ref="clientDetailsService"/>
             <beans:property name="passwordEncoder" ref="passwordEncoder"/>
         </beans:bean>

         <beans:bean id="oauth2AuthorizationServerAuthenticationEntryPoint"
                     class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

         <authentication-manager id="oauth2AuthorizationServerAuthenticationManager">
             <authentication-provider user-service-ref="oauth2AuthorizationServerClientDetailsUserService">
                 <password-encoder ref="passwordEncoder" />
             </authentication-provider>
         </authentication-manager>

         <beans:bean id="oauth2AuthorizationServerUserApprovalHandler"
                     class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" >
             <beans:property name="tokenStore" ref="oauth2AuthorizationServerTokenStore" />
             <beans:property name="clientDetailsService" ref="clientDetailsService" />
             <beans:property name="requestFactory">
                 <beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
                     <beans:constructor-arg ref="clientDetailsService"/>
                 </beans:bean>
             </beans:property>
         </beans:bean>

         <beans:bean id="oauth2AuthorizationServerAccessDeniedHandler"
                     class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

         <oauth2:authorization-server
                      token-services-ref="oauth2AuthorizationServerTokenServices"
                      client-details-service-ref="clientDetailsService"
                      user-approval-handler-ref="oauth2AuthorizationServerUserApprovalHandler"
                      user-approval-page="oauth/authorize"
                      error-page="oauth/error" >
             <oauth2:authorization-code />
             <!--<oauth2:implicit />-->
             <oauth2:refresh-token />
             <!--<oauth2:client-credentials />-->
             <oauth2:password />
         </oauth2:authorization-server>

         <http pattern="/oauth/token" use-expressions="true" create-session="stateless"
               authentication-manager-ref="oauth2AuthorizationServerAuthenticationManager"
               entry-point-ref="oauth2AuthorizationServerAuthenticationEntryPoint">
             <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
             <http-basic />
             <access-denied-handler ref="oauth2AuthorizationServerAccessDeniedHandler"/>
             <csrf disabled="true"/>
         </http>
     </beans:beans>

     <beans:beans profile="rest-security-oauth,oauth-resource-server">
         <beans:bean id="oauth2ResourceServerJwtAccessTokenConverter" class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" >
             <beans:property name="verifierKey" ref="jwtVerifierKey"/>
         </beans:bean>

         <beans:bean id="oauth2ResourceServerTokenStore" class="org.springframework.security.oauth2.provider.token.store.JwtTokenStore" >
             <beans:constructor-arg ref="oauth2ResourceServerJwtAccessTokenConverter"/>
         </beans:bean>

         <beans:bean id="oauth2ResourceServerTokenServices"
                     class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
             <beans:property name="tokenStore" ref="oauth2ResourceServerTokenStore" />
             <beans:property name="clientDetailsService" ref="clientDetailsService" />
             <beans:property name="tokenEnhancer" ref="oauth2ResourceServerJwtAccessTokenConverter" />
             <beans:property name="supportRefreshToken" value="true" />
         </beans:bean>

         <beans:bean id="oauth2ResourceServerAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
             <beans:constructor-arg>
                 <beans:list>
                     <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
                     <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                 </beans:list>
             </beans:constructor-arg>
         </beans:bean>

         <beans:bean id="oauth2ResourceServerAuthenticationEntryPoint"
                     class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

         <beans:bean id="oauth2ResourceServerAccessDeniedHandler"
                     class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

         <oauth2:resource-server id="oauth2ResourceServerFilter" resource-id="${oauth.resourceId}" token-services-ref="oauth2ResourceServerTokenServices" />

         <http pattern="${rest.rooturl}/**" use-expressions="false" create-session="stateless"
               entry-point-ref="oauth2ResourceServerAuthenticationEntryPoint"
               access-decision-manager-ref="oauth2ResourceServerAccessDecisionManager">

             <intercept-url pattern="${rest.rooturl}/security/**" access="SCOPE_SECURITY"/>
             <intercept-url pattern="${rest.rooturl}/demo/**" access="IS_AUTHENTICATED_FULLY"/>
             <intercept-url pattern="${rest.rooturl}/**" access="DENY_OAUTH"/>

             <custom-filter ref="oauth2ResourceServerFilter" before="PRE_AUTH_FILTER"/>
             <access-denied-handler ref="oauth2ResourceServerAccessDeniedHandler"/>
             <csrf disabled="true"/>
         </http>
     </beans:beans>

     <beans:beans profile="rest-security-basic">
         <http pattern="${rest.rooturl}/**" use-expressions="true" create-session="stateless">
             <intercept-url pattern="${rest.rooturl}/**" access="isFullyAuthenticated()"/>
             <http-basic />
             <csrf disabled="true"/>
         </http>
     </beans:beans>

     <beans:beans profile="rest-security-none">
         <http security="none" pattern="${rest.rooturl}/**" />
     </beans:beans>

     <beans:beans profile="web-security-none">
         <http security="none" pattern="/**" />
     </beans:beans>

     <beans:beans profile="web-security-local,web-security-ldap">
         <http use-expressions="true">

             <intercept-url pattern="/login" access="permitAll" />
             <intercept-url pattern="/login/**" access="permitAll" />
             <intercept-url pattern="/logout" access="permitAll" />
             <intercept-url pattern="/oauth/**" access="isFullyAuthenticated()" />
             <intercept-url pattern="/**" access="isFullyAuthenticated()" />
             <form-login login-page="/login" login-processing-url="/login"
                 authentication-failure-url="/login?error"
                 default-target-url="/" username-parameter="username"
                 password-parameter="password" />
             <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                 invalidate-session="true" delete-cookies="JSESSIONID" />

             <session-management invalid-session-url="/login"
                 session-fixation-protection="migrateSession">
                 <concurrency-control max-sessions="1"
                     error-if-maximum-exceeded="false"
                     session-registry-ref="sessionRegistry" />
             </session-management>

             <csrf disabled="true" />

         </http>
     </beans:beans>

     <beans:beans profile="web-security-local">
         <authentication-manager>
             <authentication-provider user-service-ref="userDetailsService">
                 <password-encoder ref="passwordEncoder" />
             </authentication-provider>
         </authentication-manager>
     </beans:beans>

     <beans:beans profile="web-security-ldap">
         <authentication-manager>
             <authentication-provider ref="ldapAuthenticationProvider" />
         </authentication-manager>

         <beans:bean id="ldapAuthenticationProvider"
             class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
             <beans:constructor-arg index="0"
                 ref="ldapAuthenticator" />
             <beans:constructor-arg index="1"
                 ref="ldapAuthoritiesPopulator" />
         </beans:bean>

         <beans:bean id="ldapAuthenticator"
             class="org.springframework.security.ldap.authentication.BindAuthenticator">
             <beans:constructor-arg ref="ldapContextSource" />
             <beans:property name="userSearch" ref="ldapUserSearch" />
         </beans:bean>

         <beans:bean id="ldapUserSearch"
             class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
             <beans:constructor-arg index="0"
                 value="${ldap.searchBase}" />
             <beans:constructor-arg index="1"
                 value="${ldap.searchFilter}" />
             <beans:constructor-arg index="2"
                 ref="ldapContextSource" />
         </beans:bean>

         <beans:bean id="ldapContextSource"
             class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
             <beans:constructor-arg value="${ldap.url}" />
             <beans:property name="userDn" value="${ldap.userDN}" />
             <beans:property name="password" value="${ldap.password}" />
         </beans:bean>

         <beans:bean id="ldapAuthoritiesPopulator"
             class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
             <beans:constructor-arg ref="userDetailsService" />
         </beans:bean>
     </beans:beans>

     <beans:beans profile="web-security-cas">
         <http use-expressions="true" auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
             <intercept-url pattern="${cas.localSystemLoginUrl}" access="permitAll" />
             <intercept-url pattern="/logout" access="permitAll" />
             <intercept-url pattern="/**" access="isFullyAuthenticated()" />
             <custom-filter position="CAS_FILTER" ref="casFilter"/>
             <custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
             <custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
             <logout logout-url="/logout" logout-success-url="/login?loggedOut"
                 invalidate-session="true" delete-cookies="JSESSIONID" />

             <session-management invalid-session-url="/login"
                 session-fixation-protection="migrateSession">
                 <concurrency-control max-sessions="1"
                     error-if-maximum-exceeded="false" />
             </session-management>

             <csrf disabled="true" />

         </http>

         <authentication-manager alias="authenticationManager">
             <authentication-provider ref="casAuthenticationProvider" />
         </authentication-manager>

         <beans:bean id="serviceProperties"
             class="org.springframework.security.cas.ServiceProperties">
             <beans:property name="service"
                 value="${cas.localSystemUrl}${cas.localSystemLoginUrl}" />
             <beans:property name="sendRenew" value="false" />
         </beans:bean>

         <beans:bean id="casEntryPoint"
             class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
             <beans:property name="loginUrl" value="${cas.loginUrl}" />
             <beans:property name="serviceProperties" ref="serviceProperties" />
         </beans:bean>

         <beans:bean id="casAuthenticationProvider"
             class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
             <beans:property name="userDetailsService" ref="userDetailsService" />
             <beans:property name="serviceProperties" ref="serviceProperties" />
             <beans:property name="ticketValidator">
                 <beans:bean
                     class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                     <beans:constructor-arg index="0"
                         value="${cas.url}" />
                 </beans:bean>
             </beans:property>
             <beans:property name="key"
                 value="an_id_for_this_auth_provider_only" />
         </beans:bean>

         <beans:bean id="casFilter"
             class="org.springframework.security.cas.web.CasAuthenticationFilter">
             <beans:property name="authenticationManager" ref="authenticationManager" />
             <beans:property name="filterProcessesUrl" value="${cas.localSystemLoginUrl}" />
         </beans:bean>

         <beans:bean id="singleLogoutFilter"
             class="org.jasig.cas.client.session.SingleSignOutFilter" />

         <beans:bean id="requestSingleLogoutFilter"
             class="org.springframework.security.web.authentication.logout.LogoutFilter">
             <beans:constructor-arg value="${cas.logoutUrl}" />
             <beans:constructor-arg>
                 <beans:bean
                     class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
             </beans:constructor-arg>
             <beans:property name="filterProcessesUrl" value="/logout" />
         </beans:bean>
     </beans:beans>

 </beans:beans>

随附配置文件内容

 #WEB_CONFIG
 ##Set WEB authenticate type: none || local || ldap || cas
 web.authenticationType=local

 #REST_CONFIG
 ##Set REST request root url, please DO NOT end with '/' or '*', just like '/webservice/rest' for 'http://example.com/webservice/rest/*'
 rest.rooturl=/rs
 ##Set REST authenticate type: none || oauth || basic
 rest.authenticationType=oauth

 #OAUTH_CONFIG
 oauth.resourceId=DEMO
 oauth.jwtVerifierKeyFile=jwtPubKey.pem
 oauth.jwtSigningKeyFile=jwtPrivKey.pem

 #CAS_CONFIG
 cas.localSystemUrl=http://www.example.com
 cas.localSystemLoginUrl=/j_spring_security_cas_check
 cas.url=http://cas.server.com/cas
 cas.loginUrl=http://cas.server.com/cas/login
 cas.logoutUrl=http://cas.server.com/cas/logout?service=http://www.example.com/loggedOutPage

 #LDAP_CONFIG
 ldap.url=ldap://ldap.server.com:389/
 ldap.userDN=CN=XXX,OU=XXX,DC=server,DC=com
 ldap.password=XXX
 ldap.searchBase=OU=XXX,,DC=server,DC=com
 ldap.searchFilter=(sAMAccountName={0})

[更新]一份包含: 采用RSA JWT(Json Web Token, RSA加密)的OAUTH2.0,HTTP BASIC,本地数据库验证,Windows域验证,单点登录的Spring Security配置文件的更多相关文章

  1. Java JWT: JSON Web Token

    Java JWT: JSON Web Token for Java and Android JJWT aims to be the easiest to use and understand libr ...

  2. 深入浅出JWT(JSON Web Token )

    1. JWT 介绍 JSON Web Token(JWT)是一个开放式标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全传输信息. 这些信息可以通过数字签名进行 ...

  3. 如何在SpringBoot中集成JWT(JSON Web Token)鉴权

    这篇博客主要是简单介绍了一下什么是JWT,以及如何在Spring Boot项目中使用JWT(JSON Web Token). 1.关于JWT 1.1 什么是JWT 老生常谈的开头,我们要用这样一种工具 ...

  4. ( 转 ) 什么是 JWT -- JSON WEB TOKEN

    什么是JWT Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点 ...

  5. 什么是JWT(Json Web Token)

    什么是 JWT (Json Web Token) 用户认证是计算机安全领域一个永恒的热点话题. JWT 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519). 该to ...

  6. JWT(JSON Web Token) 【转载】

    JWT(JSON Web Token) 什么叫JWTJSON Web Token(JWT)是目前最流行的跨域身份验证解决方案. 一般来说,互联网用户认证是这样子的. 1.用户向服务器发送用户名和密码. ...

  7. 关于JWT(Json Web Token)的思考及使用心得

    什么是JWT? JWT(Json Web Token)是一个开放的数据交换验证标准rfc7519(php 后端实现JWT认证方法一般用来做轻量级的API鉴权.由于许多API接口设计是遵循无状态的(比如 ...

  8. API安全验证之JWT(JSON WEB TOKEN) OLCMS

    假如www.olcms.com/getUserInfo获取用户信息,你怎么知道当前用户是谁?有人说登陆时候我把他UID写入session了,如果是API接口,没有session怎么办,那么就需要把UI ...

  9. 有关JWT(Json Web Token)的那些事

    用户认证是计算机安全领域一个永恒的热点话题,然而你会发现,开发者很少讨论有关Json Web Token的话题,其实使用Json Web Token集成到API身份验证机制中是容易,本文给大家普及基础 ...

随机推荐

  1. zepto和jquery的区别,zepto的不同使用8条小结

    说到诡异事件发生的原因,自然是想到两者之间的差异性. 首先是效果: jquery中有fadeIn和fadeOut两个效果,用来实现渐隐渐显的效果,这个在PC端自然是常用的效果.然后我们前端组的组员Mr ...

  2. Spring IoC源码解决——工具篇Eclipse

    题外话 对于Spring框架,平时都是点到为止,停留在会用的程度.一直以来都想深入学习下,刚好最近看到<Spring源码深度解析>,所以想随着书本深入学习一下. 如果用Maven 如果使用 ...

  3. mvc 开发razor模式注意事项

    1 情景为:mvc模式开发的.cshtml画面,里面有@if语句,if语句里面还有其他的代码,画面总是报错:if模块中没有对应的"}",什么问题 跟踪了之后,判定cs语句没问题,那 ...

  4. JavaScript中的类型转换(一)

    前言 JavaScript是一种非常灵活的弱类型的语言,它的灵活性的一方面体现在其繁杂多样的类型转换.比如当JavaScript期望使用一个布尔值的时候(比如if语句中)你可以提供任一类型的值,Jav ...

  5. idea生成JAVADOC 报java.lang.IllegalArgumentException解决方案[终极]

    idea生成javadoc文档,总是会报  java.lang.IllegalArgumentException     at sun.net.www.ParseUtil.decode(ParseUt ...

  6. 如何使得VIM显示行号

    如何使得VIM显示行号: :set number

  7. MVC中使用jquery的浏览器缓存问题

    jquery在浏览器ajax调用的时候,对缓存提供了很好的支持,POST方式不能被缓存,使用POST的原因,明确了数据不能被缓存,或者避免JSON攻击(JSON返回数据的时候可以被入侵) jquery ...

  8. 关于PHP单双引号解析变量的问题

    双引号可以解析变量,单引号不行 $qweqwe = 123; echo "$qweqwe"; 输出123 echo '$qweqqwe'; 输出$qweqwe

  9. Jeff Atwood:Google的头号UI问题

    谷歌在用户界面上追求的"极简主义"是让人叹为观止的.但是,他们首页上有个问题一直让我困惑不解.要知道,这个页面可是每天都被下载几百万次哦: 真有人在使用"I'm Feel ...

  10. 知识小罐头05(tomcat8请求源码分析 上)

    这一篇我们不看源码,就大概理一下Tomcat内部组成部分!前面花费了两篇博客的篇幅来说说了一般的maven web项目并部署到tomcat运行,其实都是为这篇做铺垫的! 其实我下载了tomcat7,t ...