
1   /*
2    * Copyright 2002-2013 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.springframework.security.oauth.examples.sparklr.config;
17  
18  import org.springframework.beans.factory.annotation.Autowired;
19  import org.springframework.beans.factory.annotation.Qualifier;
20  import org.springframework.beans.factory.annotation.Value;
21  import org.springframework.context.annotation.Bean;
22  import org.springframework.context.annotation.Configuration;
23  import org.springframework.context.annotation.Lazy;
24  import org.springframework.context.annotation.Scope;
25  import org.springframework.context.annotation.ScopedProxyMode;
26  import org.springframework.core.annotation.Order;
27  import org.springframework.http.HttpMethod;
28  import org.springframework.security.authentication.AuthenticationManager;
29  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
30  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
31  import org.springframework.security.oauth.examples.sparklr.oauth.SparklrUserApprovalHandler;
32  import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
33  import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
34  import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
35  import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
36  import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
37  import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
38  import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
39  import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
40  import org.springframework.security.oauth2.provider.ClientDetailsService;
41  import org.springframework.security.oauth2.provider.approval.ApprovalStore;
42  import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
43  import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
44  import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
45  import org.springframework.security.oauth2.provider.token.TokenStore;
46  import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
47  
/**
 * Spring Security / Spring Security OAuth2 configuration for the "sparklr" sample
 * provider. It declares three nested configurations, each contributing one
 * filter chain or server:
 * <ul>
 * <li>{@link UiResourceConfiguration} - chain for the browser UI paths
 * {@code /photos/**} and {@code /me}, requiring {@code ROLE_USER};</li>
 * <li>{@link ResourceServerConfiguration} - the OAuth2 resource server protecting
 * the same paths plus the {@code /oauth/users/**} and {@code /oauth/clients/**}
 * management endpoints with scope and client-role checks;</li>
 * <li>{@link AuthorizationServerConfiguration} - the OAuth2 authorization server
 * with an in-memory client registry and an in-memory token store.</li>
 * </ul>
 * The {@link Stuff} member class supplies the {@link ApprovalStore} and the
 * {@link SparklrUserApprovalHandler} beans the authorization server autowires.
 * <p>
 * All client secrets in this file are hard-coded sample values. A real deployment
 * would externalize them the way the tonr redirect URI is externalized via
 * {@code @Value} below, and would replace {@link InMemoryTokenStore} with a
 * persistent store.
 *
 * @author Rob Winch
 */
@Configuration
public class OAuth2ServerConfig {

	/**
	 * Resource id of this server. The resource server registers it in
	 * {@code configure(ResourceServerSecurityConfigurer)} and the clients that
	 * may call this server list the same id via {@code resourceIds(...)}.
	 */
	private static final String SPARKLR_RESOURCE_ID = "sparklr";

	/**
	 * Filter chain for the UI-facing paths {@code /photos/**} and {@code /me}:
	 * every matched request must carry {@code ROLE_USER}.
	 * <p>
	 * No authentication mechanism (form login, basic auth) is configured in this
	 * class; presumably another configuration outside this file provides it -
	 * confirm.
	 * <p>
	 * NOTE(review): {@link ResourceServerConfiguration} declares the same request
	 * matchers for {@code /photos/**} and {@code /me}. Which chain handles a given
	 * request is decided by filter-chain order; this chain is {@code @Order(10)},
	 * the resource server chain's order is not visible here.
	 */
	@Configuration
	@Order(10)
	protected static class UiResourceConfiguration extends WebSecurityConfigurerAdapter {
		@Override
		protected void configure(HttpSecurity http) throws Exception {
			// @formatter:off
			http
				// This chain only applies to the two UI path patterns below.
				.requestMatchers().antMatchers("/photos/**","/me")
			.and()
				.authorizeRequests()
				// Every rule grants the same role; the more specific /photos entries
				// are listed before the /photos/** catch-all because the first
				// matching rule wins.
				.antMatchers("/me").access("hasRole('ROLE_USER')")
				.antMatchers("/photos").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/trusted/**").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/user/**").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/**").access("hasRole('ROLE_USER')");
			// @formatter:on
		}
	}

	/**
	 * OAuth2 resource server protecting the photo API and the token/client
	 * management endpoints. The access rules are SpEL expressions evaluated
	 * against the OAuth2 authentication ({@code #oauth2.hasScope},
	 * {@code #oauth2.clientHasRole}, {@code #oauth2.isClient}).
	 */
	@Configuration
	@EnableResourceServer
	protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

		/**
		 * Registers this server under {@link #SPARKLR_RESOURCE_ID}; the clients in
		 * {@link AuthorizationServerConfiguration} reference the same id.
		 *
		 * @param resources the resource server security configurer
		 */
		@Override
		public void configure(ResourceServerSecurityConfigurer resources) {
			resources.resourceId(SPARKLR_RESOURCE_ID);
		}

		/**
		 * Declares the paths this resource server owns and the per-path access
		 * expressions. Rules are listed most-specific first; the first matching
		 * rule decides.
		 *
		 * @param http the security builder for this filter chain
		 * @throws Exception propagated from the builder
		 */
		@Override
		public void configure(HttpSecurity http) throws Exception {
			// @formatter:off
			http
				.requestMatchers().antMatchers("/photos/**", "/oauth/users/**", "/oauth/clients/**","/me")
			.and()
				.authorizeRequests()
					// /me needs the 'read' scope only; unlike /photos there is no
					// ROLE_USER fallback here.
					.antMatchers("/me").access("#oauth2.hasScope('read')")
					// Photo listing and the generic /photos/** tree: 'read' scope or a
					// session user with ROLE_USER.
					.antMatchers("/photos").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
					// The trusted and per-user sub-trees require the stronger 'trust'
					// scope and have no role-based fallback.
					.antMatchers("/photos/trusted/**").access("#oauth2.hasScope('trust')")
					.antMatchers("/photos/user/**").access("#oauth2.hasScope('trust')")
					.antMatchers("/photos/**").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
					// Token revocation: the calling client must hold ROLE_CLIENT, the
					// principal must be a user or the client itself, and the token must
					// carry the 'write' scope.
					.regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*")
						.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')")
					// Listing the users of a client: same principal rule, 'read' scope.
					.regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*")
						.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')")
					// Client details: only a client principal (no user token) with 'read'.
					.regexMatchers(HttpMethod.GET, "/oauth/clients/.*")
						.access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')");
			// @formatter:on
		}

	}

	/**
	 * OAuth2 authorization server: an in-memory client registry (see
	 * {@link #configure(ClientDetailsServiceConfigurer)}), the
	 * {@link InMemoryTokenStore} from {@link #tokenStore()}, the approval handler
	 * supplied by {@link Stuff}, and the {@link AuthenticationManager} bean named
	 * {@code authenticationManagerBean}, which is defined outside this file.
	 */
	@Configuration
	@EnableAuthorizationServer
	protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

		// The InMemoryTokenStore declared by tokenStore() below.
		@Autowired
		private TokenStore tokenStore;

		// The scoped-proxy SparklrUserApprovalHandler declared in Stuff.
		@Autowired
		private UserApprovalHandler userApprovalHandler;

		// Selected by qualifier; the bean itself is declared outside this file.
		@Autowired
		@Qualifier("authenticationManagerBean")
		private AuthenticationManager authenticationManager;

		// Redirect URI pinned for the "tonr-with-redirect" client; taken from the
		// tonr.redirect property with a localhost default for the sample.
		@Value("${tonr.redirect:http://localhost:8080/tonr2/sparklr/redirect}")
		private String tonrRedirectUri;

		/**
		 * Registers the sample clients in an in-memory client details service.
		 * Secrets are literal sample values; clients without a {@code secret(...)}
		 * call are public clients.
		 *
		 * @param clients the client registry builder
		 * @throws Exception propagated from the builder
		 */
		@Override
		public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

			// @formatter:off
			clients.inMemory().withClient("tonr")
						// Confidential client; no redirect URI is pinned here.
						.resourceIds(SPARKLR_RESOURCE_ID)
						.authorizedGrantTypes("authorization_code", "implicit")
						.authorities("ROLE_CLIENT")
						.scopes("read", "write")
						.secret("secret") // sample secret, hard-coded
					.and()
					.withClient("tonr-with-redirect")
						// Same as "tonr" but with the redirect URI pinned to tonrRedirectUri.
						.resourceIds(SPARKLR_RESOURCE_ID)
						.authorizedGrantTypes("authorization_code", "implicit")
						.authorities("ROLE_CLIENT")
						.scopes("read", "write")
						.secret("secret") // sample secret, hard-coded
						.redirectUris(tonrRedirectUri)
					.and()
					.withClient("my-client-with-registered-redirect")
						// NOTE(review): allowed the client_credentials grant but has no
						// secret, so presenting the client id alone is enough to obtain a
						// token for it. Confirm this is intended for the sample only.
						.resourceIds(SPARKLR_RESOURCE_ID)
						.authorizedGrantTypes("authorization_code", "client_credentials")
						.authorities("ROLE_CLIENT")
						.scopes("read", "trust")
						.redirectUris("http://anywhere?key=value")
					.and()
					.withClient("my-trusted-client")
						// Public client (no secret) with the password grant and the extra
						// ROLE_TRUSTED_CLIENT authority; tokens are limited to 60 seconds.
						.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
						.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
						.scopes("read", "write", "trust")
						.accessTokenValiditySeconds(60)
					.and()
					.withClient("my-trusted-client-with-secret")
						// Confidential variant of the trusted client, default token validity.
						.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
						.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
						.scopes("read", "write", "trust")
						.secret("somesecret") // sample secret, hard-coded
					.and()
					.withClient("my-less-trusted-client")
						// Public client, browser-style grants only.
						.authorizedGrantTypes("authorization_code", "implicit")
						.authorities("ROLE_CLIENT")
						.scopes("read", "write", "trust")
					.and()
					.withClient("my-less-trusted-autoapprove-client")
						// Implicit grant only; autoApprove(true) skips the user approval step.
						.authorizedGrantTypes("implicit")
						.authorities("ROLE_CLIENT")
						.scopes("read", "write", "trust")
						.autoApprove(true);
			// @formatter:on
		}

		/**
		 * Non-persistent, single-JVM token store for the sample; issued tokens are
		 * lost when the application restarts.
		 *
		 * @return a fresh {@link InMemoryTokenStore}
		 */
		@Bean
		public TokenStore tokenStore() {
			return new InMemoryTokenStore();
		}

		/**
		 * Wires the token store, the approval handler and the authentication
		 * manager into the authorization endpoints.
		 *
		 * @param endpoints the endpoints configurer
		 * @throws Exception propagated from the configurer
		 */
		@Override
		public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
			endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
					.authenticationManager(authenticationManager);
		}

		/**
		 * Sets the realm name reported on the authorization server's
		 * authentication challenges.
		 *
		 * @param oauthServer the authorization server security configurer
		 * @throws Exception propagated from the configurer
		 */
		@Override
		public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
			oauthServer.realm("sparklr2/client");
		}

	}

	/**
	 * Holder for the approval-related beans used by
	 * {@link AuthorizationServerConfiguration}.
	 * <p>
	 * NOTE(review): this class carries no {@code @Configuration}. If Spring treats
	 * it as a plain holder of {@code @Bean} methods, the {@code approvalStore()}
	 * call inside {@link #userApprovalHandler()} is an ordinary method call and
	 * yields a second {@link TokenApprovalStore} rather than the
	 * {@code approvalStore} bean. Both wrap the same {@code tokenStore}, so the
	 * behaviour is equivalent, but annotating the class would make the bean
	 * reference explicit - confirm against the Spring version in use.
	 */
	protected static class Stuff {

		// Client registry produced by the authorization server configuration.
		@Autowired
		private ClientDetailsService clientDetailsService;

		// The InMemoryTokenStore declared in AuthorizationServerConfiguration.
		@Autowired
		private TokenStore tokenStore;

		/**
		 * Approval store backed by the shared token store, so user approvals are
		 * kept alongside the issued tokens rather than in separate storage.
		 *
		 * @return the configured {@link TokenApprovalStore}
		 * @throws Exception never thrown by this implementation; kept for the bean signature
		 */
		@Bean
		public ApprovalStore approvalStore() throws Exception {
			TokenApprovalStore store = new TokenApprovalStore();
			store.setTokenStore(tokenStore);
			return store;
		}

		/**
		 * The user approval handler consulted by the authorization endpoint.
		 * <p>
		 * Declared {@code @Lazy} behind a class-based scoped proxy - presumably to
		 * break the cycle between {@link AuthorizationServerConfiguration}, which
		 * autowires this handler, and this class, which autowires the
		 * {@link ClientDetailsService} that the authorization server registers.
		 * Confirm before removing either annotation.
		 *
		 * @return the configured {@link SparklrUserApprovalHandler}
		 * @throws Exception never thrown by this implementation; kept for the bean signature
		 */
		@Bean
		@Lazy
		@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
		public SparklrUserApprovalHandler userApprovalHandler() throws Exception {
			SparklrUserApprovalHandler handler = new SparklrUserApprovalHandler();
			handler.setApprovalStore(approvalStore());
			handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
			handler.setClientDetailsService(clientDetailsService);
			// Remembered approvals in the store are honoured instead of prompting again.
			handler.setUseApprovalStore(true);
			return handler;
		}
	}

}