16 package org.springframework.security.oauth2.config.annotation.web.configuration;
17
18 import org.springframework.beans.factory.annotation.Autowired;
19 import org.springframework.context.annotation.Configuration;
20 import org.springframework.context.annotation.Import;
21 import org.springframework.core.annotation.Order;
22 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
23 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
24 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
25 import org.springframework.security.config.http.SessionCreationPolicy;
26 import org.springframework.security.core.userdetails.UserDetailsService;
27 import org.springframework.security.oauth2.config.annotation.configuration.ClientDetailsServiceConfiguration;
28 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
29 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
30 import org.springframework.security.oauth2.provider.ClientDetailsService;
31 import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpointHandlerMapping;
32
33 import java.util.Collections;
34 import java.util.List;
35
/**
 * Web-security configuration for the authorization server's token-related endpoints.
 *
 * <p>The filter chain built here is restricted (via {@code requestMatchers()}) to the servlet
 * paths resolved for {@code /oauth/token}, {@code /oauth/token_key} and
 * {@code /oauth/check_token}. Any other path is outside this chain and needs its own security
 * configuration.
 *
 * <p>The class is ordered at {@code 0}, so it is consulted before security adapters that declare
 * a higher order value.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>the token endpoint requires a fully authenticated caller (anonymous and remember-me
 * authentication are not sufficient);</li>
 * <li>access to the token-key and check-token endpoints is decided by expressions read from
 * {@link AuthorizationServerSecurityConfigurer} after the registered
 * {@link AuthorizationServerConfigurer} beans have customised it. The defaults are defined in
 * that configurer, not here; review what the application sets, because a permissive expression
 * opens those two endpoints to unauthenticated callers;</li>
 * <li>sessions use {@link SessionCreationPolicy#NEVER}: Spring Security will not create an
 * {@code HttpSession} itself but will still use one that already exists, which is not the same
 * as {@code STATELESS}.</li>
 * </ul>
 */
@Configuration
@Order(0)
@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })
public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

	/** Application-supplied customisers; every one of them is applied, in injection order. */
	@Autowired
	private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

	/** Registry of OAuth2 clients, published to the {@link HttpSecurity} as a shared object. */
	@Autowired
	private ClientDetailsService clientDetailsService;

	/** Endpoint configuration that supplies the handler mapping and the endpoints configurer. */
	@Autowired
	private AuthorizationServerEndpointsConfiguration endpoints;

	/**
	 * Hands the client-details configurer to every registered {@link AuthorizationServerConfigurer}.
	 *
	 * @param clientDetails the configurer used to define the client details service
	 * @throws Exception if any delegate fails
	 */
	@Autowired
	public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {
		for (AuthorizationServerConfigurer delegate : configurers) {
			delegate.configure(clientDetails);
		}
	}

	/**
	 * Intentionally left empty.
	 *
	 * <p>Overriding this method (rather than inheriting the default from
	 * {@link WebSecurityConfigurerAdapter}) keeps the adapter on its own local
	 * {@code AuthenticationManagerBuilder} instead of falling back to a globally configured
	 * authentication manager. NOTE(review): the intent appears to be that this chain
	 * authenticates OAuth2 clients only and does not inherit end-user authentication providers;
	 * confirm against {@link AuthorizationServerSecurityConfigurer}, which is not shown here.
	 * Do not add providers or delete this override without re-checking that isolation.
	 *
	 * @param auth the local authentication manager builder, deliberately untouched
	 * @throws Exception never thrown by this implementation
	 */
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		// No-op on purpose; see the method documentation.
	}

	/**
	 * Builds the filter chain that protects the token, token-key and check-token endpoints.
	 *
	 * @param http the security builder for this chain
	 * @throws Exception if a delegate or the security builder fails
	 */
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		AuthorizationServerSecurityConfigurer serverSecurity = new AuthorizationServerSecurityConfigurer();
		FrameworkEndpointHandlerMapping endpointMapping = endpoints.oauth2EndpointHandlerMapping();
		http.setSharedObject(FrameworkEndpointHandlerMapping.class, endpointMapping);

		// Let the application customise the configurer before it is applied and before its
		// access expressions are read further down.
		configure(serverSecurity);
		http.apply(serverSecurity);

		// Resolve the paths through the handler mapping rather than hard-coding them, so the
		// access rules and the request matcher below refer to the same mapped paths.
		String tokenPath = endpointMapping.getServletPath("/oauth/token");
		String keyPath = endpointMapping.getServletPath("/oauth/token_key");
		String checkPath = endpointMapping.getServletPath("/oauth/check_token");

		// Only when the application has not overridden it: hand the endpoints configurer whatever
		// UserDetailsService is registered as a shared object (which may be absent).
		if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
			UserDetailsService sharedUserDetails = http.getSharedObject(UserDetailsService.class);
			endpoints.getEndpointsConfigurer().userDetailsService(sharedUserDetails);
		}

		// Access rules: the token endpoint always needs full authentication; the other two
		// endpoints use whatever expressions the configurer carries at this point.
		http.authorizeRequests()
				.antMatchers(tokenPath).fullyAuthenticated()
				.antMatchers(keyPath).access(serverSecurity.getTokenKeyAccess())
				.antMatchers(checkPath).access(serverSecurity.getCheckTokenAccess());

		// Scope this chain to exactly the three paths above; nothing else is matched by it.
		http.requestMatchers().antMatchers(tokenPath, keyPath, checkPath);

		// NEVER: do not create a session, but an existing one is still honoured.
		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

		http.setSharedObject(ClientDetailsService.class, clientDetailsService);
	}

	/**
	 * Hands the security configurer to every registered {@link AuthorizationServerConfigurer}.
	 *
	 * @param oauthServer the configurer carrying the endpoint access settings
	 * @throws Exception if any delegate fails
	 */
	protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
		for (AuthorizationServerConfigurer delegate : configurers) {
			delegate.configure(oauthServer);
		}
	}

}