1   /*
2    * Copyright 2002-2013 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.springframework.security.oauth2.config.annotation.web.configuration;
17  
18  import org.springframework.beans.factory.annotation.Autowired;
19  import org.springframework.context.annotation.Configuration;
20  import org.springframework.context.annotation.Import;
21  import org.springframework.core.annotation.Order;
22  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
23  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
24  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
25  import org.springframework.security.config.http.SessionCreationPolicy;
26  import org.springframework.security.core.userdetails.UserDetailsService;
27  import org.springframework.security.oauth2.config.annotation.configuration.ClientDetailsServiceConfiguration;
28  import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
29  import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
30  import org.springframework.security.oauth2.provider.ClientDetailsService;
31  import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpointHandlerMapping;
32  
33  import java.util.Collections;
34  import java.util.List;
35  
/**
 * Web security configuration for the OAuth2 authorization server's token endpoints.
 * <p>
 * The filter chain built here is limited, through {@code requestMatchers()}, to the servlet paths
 * resolved for {@code /oauth/token}, {@code /oauth/token_key} and {@code /oauth/check_token}.
 * Customisation is delegated to every {@link AuthorizationServerConfigurer} injected into this class.
 *
 * @author Rob Winch
 * @author Dave Syer
 */
@Configuration
@Order(0)
@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })
public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

	// Injected AuthorizationServerConfigurer callbacks; initialised to an empty list before injection.
	@Autowired
	private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

	// Source of registered OAuth2 clients; published to HttpSecurity as a shared object below.
	@Autowired
	private ClientDetailsService clientDetailsService;

	// Supplies the endpoint handler mapping and the endpoints configurer used in configure(HttpSecurity).
	@Autowired
	private AuthorizationServerEndpointsConfiguration endpoints;

	/**
	 * Hands the client-details configurer to each injected {@link AuthorizationServerConfigurer}.
	 * Being an {@code @Autowired} method, it is invoked with the {@code clientDetails} argument
	 * supplied by the container.
	 *
	 * @param clientDetails configurer that the callbacks populate with client registrations
	 * @throws Exception if any callback fails
	 */
	@Autowired
	public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {
		for (AuthorizationServerConfigurer delegate : configurers) {
			delegate.configure(clientDetails);
		}
	}

	/**
	 * Intentionally empty override.
	 *
	 * @param auth builder for the local AuthenticationManager; left untouched here
	 * @throws Exception declared by the overridden method; nothing is thrown from this body
	 */
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		// The override exists so that this.disableLocalConfigureAuthenticationBldr remains false.
		// As a result, when this configurer builds its AuthenticationManager it does not look for a
		// 'Global' AuthenticationManager in the ApplicationContext and does not adopt one as the
		// parent of this 'Local' AuthenticationManager.
		// Security intent: the local AuthenticationManager is meant to hold only an
		// AuthenticationProvider backed by the ClientDetailsService wired in this configuration,
		// so that it authenticates 'clients' only.
	}

	/**
	 * Builds the security rules for the token, token-key and check-token endpoints.
	 *
	 * @param http the HttpSecurity being configured for this filter chain
	 * @throws Exception if a callback or the HttpSecurity builder fails
	 */
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		AuthorizationServerSecurityConfigurer serverSecurity = new AuthorizationServerSecurityConfigurer();
		FrameworkEndpointHandlerMapping mapping = endpoints.oauth2EndpointHandlerMapping();
		http.setSharedObject(FrameworkEndpointHandlerMapping.class, mapping);

		// Let the AuthorizationServerConfigurer callbacks adjust the configurer before it is applied.
		configure(serverSecurity);
		http.apply(serverSecurity);

		// Paths are resolved through the handler mapping rather than used literally.
		String tokenPath = mapping.getServletPath("/oauth/token");
		String keyPath = mapping.getServletPath("/oauth/token_key");
		String checkPath = mapping.getServletPath("/oauth/check_token");

		if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
			// NOTE(review): getSharedObject returns null when no UserDetailsService was shared and
			// the value is passed on without a check; confirm the endpoints configurer accepts null.
			UserDetailsService sharedUserDetails = http.getSharedObject(UserDetailsService.class);
			endpoints.getEndpointsConfigurer().userDetailsService(sharedUserDetails);
		}

		// @formatter:off
		// The token endpoint demands full authentication. The token-key and check-token rules are
		// whatever expressions the configurer returns, so their exposure is decided by the
		// AuthorizationServerConfigurer callbacks (or the configurer's defaults, not shown here).
		http.authorizeRequests()
			.antMatchers(tokenPath).fullyAuthenticated()
			.antMatchers(keyPath).access(serverSecurity.getTokenKeyAccess())
			.antMatchers(checkPath).access(serverSecurity.getCheckTokenAccess());
		// Restrict this filter chain to the three endpoint paths.
		http.requestMatchers()
			.antMatchers(tokenPath, keyPath, checkPath);
		// NEVER: Spring Security creates no HttpSession itself but still uses one that already exists.
		http.sessionManagement()
			.sessionCreationPolicy(SessionCreationPolicy.NEVER);
		// @formatter:on

		http.setSharedObject(ClientDetailsService.class, clientDetailsService);
	}

	/**
	 * Hands the security configurer to each injected {@link AuthorizationServerConfigurer}.
	 *
	 * @param oauthServer configurer for the authorization server's endpoint security
	 * @throws Exception if any callback fails
	 */
	protected void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
		for (AuthorizationServerConfigurer delegate : configurers) {
			delegate.configure(oauthServer);
		}
	}

}