16 package org.springframework.security.oauth.examples.sparklr.config;
18 import org.springframework.beans.factory.annotation.Autowired;
19 import org.springframework.beans.factory.annotation.Qualifier;
20 import org.springframework.beans.factory.annotation.Value;
21 import org.springframework.context.annotation.Bean;
22 import org.springframework.context.annotation.Configuration;
23 import org.springframework.context.annotation.Lazy;
24 import org.springframework.context.annotation.Scope;
25 import org.springframework.context.annotation.ScopedProxyMode;
26 import org.springframework.core.annotation.Order;
27 import org.springframework.http.HttpMethod;
28 import org.springframework.security.authentication.AuthenticationManager;
29 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
30 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
31 import org.springframework.security.oauth.examples.sparklr.oauth.SparklrUserApprovalHandler;
32 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
33 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
34 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
35 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
36 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
37 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
38 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
39 import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
40 import org.springframework.security.oauth2.provider.ClientDetailsService;
41 import org.springframework.security.oauth2.provider.approval.ApprovalStore;
42 import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
43 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
44 import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
45 import org.springframework.security.oauth2.provider.token.TokenStore;
46 import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
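/**
 * Security wiring for the sparklr2 sample: a filter chain for the browser UI, a filter chain for
 * OAuth2-protected resources, and the authorization server that issues the tokens they accept.
 *
 * <p>Everything in here is sample configuration. Clients and tokens live in memory (lost on
 * restart, not shared between instances) and the client secrets default to well-known sample
 * values. The secrets are read from properties so a deployment can override them, but the
 * client registrations themselves (public clients, plain-http redirect, password grant without a
 * client secret, auto-approval) are demo choices and are called out individually below.
 */
@Configuration
public class OAuth2ServerConfig {

	/** Resource id an access token must carry for the resource server below to accept it. */
	private static final String SPARKLR_RESOURCE_ID = "sparklr";

	/**
	 * Browser-facing chain for the photo pages and {@code /me}: a session user with
	 * {@code ROLE_USER} is required on every path the chain claims.
	 *
	 * <p>NOTE(review): {@code ResourceServerConfiguration} below claims the same {@code /photos/**}
	 * and {@code /me} paths. The order {@code @EnableResourceServer} gives its chain is not visible
	 * in this file, so which of the two chains actually handles a browser request to those paths
	 * should be confirmed before relying on these rules.
	 */
	@Configuration
	@Order(10)
	protected static class UiResourceConfiguration extends WebSecurityConfigurerAdapter {

		@Override
		protected void configure(HttpSecurity http) throws Exception {
			http
				// This chain only ever sees these paths; anything else falls through to the other chains.
				.requestMatchers().antMatchers("/photos/**", "/me")
				.and()
				.authorizeRequests()
				// Rules are evaluated in declaration order and the first match wins, so the
				// specific paths are listed before the /photos/** catch-all.
				.antMatchers("/me").access("hasRole('ROLE_USER')")
				.antMatchers("/photos").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/trusted/**").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/user/**").access("hasRole('ROLE_USER')")
				.antMatchers("/photos/**").access("hasRole('ROLE_USER')");
		}
	}

	/**
	 * Bearer-token chain for the photo API and the token/client management endpoints. Access is
	 * decided by OAuth2 scope ({@code #oauth2.hasScope}), client authority
	 * ({@code #oauth2.clientHasRole}), whether the caller is a client rather than a user
	 * ({@code #oauth2.isClient}), and — on the photo paths only — a session user with
	 * {@code ROLE_USER} as an alternative to presenting a token.
	 */
	@Configuration
	@EnableResourceServer
	protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

		@Override
		public void configure(ResourceServerSecurityConfigurer resources) {
			// Only tokens issued for this resource id are accepted by this chain.
			resources.resourceId(SPARKLR_RESOURCE_ID);
		}

		@Override
		public void configure(HttpSecurity http) throws Exception {
			http
				.requestMatchers().antMatchers("/photos/**", "/oauth/users/**", "/oauth/clients/**", "/me")
				.and()
				.authorizeRequests()
				// Declaration order matters: the 'trust'-scoped sub-trees must precede the
				// 'read'-scoped /photos/** catch-all or they would never be reached.
				.antMatchers("/me").access("#oauth2.hasScope('read')")
				.antMatchers("/photos").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
				.antMatchers("/photos/trusted/**").access("#oauth2.hasScope('trust')")
				.antMatchers("/photos/user/**").access("#oauth2.hasScope('trust')")
				.antMatchers("/photos/**").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
				// DELETE on a user's token (presumably revocation): a ROLE_CLIENT client acting
				// either for a logged-in user or for itself, with 'write' scope.
				.regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*")
				.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')")
				// Per-client, per-user view: same caller requirements but only 'read' scope.
				.regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*")
				.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')")
				// Everything else under /oauth/clients is reserved for clients acting on their own behalf.
				.regexMatchers(HttpMethod.GET, "/oauth/clients/.*")
				.access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')");
		}

	}

	/**
	 * Authorization server: the client registry, the token store and the token endpoints.
	 */
	@Configuration
	@EnableAuthorizationServer
	protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

		@Autowired
		private TokenStore tokenStore;

		@Autowired
		private UserApprovalHandler userApprovalHandler;

		// Qualified by bean name: the application exposes its AuthenticationManager under this
		// name from a WebSecurityConfigurerAdapter that is not part of this file.
		@Autowired
		@Qualifier("authenticationManagerBean")
		private AuthenticationManager authenticationManager;

		/** Redirect URI registered for "tonr-with-redirect"; overridable with the tonr.redirect property. */
		@Value("${tonr.redirect:http://localhost:8080/tonr2/sparklr/redirect}")
		private String tonrRedirectUri;

		/**
		 * Client secrets. They default to the sample's well-known values so the tonr demo keeps
		 * working unchanged, but are read from properties so a real deployment can supply its own
		 * values instead of shipping credentials that are committed to source control.
		 */
		@Value("${sparklr.client.tonr.secret:secret}")
		private String tonrClientSecret;

		@Value("${sparklr.client.trusted.secret:somesecret}")
		private String trustedClientSecret;

		@Override
		public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
			// In-memory registry: suitable for the sample only.
			clients.inMemory()
				// The main demo client. NOTE(review): no redirect URI is registered, so the
				// redirect_uri supplied on the request is what gets used, subject to whatever
				// redirect resolver is in force (not visible here). Register one before using
				// this pattern outside a demo.
				.withClient("tonr")
					.resourceIds(SPARKLR_RESOURCE_ID)
					.authorizedGrantTypes("authorization_code", "implicit")
					.authorities("ROLE_CLIENT")
					.scopes("read", "write")
					.secret(tonrClientSecret)
				.and()
				// Same client, pinned to a registered redirect URI — the safer variant.
				.withClient("tonr-with-redirect")
					.resourceIds(SPARKLR_RESOURCE_ID)
					.authorizedGrantTypes("authorization_code", "implicit")
					.authorities("ROLE_CLIENT")
					.scopes("read", "write")
					.secret(tonrClientSecret)
					.redirectUris(tonrRedirectUri)
				.and()
				// Public client (no secret) that is nonetheless allowed client_credentials, and a
				// plain-http redirect: presumably anyone can obtain a token as this client. Demo only.
				.withClient("my-client-with-registered-redirect")
					.resourceIds(SPARKLR_RESOURCE_ID)
					.authorizedGrantTypes("authorization_code", "client_credentials")
					.authorities("ROLE_CLIENT")
					.scopes("read", "trust")
					.redirectUris("http://anywhere?key=value")
				.and()
				// Public client with the password grant and ROLE_TRUSTED_CLIENT: a user's password
				// alone yields a 'trust'-scoped token, with no client authentication. Tokens are
				// kept short-lived (60 s) to limit the exposure. Demo only.
				.withClient("my-trusted-client")
					.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
					.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
					.scopes("read", "write", "trust")
					.accessTokenValiditySeconds(60)
				.and()
				// Confidential counterpart of the client above.
				.withClient("my-trusted-client-with-secret")
					.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
					.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
					.scopes("read", "write", "trust")
					.secret(trustedClientSecret)
				.and()
				// Public client; user approval is still required for each scope.
				.withClient("my-less-trusted-client")
					.authorizedGrantTypes("authorization_code", "implicit")
					.authorities("ROLE_CLIENT")
					.scopes("read", "write", "trust")
				.and()
				// Implicit grant with auto-approval and no registered redirect URI: a token is
				// issued without a consent step to whatever redirect_uri the request carries (again
				// subject to the redirect resolver). The riskiest registration here; demo only.
				.withClient("my-less-trusted-autoapprove-client")
					.authorizedGrantTypes("implicit")
					.authorities("ROLE_CLIENT")
					.scopes("read", "write", "trust")
					.autoApprove(true);
		}

		/**
		 * Token store for the sample. Tokens are lost on restart and are not visible to other
		 * instances, so a clustered or restart-tolerant deployment needs a shared store.
		 */
		@Bean
		public TokenStore tokenStore() {
			return new InMemoryTokenStore();
		}

		@Override
		public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
			// The authentication manager is what lets the password grant validate user credentials.
			endpoints.tokenStore(tokenStore)
				.userApprovalHandler(userApprovalHandler)
				.authenticationManager(authenticationManager);
		}

		@Override
		public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
			// Realm name reported to clients when they are challenged for credentials.
			oauthServer.realm("sparklr2/client");
		}

	}

	/**
	 * Approval-store wiring used by the authorization server.
	 *
	 * <p>NOTE(review): this class carries no {@code @Configuration} annotation. Its {@code @Bean}
	 * methods are evidently still registered (it is a member of a {@code @Configuration} class),
	 * but in that mode the {@code approvalStore()} call inside {@code userApprovalHandler()} is
	 * most likely a plain Java call, giving the handler its own {@link TokenApprovalStore} over the
	 * same token store rather than the {@code approvalStore} bean. Harmless as long as both only
	 * delegate to the shared {@code tokenStore}; confirm if they ever need to be one instance.
	 */
	protected static class Stuff {

		@Autowired
		private ClientDetailsService clientDetailsService;

		@Autowired
		private TokenStore tokenStore;

		/** Approvals are derived from the tokens already issued, so they live in the token store. */
		@Bean
		public ApprovalStore approvalStore() throws Exception {
			TokenApprovalStore store = new TokenApprovalStore();
			store.setTokenStore(tokenStore);
			return store;
		}

		/**
		 * User approval handler backed by the approval store above.
		 *
		 * <p>The handler is lazy and exposed through a class-based scoped proxy — presumably to
		 * break a start-up dependency cycle with the authorization-server beans that consume it;
		 * confirm before removing either annotation.
		 */
		@Bean
		@Lazy
		@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
		public SparklrUserApprovalHandler userApprovalHandler() throws Exception {
			SparklrUserApprovalHandler handler = new SparklrUserApprovalHandler();
			handler.setApprovalStore(approvalStore());
			handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
			handler.setClientDetailsService(clientDetailsService);
			// Remember approvals so the user is not asked again for scopes already granted.
			handler.setUseApprovalStore(true);
			return handler;
		}
	}

}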