How to provide custom security configuration for oauth2 with spring-boot 1.3.0.RC1

问题

With spring-cloud Angel.SR3 release I followed example in https://github.com/spring-cloud-samples/sso and things work fine with spring-boot 1.2.6.RELEASE.

However with spring-boot 1.3.0.RC1, the oauth2 stuff has moved into spring-boot itself, and the code below fails to compile because class OAuth2SsoConfigurerAdapter no longer exists.

What is the spring-boot only way to create equivalent configuration?

public static void main(String[] args) {
    SpringApplication.run(MainAppApplication.class, args);
}

...

@Component
public static class LoginConfigurer extends OAuth2SsoConfigurerAdapter  {

    @Override
    public void match(RequestMatchers matchers) {
        matchers.antMatchers("/dashboard/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/dashboard/**").authorizeRequests().anyRequest()
        .authenticated().and().csrf()
        .csrfTokenRepository(csrfTokenRepository()).and()
        .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
    ...
        };
    }

    ...

}

回答1:

You just have to use org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter and carefully use this annotation org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso

I've written carefully because its behaviour depends on where you add it. As stated in the javadoc:

Enable OAuth2 Single Sign On (SSO). If there is an existing WebSecurityConfigurerAdapter provided by the user and annotated with @EnableOAuth2Sso, it is enhanced by adding an authentication filter and an authentication entry point. If the user only has @EnableOAuth2Sso but not on a WebSecurityConfigurerAdapter then one is added with all paths secured and with an order that puts it ahead of the default HTTP Basic security chain in Spring Boot.

Hope that helps!

回答2:

Turns out not special adapter needed, just the regular WebSecurityConfigurerAdapter does the trick. You cannot tell the code from below if oauth2 SSO is involved, more transparent, sort to speak.

@Configuration 
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private SecurityProperties security;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
        .authorizeRequests()
            .antMatchers("/", "/ssologout").permitAll()
            .anyRequest().fullyAuthenticated()
        .and()
            .formLogin()
                .loginPage("/login").failureUrl("/login?error")
            .permitAll()
        .and()
            .logout().permitAll();
        // @formatter:on
    }

}

来源：https://stackoverflow.com/questions/33352661/how-to-provide-custom-security-configuration-for-oauth2-with-spring-boot-1-3-0-r

标签

java

Spring

spring-security

spring-boot

spring-cloud