
Example 1 with OAuth2ClientCredentialsAuthenticationConverter

use of org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter in project eurynome-cloud by herodotus-cloud.

In the class AuthorizationServerConfiguration, method authorizationServerSecurityFilterChain:

/**
 * Builds the highest-precedence filter chain that serves the Spring Authorization Server
 * endpoints (client authentication, authorization, token, token revocation, OIDC userinfo).
 *
 * <p>The token endpoint accepts authorization-code, refresh-token, client-credentials and the
 * project's own resource-owner-password request converters, tried in that order. Every
 * endpoint reports errors through one {@link HerodotusAuthenticationFailureHandler}. The
 * chain itself is protected as a JWT resource server; CSRF is ignored for the
 * authorization-server endpoints, as in the reference Spring Authorization Server setup.
 *
 * <p>The password-grant provider is registered only after {@code build()}. Presumably this is
 * because the default providers are created at build time and an earlier registration would
 * be overridden — confirm against the OAuth2TokenEndpointConfigurer version in use.
 *
 * @param httpSecurity the builder for this chain
 * @param jwtDecoder decoder used to validate bearer tokens presented to the endpoints
 * @param httpCryptoProcessor handed to the password-grant request converter
 * @return the built filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()} and {@code apply()}
 */
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity, JwtDecoder jwtDecoder, HttpCryptoProcessor httpCryptoProcessor) throws Exception {
    OAuth2AuthorizationServerConfigurer<HttpSecurity> serverConfigurer = new OAuth2AuthorizationServerConfigurer<>();
    HerodotusAuthenticationFailureHandler errorHandler = new HerodotusAuthenticationFailureHandler();

    // One failure handler for every endpoint so all error responses share the same shape.
    serverConfigurer.clientAuthentication(endpoint -> endpoint.errorResponseHandler(errorHandler));
    serverConfigurer.authorizationEndpoint(endpoint -> endpoint.errorResponseHandler(errorHandler));
    serverConfigurer.tokenRevocationEndpoint(endpoint -> endpoint.errorResponseHandler(errorHandler));

    // Grant-type converters consulted in order for each token request; the last one is the
    // project's password-grant converter and is the only one that needs the crypto processor.
    AuthenticationConverter tokenRequestConverter = new DelegatingAuthenticationConverter(Arrays.asList(
            new OAuth2AuthorizationCodeAuthenticationConverter(),
            new OAuth2RefreshTokenAuthenticationConverter(),
            new OAuth2ClientCredentialsAuthenticationConverter(),
            new OAuth2ResourceOwnerPasswordAuthenticationConverter(httpCryptoProcessor)));
    serverConfigurer.tokenEndpoint(endpoint -> endpoint
            .accessTokenRequestConverter(tokenRequestConverter)
            .errorResponseHandler(errorHandler));

    // This chain only handles the authorization-server endpoints; everything else falls through
    // to lower-precedence chains.
    RequestMatcher endpointsMatcher = serverConfigurer.getEndpointsMatcher();
    httpSecurity.requestMatcher(endpointsMatcher);
    httpSecurity.authorizeRequests(requests -> requests.anyRequest().authenticated());
    httpSecurity.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher));
    httpSecurity.oauth2ResourceServer(resourceServer -> resourceServer
            .jwt(jwt -> jwt.decoder(jwtDecoder))
            .bearerTokenResolver(new DefaultBearerTokenResolver())
            .accessDeniedHandler(new HerodotusAccessDeniedHandler())
            .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint()));
    httpSecurity.apply(serverConfigurer);

    // OIDC userinfo: the response is the full claim set of the presented access-token JWT.
    // If that token carries claims that should not be returned to the client, this is the
    // place to filter them.
    serverConfigurer.oidc(oidc -> oidc.userInfoEndpoint(userInfo -> userInfo.userInfoMapper(context -> {
        OidcUserInfoAuthenticationToken userInfoAuthentication = context.getAuthentication();
        // Unchecked cast: presumably the jwt() resource-server setup above always yields a
        // JwtAuthenticationToken principal here — verify if the resource-server config changes.
        JwtAuthenticationToken jwtPrincipal = (JwtAuthenticationToken) userInfoAuthentication.getPrincipal();
        return new OidcUserInfo(jwtPrincipal.getToken().getClaims());
    })));

    SecurityFilterChain filterChain = httpSecurity.formLogin(Customizer.withDefaults()).build();

    // Shared objects are read after build(); the password-grant provider is appended last.
    AuthenticationManager authenticationManager = httpSecurity.getSharedObject(AuthenticationManager.class);
    OAuth2AuthorizationService authorizationService = OAuth2ConfigurerUtils.getAuthorizationService(httpSecurity);
    OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator = OAuth2ConfigurerUtils.getTokenGenerator(httpSecurity);
    httpSecurity.authenticationProvider(
            new OAuth2ResourceOwnerPasswordAuthenticationProvider(authorizationService, tokenGenerator, authenticationManager));
    return filterChain;
}
Also used : HerodotusTokenCustomizer(cn.herodotus.engine.oauth2.authorization.customizer.HerodotusTokenCustomizer) OAuth2Properties(cn.herodotus.engine.oauth2.core.properties.OAuth2Properties) KeyPair(java.security.KeyPair) Arrays(java.util.Arrays) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2AuthorizationServerConfiguration(org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration) OAuth2TokenGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator) LoggerFactory(org.slf4j.LoggerFactory) HttpCryptoProcessor(cn.herodotus.engine.protect.web.crypto.processor.HttpCryptoProcessor) JWKSet(com.nimbusds.jose.jwk.JWKSet) OAuth2AuthorizationCodeAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter) OAuth2ConfigurerUtils(cn.herodotus.engine.oauth2.authorization.utils.OAuth2ConfigurerUtils) HttpSecurity(org.springframework.security.config.annotation.web.builders.HttpSecurity) OAuth2ResourceOwnerPasswordAuthenticationConverter(cn.herodotus.engine.oauth2.authorization.authentication.OAuth2ResourceOwnerPasswordAuthenticationConverter) RSAPublicKey(java.security.interfaces.RSAPublicKey) HerodotusAuthenticationFailureHandler(cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationFailureHandler) Resource(org.springframework.core.io.Resource) ProviderSettings(org.springframework.security.oauth2.server.authorization.config.ProviderSettings) KeyPairGenerator(java.security.KeyPairGenerator) JWKSource(com.nimbusds.jose.jwk.source.JWKSource) ResourceUtils(cn.herodotus.engine.assistant.core.utils.ResourceUtils) OidcUserInfoAuthenticationToken(org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken) 
OAuth2ClientCredentialsAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter) DelegatingAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) UUID(java.util.UUID) HerodotusAccessDeniedHandler(cn.herodotus.engine.oauth2.core.response.HerodotusAccessDeniedHandler) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) Configuration(org.springframework.context.annotation.Configuration) HerodotusAuthenticationEntryPoint(cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationEntryPoint) OAuth2ResourceOwnerPasswordAuthenticationProvider(cn.herodotus.engine.oauth2.authorization.authentication.OAuth2ResourceOwnerPasswordAuthenticationProvider) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) PostConstruct(javax.annotation.PostConstruct) Certificate(cn.herodotus.engine.oauth2.core.enums.Certificate) OAuth2Token(org.springframework.security.oauth2.core.OAuth2Token) SecurityContext(com.nimbusds.jose.proc.SecurityContext) Ordered(org.springframework.core.Ordered) DefaultBearerTokenResolver(org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver) OAuth2AuthorizationServerConfigurer(org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer) ArrayUtils(org.apache.commons.lang3.ArrayUtils) EndpointProperties(cn.herodotus.engine.web.core.properties.EndpointProperties) OidcUserInfo(org.springframework.security.oauth2.core.oidc.OidcUserInfo) JwtAuthenticationToken(org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken) Order(org.springframework.core.annotation.Order) Logger(org.slf4j.Logger) AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) 
Customizer(org.springframework.security.config.Customizer) IOException(java.io.IOException) OAuth2AuthorizationService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService) SecurityFilterChain(org.springframework.security.web.SecurityFilterChain) JwtDecoder(org.springframework.security.oauth2.jwt.JwtDecoder) RSAKey(com.nimbusds.jose.jwk.RSAKey) OAuth2TokenCustomizer(org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer) KeyStoreKeyFactory(org.springframework.security.rsa.crypto.KeyStoreKeyFactory) AuthenticationConverter(org.springframework.security.web.authentication.AuthenticationConverter) Bean(org.springframework.context.annotation.Bean) OAuth2RefreshTokenAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter) OAuth2AuthorizationCodeAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter) OAuth2ResourceOwnerPasswordAuthenticationConverter(cn.herodotus.engine.oauth2.authorization.authentication.OAuth2ResourceOwnerPasswordAuthenticationConverter) OAuth2ClientCredentialsAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter) DelegatingAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter) AuthenticationConverter(org.springframework.security.web.authentication.AuthenticationConverter) OAuth2RefreshTokenAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) 
OAuth2AuthorizationServerConfigurer(org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer) OAuth2AuthorizationCodeAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter) JwtAuthenticationToken(org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken) OAuth2ResourceOwnerPasswordAuthenticationProvider(cn.herodotus.engine.oauth2.authorization.authentication.OAuth2ResourceOwnerPasswordAuthenticationProvider) HerodotusAuthenticationEntryPoint(cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationEntryPoint) OAuth2RefreshTokenAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter) DelegatingAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter) OidcUserInfo(org.springframework.security.oauth2.core.oidc.OidcUserInfo) AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) SecurityFilterChain(org.springframework.security.web.SecurityFilterChain) OAuth2ClientCredentialsAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter) DefaultBearerTokenResolver(org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver) HerodotusAccessDeniedHandler(cn.herodotus.engine.oauth2.core.response.HerodotusAccessDeniedHandler) HttpSecurity(org.springframework.security.config.annotation.web.builders.HttpSecurity) OidcUserInfoAuthenticationToken(org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken) OAuth2AuthorizationService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService) 
HerodotusAuthenticationFailureHandler(cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationFailureHandler) OAuth2ResourceOwnerPasswordAuthenticationConverter(cn.herodotus.engine.oauth2.authorization.authentication.OAuth2ResourceOwnerPasswordAuthenticationConverter) Order(org.springframework.core.annotation.Order) Bean(org.springframework.context.annotation.Bean)

Example 2 with OAuth2ClientCredentialsAuthenticationConverter

use of org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter in project best-cloud by shanzhaozhen.

In the class AuthorizationServerConfig, method authorizationServerSecurityFilterChain:

/**
 * Mounts the Spring Authorization Server on uaa and defines the spring uaa filter-chain rules.
 *
 * <p>The token endpoint is extended with the project's resource-owner-password converter in
 * addition to the standard authorization-code, refresh-token and client-credentials converters;
 * the authorization endpoint is pointed at a custom consent page. CSRF is ignored for the
 * authorization-server endpoints, as in the reference Spring Authorization Server setup.
 *
 * @param http the builder for this chain
 * @return the built filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()} and {@code apply()}
 */
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer<HttpSecurity> serverConfigurer = new OAuth2AuthorizationServerConfigurer<>();

    // Append the password grant to the standard converters.
    // Original author's note: this way of appending is inelegant; keep watching the project's
    // milestone https://github.com/spring-projects/spring-authorization-server/milestone/10
    DelegatingAuthenticationConverter tokenRequestConverter = new DelegatingAuthenticationConverter(Arrays.asList(
            new OAuth2AuthorizationCodeAuthenticationConverter(),
            new OAuth2RefreshTokenAuthenticationConverter(),
            new OAuth2ClientCredentialsAuthenticationConverter(),
            new OAuth2ResourceOwnerPasswordAuthenticationConverter()));
    serverConfigurer.tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(tokenRequestConverter));
    // The same configurer instance is applied again below; presumably the second apply() is a
    // no-op for the builder — confirm against the Spring Security version in use.
    http.apply(serverConfigurer);

    // Custom scope-consent page.
    serverConfigurer.authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI));

    // Matcher for the authorization-server endpoints, including the consent page endpoint.
    RequestMatcher endpointsMatcher = serverConfigurer.getEndpointsMatcher();
    http.requestMatcher(endpointsMatcher);
    http.authorizeRequests(requests -> requests.anyRequest().authenticated());
    http.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher));
    http.apply(serverConfigurer);
    DefaultSecurityFilterChain filterChain = http.formLogin(Customizer.withDefaults()).build();

    // build() initialises the authorization server's default providers in
    // OAuth2TokenEndpointConfigurer.createDefaultAuthenticationProviders, so the
    // password-grant provider has to be appended only after build().
    addCustomOAuth2ResourceOwnerPasswordAuthenticationProvider(http);
    return filterChain;
}
Also used : Ordered(org.springframework.core.Ordered) Arrays(java.util.Arrays) OAuth2AuthorizationServerConfigurer(org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer) RegisteredClientRepository(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository) RequiredArgsConstructor(lombok.RequiredArgsConstructor) JdbcRegisteredClientRepository(org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository) OAuth2AuthorizationCodeAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter) DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain) HttpSecurity(org.springframework.security.config.annotation.web.builders.HttpSecurity) JwtEncoder(org.springframework.security.oauth2.jwt.JwtEncoder) JdbcTemplate(org.springframework.jdbc.core.JdbcTemplate) Value(org.springframework.beans.factory.annotation.Value) OAuth2ConfigurerUtils(org.shanzhaozhen.authorize.config.oauth2.authentication.OAuth2ConfigurerUtils) ProviderSettings(org.springframework.security.oauth2.server.authorization.config.ProviderSettings) Order(org.springframework.core.annotation.Order) SecurityJacksonConfig(org.shanzhaozhen.authorize.jackson.SecurityJacksonConfig) OAuth2ResourceOwnerPasswordAuthenticationConverter(org.shanzhaozhen.authorize.config.oauth2.authentication.OAuth2ResourceOwnerPasswordAuthenticationConverter) AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) OAuth2ResourceOwnerPasswordAuthenticationProvider(org.shanzhaozhen.authorize.config.oauth2.authentication.OAuth2ResourceOwnerPasswordAuthenticationProvider) Customizer(org.springframework.security.config.Customizer) 
OAuth2ClientCredentialsAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter) DelegatingAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) SecurityFilterChain(org.springframework.security.web.SecurityFilterChain) Configuration(org.springframework.context.annotation.Configuration) org.springframework.security.oauth2.server.authorization(org.springframework.security.oauth2.server.authorization) Bean(org.springframework.context.annotation.Bean) OAuth2RefreshTokenAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) OAuth2AuthorizationServerConfigurer(org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer) OAuth2AuthorizationCodeAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter) OAuth2ClientCredentialsAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter) HttpSecurity(org.springframework.security.config.annotation.web.builders.HttpSecurity) OAuth2RefreshTokenAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter) DelegatingAuthenticationConverter(org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter) DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain) 
OAuth2ResourceOwnerPasswordAuthenticationConverter(org.shanzhaozhen.authorize.config.oauth2.authentication.OAuth2ResourceOwnerPasswordAuthenticationConverter) Order(org.springframework.core.annotation.Order) Bean(org.springframework.context.annotation.Bean)
