spring boot oaauth2.0 (링크 정리 공유)

안녕하세요

oauth2.0정리 및 링크 공유 합니다.

참고할만한 링크 공유합니다.

http://www.baeldung.com/rest-api-spring-oauth2-angularjs

https://github.com/Baeldung/spring-security-oauth/tree/master/spring-security-oauth-server/src

 

 

http://projects.spring.io/spring-security-oauth/docs/oauth2.html

 

 

 

https://www.javacodegeeks.com/2015/10/spring-boot-oauth2-security.html

https://www.javacodegeeks.com/2015/10/spring-boot-oauth2-security.html

https://github.com/rajithd/spring-boot-oauth2

 

https://brunch.co.kr/@sbcoba/4

 

조대협님

http://jekalmin.tistory.com/entry/spring-bootoauth-%EC%84%B8%ED%8C%85-%ED%85%8C%EC%8A%A4%ED%8A%B8

 

https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v

 

 

https://github.com/dynamind/spring-boot-security-oauth2-minimal

 

 

[Spring Boot]Rest with Spring Security OAuth2 Authentication using Mysql (진행중) http://m.blog.naver.com/wizardkyn/220650609325

1. 참조 URL

OAuth2 기본 개념

https://developers.daum.net/services/apis/docs/oauth2_0/reference

 

개발자 가이드 및 샘플 소스

http://projects.spring.io/spring-security-oauth/docs/oauth2.html
https://github.com/spring-projects/spring-security-oauth/tree/master/samples
https://github.com/spring-projects/spring-security-oauth/tree/master/tests/annotation/jdbc
https://brunch.co.kr/@sbcoba/4

http://www.baeldung.com/rest-api-spring-oauth2-angularjs
https://www.javacodegeeks.com/2015/10/spring-boot-oauth2-security.html

 

H2 SQL Scheme

https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql
 

 

인증서버 AuthorizationServer 설정

package com.khh.project.config.web.security.oauth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

//http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html

@EnableAuthorizationServer // OAuth2 권한 서버
@Configuration
@Order(1)
public class AuthorizationServerConfigurerAdapter extends org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter {


   @Autowired
   private AuthenticationManager authenticationManager;

   //

   @Override
   public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
      oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
   }

   @Override
   public void configure(final ClientDetailsServiceConfigurer clients) throws Exception { // @formatter:off
      clients.inMemory()
            .withClient("client")
            .secret("secret")
//          .authorizedGrantTypes("password", "client_credentials", "authorization_code", "refresh_token")
            .authorizedGrantTypes("password")
            .redirectUris("http://localhost:8080")
//          .authorities("ROLE_AUTH")
            .scopes("foo", "read", "write")
            .accessTokenValiditySeconds(3600) // 1 hour
      ;
   }


   @Override
   public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
      endpoints.tokenStore(tokenStore()).allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST)
            .accessTokenConverter(accessTokenConverter()).authenticationManager(authenticationManager);
   }

   @Bean
   @Primary
   public DefaultTokenServices tokenServices() {
      final DefaultTokenServices tokenServices = new DefaultTokenServices();
      tokenServices.setTokenStore(tokenStore());
      return tokenServices;
   }

   @Bean
   public TokenStore tokenStore() {
      return new JwtTokenStore(accessTokenConverter());
   }

   @Bean
   public JwtAccessTokenConverter accessTokenConverter() {
      final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
      return converter;
   }
}

리소스 서버ResourceServer

package com.khh.project.config.web.security.oauth;

import com.khh.project.config.web.security.AuthenticationProvider;
import com.khh.project.config.web.security.AuthenticationSuccessHandler;
import com.khh.project.config.web.security.LogoutSuccessHandler;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.vote.ScopeVoter;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;

@EnableResourceServer// API 서버 인증(또는 권한 설정   일반 웹뷰 서버랑 resource서버는 같이갈수없다
@Configuration
@Slf4j
@Order(-3)
public class ResourceServerConfigurerAdapter extends org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter{
   @Override
   public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
      super.configure(resources);
   }


   public static final String ROOT_PATH                   = "/";
   public static final String SECURITY_PATH               = "/security";
   public static final String ANON_PATH                   = "/anon";
   public static final String AUTH_PATH                   = "/auth";

   public static final String LOGIN_PAGE                  = SECURITY_PATH+"/login";
   public static final String LOGIN_PROCESSING_URL        = SECURITY_PATH+"/sign_in";
   public static final String FAILURE_URL                 = LOGIN_PAGE;
   public static final String USERNAME_PARAMETER          = "username";
   public static final String PASSWORD_PARAMETER          = "password";
   public static final String DEFAULT_SUCCESS_URL         = ROOT_PATH;
   public static final String LOGOUT_SUCCESS_URL          = ROOT_PATH;
   public static final String SESSION_EXPIRED_URL         = LOGIN_PAGE+"?expred";
   public static final String SESSION_INVALIDSESSION_URL  = LOGIN_PAGE+"?invalid";
   public static final String LOGOUT_URL                  = SECURITY_PATH+"/sign_out";
   public static final String REMEMBER_ME_KEY             = "REMEBMER_ME_KEY";
   public static final String REMEMBER_ME_COOKE_NAME      = "REMEMBER_ME_COOKE";

   @Autowired
   AuthenticationProvider authenticationProvider;
   @Autowired
   AuthenticationSuccessHandler authenticationSuccessHandler;
   @Autowired
   LogoutSuccessHandler logoutSuccessHandler;
   @Autowired
   RememberMeServices tokenBasedRememberMeServices;


   private TokenExtractor tokenExtractor = new BearerTokenExtractor();


   @Override
   public void configure(HttpSecurity http) throws Exception {
      log.debug("-----security HttpSecurity-----"+http);
        http
            .anonymous()
                .and()
         //커스텀 시큐리티 인텁셉터 하려면 아래를 사용하면된다
//       .addFilterBefore(filterSecurityInterceptor(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/", ANON_PATH +"/**")       .permitAll()
                .antMatchers("/admin/**")           .hasRole("ADMIN")
                .antMatchers("/board/**")           .hasRole("USER")
//                .antMatchers(AUTH_PATH +"/**")         .authenticated()
                .anyRequest().authenticated()
                .and()
         .sessionManagement()                     //http://niees.tistory.com/17
            .maximumSessions(1)
            .expiredUrl(SESSION_EXPIRED_URL)         //중복 로그인이 일어났을 경우 이동 할 주소​
            .maxSessionsPreventsLogin(false)         //만약 두번째 인증을 거부하게 하고 싶은 경우concurrency-control에​ error-if-maximum-exceeded="true"속성을 지정하면 된다.​
            .and()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .invalidSessionUrl(SESSION_INVALIDSESSION_URL)
            .and()
            .formLogin()
                .loginPage(LOGIN_PAGE)                       //로그인 페이지
                .loginProcessingUrl(LOGIN_PROCESSING_URL)     //login-processing-url  로그인 페이지 form action에 입력할 주소 지정
                .failureUrl(FAILURE_URL)                     //실패시 이동될 페이지
                .usernameParameter(USERNAME_PARAMETER)
                .passwordParameter(PASSWORD_PARAMETER)
                .defaultSuccessUrl(DEFAULT_SUCCESS_URL)       //성공시 이동될 페이지
                //.failureHandler(authenticationFailureHandler())
                .successHandler(authenticationSuccessHandler)
                .permitAll()
                .and()
            .rememberMe()
                .key(REMEMBER_ME_KEY)
                .rememberMeServices(tokenBasedRememberMeServices)
                .and()
            .logout()
                .deleteCookies(REMEMBER_ME_COOKE_NAME)
                .deleteCookies("JSESSIONID")
                .logoutUrl(LOGOUT_URL)
                .invalidateHttpSession(true)
                .logoutSuccessUrl(LOGOUT_SUCCESS_URL)
//                .logoutSuccessHandler(logoutSuccessHandler())      //커스텀으로 로그아웃된거에 대한 처리를 해주면 로그아웃성공URL로 가지 않으니 커스텀할떄 사용해여라
                .logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT_URL))
                .permitAll()
                .and()
            .authenticationProvider(authenticationProvider)    //configure(AuthenticationManagerBuilder auth) 오버라이딩해서 추가할수도있다.
            .csrf().disable();
   }

// @Override
// public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
//    resources.resourceId("visualkhh");
// }
}