Spring boot使用Spring Security和OAuth2保护REST接口

INSERT INTO OAUTH_CLIENT_DETAILS(CLIENT_ID, RESOURCE_IDS, CLIENT_SECRET, SCOPE, AUTHORIZED_GRANT_TYPES, AUTHORITIES, ACCESS_TOKEN_VALIDITY, REFRESH_TOKEN_VALIDITY) VALUES ('spring-security-oauth2-read-client', 'resource-server-rest-api', /*spring-security-oauth2-read-client-password1234*/'$2a$04$WGq2P9egiOYoOFemBRfsiO9qTcyJtNRnPKNBl5tokP7IP.eZn93km', 'read', 'password,authorization_code,refresh_token,implicit', 'USER', 10800, 2592000);INSERT INTO OAUTH_CLIENT_DETAILS(CLIENT_ID, RESOURCE_IDS, CLIENT_SECRET, SCOPE, AUTHORIZED_GRANT_TYPES, AUTHORITIES, ACCESS_TOKEN_VALIDITY, REFRESH_TOKEN_VALIDITY) VALUES ('spring-security-oauth2-read-write-client', 'resource-server-rest-api', /*spring-security-oauth2-read-write-client-password1234*/'$2a$04$soeOR.QFmClXeFIrhJVLWOQxfHjsJLSpWrU1iGxcMGdu.a5hvfY4W', 'read,write', 'password,authorization_code,refresh_token,implicit', 'USER', 10800, 2592000);

INSERT INTO AUTHORITY(ID, NAME) VALUES (1, 'COMPANY_CREATE');INSERT INTO AUTHORITY(ID, NAME) VALUES (2, 'COMPANY_READ');INSERT INTO AUTHORITY(ID, NAME) VALUES (3, 'COMPANY_UPDATE');INSERT INTO AUTHORITY(ID, NAME) VALUES (4, 'COMPANY_DELETE');INSERT INTO AUTHORITY(ID, NAME) VALUES (5, 'DEPARTMENT_CREATE');INSERT INTO AUTHORITY(ID, NAME) VALUES (6, 'DEPARTMENT_READ');INSERT INTO AUTHORITY(ID, NAME) VALUES (7, 'DEPARTMENT_UPDATE');INSERT INTO AUTHORITY(ID, NAME) VALUES (8, 'DEPARTMENT_DELETE');

INSERT INTO USER_(ID, USER_NAME, PASSWORD, ACCOUNT_EXPIRED, ACCOUNT_LOCKED, CREDENTIALS_EXPIRED, ENABLED)  VALUES (1, 'admin', /*admin1234*/'$2a$08$qvrzQZ7jJ7oy2p/msL4M0.l83Cd0jNsX6AJUitbgRXGzge4j035ha', FALSE, FALSE, FALSE, TRUE);INSERT INTO USER_(ID, USER_NAME, PASSWORD, ACCOUNT_EXPIRED, ACCOUNT_LOCKED, CREDENTIALS_EXPIRED, ENABLED)  VALUES (2, 'reader', /*reader1234*/'$2a$08$dwYz8O.qtUXboGosJFsS4u19LHKW7aCQ0LXXuNlRfjjGKwj5NfKSe', FALSE, FALSE, FALSE, TRUE);INSERT INTO USER_(ID, USER_NAME, PASSWORD, ACCOUNT_EXPIRED, ACCOUNT_LOCKED, CREDENTIALS_EXPIRED, ENABLED)  VALUES (3, 'modifier', /*modifier1234*/'$2a$08$kPjzxewXRGNRiIuL4FtQH.mhMn7ZAFBYKB3ROz.J24IX8vDAcThsG', FALSE, FALSE, FALSE, TRUE);INSERT INTO USER_(ID, USER_NAME, PASSWORD, ACCOUNT_EXPIRED, ACCOUNT_LOCKED, CREDENTIALS_EXPIRED, ENABLED)  VALUES (4, 'reader2', /*reader1234*/'$2a$08$vVXqh6S8TqfHMs1SlNTu/.J25iUCrpGBpyGExA.9yI.IlDRadR6Ea', FALSE, FALSE, FALSE, TRUE);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 1);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 2);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 3);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 4);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 5);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 6);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 7);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 8);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (1, 9);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (2, 2);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (2, 6);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (3, 3);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (3, 7);INSERT INTO USERS_AUTHORITIES(USER_ID, AUTHORITY_ID) VALUES (4, 9);

@RestController@RequestMapping("/secured/company")public class CompanyController {    @Autowired    private CompanyService companyService;    @RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public @ResponseBody    List<Company> getAll() {        return companyService.getAll();    }    @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public @ResponseBody    Company get(@PathVariable Long id) {        return companyService.get(id);    }    @RequestMapping(value = "/filter", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public @ResponseBody    Company get(@RequestParam String name) {        return companyService.get(name);    }    @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public ResponseEntity<?> create(@RequestBody Company company) {        companyService.create(company);        HttpHeaders headers = new HttpHeaders();        ControllerLinkBuilder linkBuilder = linkTo(methodOn(CompanyController.class).get(company.getId()));        headers.setLocation(linkBuilder.toUri());        return new ResponseEntity<>(headers, HttpStatus.CREATED);    }    @RequestMapping(method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public void update(@RequestBody Company company) {        companyService.update(company);    }    @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MediaType.APPLICATION_JSON_VALUE)    @ResponseStatus(value = HttpStatus.OK)    public void delete(@PathVariable Long id) {        companyService.delete(id);    }}

@Configurationpublic class Encoders {    @Bean    public PasswordEncoder oauthClientPasswordEncoder() {        return new BCryptPasswordEncoder(4);    }    @Bean    public PasswordEncoder userPasswordEncoder() {        return new BCryptPasswordEncoder(8);

@Servicepublic class UserDetailsServiceImpl implements UserDetailsService {    @Autowired    private UserRepository userRepository;    @Override    @Transactional(readOnly = true)    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {        User user = userRepository.findByUsername(username);        if (user != null) {            return user;        }        throw new UsernameNotFoundException(username);    }}

@Repositorypublic interface UserRepository extends JpaRepository<User, Long> {    @Query("SELECT DISTINCT user FROM User user " +            "INNER JOIN FETCH user.authorities AS authorities " +            "WHERE user.username = :username")    User findByUsername(@Param("username") String username);}

@Configuration@EnableWebSecurity@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)@Import(Encoders.class)public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {    @Autowired    private UserDetailsService userDetailsService;    @Autowired    private PasswordEncoder userPasswordEncoder;    @Override    @Bean    public AuthenticationManager authenticationManagerBean() throws Exception {        return super.authenticationManagerBean();    }    @Override    protected void configure(AuthenticationManagerBuilder auth) throws Exception {        auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);    }}

@Configuration@EnableAuthorizationServer@EnableGlobalMethodSecurity(prePostEnabled = true)@Import(ServerSecurityConfig.class)public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {    @Autowired    @Qualifier("dataSource")    private DataSource dataSource;    @Autowired    private AuthenticationManager authenticationManager;    @Autowired    private UserDetailsService userDetailsService;    @Autowired    private PasswordEncoder oauthClientPasswordEncoder;    @Bean    public TokenStore tokenStore() {        return new JdbcTokenStore(dataSource);    }    @Bean    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {        return new OAuth2AccessDeniedHandler();    }    @Override    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").passwordEncoder(oauthClientPasswordEncoder);    }    @Override    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {        clients.jdbc(dataSource);    }    @Override    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager).userDetailsService(userDetailsService);    }}

@Configuration@EnableResourceServerpublic class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {    private static final String RESOURCE_ID = "resource-server-rest-api";    private static final String SECURED_READ_SCOPE = "#oauth2.hasScope('read')";    private static final String SECURED_WRITE_SCOPE = "#oauth2.hasScope('write')";    private static final String SECURED_PATTERN = "/secured/**";    @Override    public void configure(ResourceServerSecurityConfigurer resources) {        resources.resourceId(RESOURCE_ID);    }    @Override    public void configure(HttpSecurity http) throws Exception {        http.requestMatchers()                .antMatchers(SECURED_PATTERN).and().authorizeRequests()                .antMatchers(HttpMethod.POST, SECURED_PATTERN).access(SECURED_WRITE_SCOPE)                .anyRequest().access(SECURED_READ_SCOPE);    }}

curl -X POST   http://localhost:8080/oauth/token   -H 'authorization: Basic c3ByaW5nLXNlY3VyaXR5LW9hdXRoMi1yZWFkLXdyaXRlLWNsaWVudDpzcHJpbmctc2VjdXJpdHktb2F1dGgyLXJlYWQtd3JpdGUtY2xpZW50LXBhc3N3b3JkMTIzNA=='   -F grant_type=password   -F username=admin   -F password=admin1234   -F client_id=spring-security-oauth2-read-write-client

{    "access_token": "e6631caa-bcf9-433c-8e54-3511fa55816d",    "token_type": "bearer",    "refresh_token": "015fb7cf-d09e-46ef-a686-54330229ba53",    "expires_in": 9472,    "scope": "read write"}

@Servicepublic class CompanyServiceImpl implements CompanyService {    @Autowired    private CompanyRepository companyRepository;    @Override    @Transactional(readOnly = true)    @PreAuthorize("hasAuthority('COMPANY_READ') and hasAuthority('DEPARTMENT_READ')")    public Company get(Long id) {        return companyRepository.find(id);    }    @Override    @Transactional(readOnly = true)    @PreAuthorize("hasAuthority('COMPANY_READ') and hasAuthority('DEPARTMENT_READ')")    public Company get(String name) {        return companyRepository.find(name);    }    @Override    @Transactional(readOnly = true)    @PreAuthorize("hasRole('COMPANY_READER')")    public List<Company> getAll() {        return companyRepository.findAll();    }    @Override    @Transactional    @PreAuthorize("hasAuthority('COMPANY_CREATE')")    public void create(Company company) {        companyRepository.create(company);    }    @Override    @Transactional    @PreAuthorize("hasAuthority('COMPANY_UPDATE')")    public Company update(Company company) {        return companyRepository.update(company);    }    @Override    @Transactional    @PreAuthorize("hasAuthority('COMPANY_DELETE')")    public void delete(Long id) {        companyRepository.delete(id);    }    @Override    @Transactional    @PreAuthorize("hasAuthority('COMPANY_DELETE')")    public void delete(Company company) {        companyRepository.delete(company);    }}

curl -X GET   http://localhost:8080/secured/company/   -H 'authorization: Bearer e6631caa-bcf9-433c-8e54-3511fa55816d'

curl -X POST   http://localhost:8080/oauth/token   -H 'authorization: Basic c3ByaW5nLXNlY3VyaXR5LW9hdXRoMi1yZWFkLWNsaWVudDpzcHJpbmctc2VjdXJpdHktb2F1dGgyLXJlYWQtY2xpZW50LXBhc3N3b3JkMTIzNA=='   -F grant_type=password   -F username=admin   -F password=admin1234   -F client_id=spring-security-oauth2-read-client

http://localhost:8080/secured/company   -H 'authorization: Bearer f789c758-81a0-4754-8a4d-cbf6eea69222'   -H 'content-type: application/json'   -d '{    "name": "TestCompany",    "departments": null,    "cars": null}'

{    "error": "insufficient_scope",    "error_description": "Insufficient scope for this resource",    "scope": "write"}