spring oauth2.0

grant_type:
authorization_code — authorization code mode (log in first to obtain a code, then exchange the code for a token)
password — password mode (pass the user name and password and receive the token directly)
client_credentials — client mode (no user involved; the client is registered with the authorization server and then obtains resources from the resource server in its own name)
implicit — simplified mode (the token is passed in the hash fragment of redirect_uri; the OAuth client runs in the browser, e.g. JS or Flash)
refresh_token — refreshes the access_token



JWT
With JWT the token does not need to be stored on the server. The token itself carries the user information (without the password) and the permission information. The resource server does not need to ask the authorization server whether the token's contents are correct; it checks the token's correctness by verifying its signature.
Of course, the signing key of the authorization server and the resource server must be the same, so that the AccessToken can be accepted on the strength of a consistent signature.
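An authorization server configuration that puts the two points above together (the registered grant types and a JWT token store whose signing key must be shared with every resource server). This is an added example, not code from the page; it targets spring-security-oauth2 2.x as used with Spring Boot 1.5, and the client secret, the SIGNING_KEY value and the token validity are placeholders. The client id "normal-app", the scope "read", the resource id "spring-boot-application" and the redirect URI are the values that appear in the page's requests and token.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Symmetric HS256 key (placeholder value). Every resource server that accepts these
    // tokens must be configured with the identical value; keep it out of source control.
    private static final String SIGNING_KEY = "CHANGE-ME-shared-signing-key";

    @Autowired
    private AuthenticationManager authenticationManager; // required by the password grant

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SIGNING_KEY);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore persists nothing: the token is the record and is checked by its signature.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("normal-app")                 // client_id used in the page's requests
            .secret("normal-app-secret")              // placeholder; sent via HTTP Basic to /oauth/token
            .authorizedGrantTypes("authorization_code", "password",
                                  "client_credentials", "implicit", "refresh_token")
            .scopes("read")
            .resourceIds("spring-boot-application")   // becomes the "aud" claim of the JWT
            .redirectUris("http://localhost:8080/resources/user")
            .accessTokenValiditySeconds(3600);        // placeholder lifetime; the "exp" claim
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .authenticationManager(authenticationManager);
    }
}
```

A client that only needs to verify tokens does not need the ability to issue them. With a symmetric key, as here, any resource server holding the key could also mint valid tokens, so where resource servers are less trusted than the authorization server, give the converter an RSA key pair (setKeyPair) and ship only the public key to the resource servers.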



password — password mode
http://localhost:8080/oauth/token?grant_type=password&username=xing&password=123456








Client authorization mode
http://localhost:8080/oauth/token?grant_type=client_credentials

Authorization code mode
http://localhost:8080/oauth/authorize?client_id=normal-app&response_type=code&scope=read&redirect_uri=http://localhost:8080/resources/user


localhost:8088/resources/user2?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidXNlcl9uYW1lIjoieGluZyIsInNjb3BlIjpbInJlYWQiXSwicm9sZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfVVNFUiJ9XSwiZXhwIjoxNTAzOTk1ODI1LCJ1c2VyTmFtZSI6InhpbmciLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoiOWU2ZjM2NmItYTI1Ni00N2FiLTk2YWUtMTU1M2RkYTZiN2M1IiwiY2xpZW50X2lkIjoibm9ybWFsLWFwcCJ9.qOI-x9Jhcr34UtyjQ-6JQY0qvD1VVDF8HNhuXUsTaTo
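The access_token in the request above is an HS256 JWT: header, claims and signature, each base64url-encoded and joined by dots. The following plain-Java program (an added example, not code from the page or from spring-security-oauth2) decodes the two readable segments of that token and shows the two checks a resource server performs before trusting a JWT locally: the HMAC signature and the exp claim. The page does not give the signing key, so the program re-signs the page's claims with a constructed key to demonstrate a successful verification, an expired token, a wrong key and a tampered claims segment.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT inspection and verification (added example; not spring-security-oauth2 code). */
public class JwtCheck {

    // Access token copied from the request above.
    static final String PAGE_TOKEN =
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
      + "eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidXNlcl9uYW1lIjoieGluZyIsInNjb3BlIjpbInJlYWQiXSwicm9sZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfVVNFUiJ9XSwiZXhwIjoxNTAzOTk1ODI1LCJ1c2VyTmFtZSI6InhpbmciLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoiOWU2ZjM2NmItYTI1Ni00N2FiLTk2YWUtMTU1M2RkYTZiN2M1IiwiY2xpZW50X2lkIjoibm9ybWFsLWFwcCJ9."
      + "qOI-x9Jhcr34UtyjQ-6JQY0qvD1VVDF8HNhuXUsTaTo";

    /** Decodes one base64url segment of the token into text. */
    static String decodeSegment(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    /** Computes base64url(HMAC-SHA256(key, header + "." + claims)), the HS256 signature. */
    static String sign(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Returns true only if the signature matches the key and the token has not expired. */
    static boolean verify(String token, byte[] key, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        // Pin the algorithm: a token claiming "none" or another algorithm is rejected outright.
        if (!decodeSegment(parts[0]).contains("\"alg\":\"HS256\"")) return false;
        String expected = sign(parts[0] + "." + parts[1], key);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                   parts[2].getBytes(StandardCharsets.US_ASCII))) return false;
        Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(decodeSegment(parts[1]));
        return m.find() && Long.parseLong(m.group(1)) > nowEpochSeconds;
    }

    public static void main(String[] args) throws Exception {
        String[] parts = PAGE_TOKEN.split("\\.");
        System.out.println("header : " + decodeSegment(parts[0]));
        System.out.println("claims : " + decodeSegment(parts[1]));

        // The real signing key is not on the page, so a constructed key is used for the round trip.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String signingInput = parts[0] + "." + parts[1];
        String resigned = signingInput + "." + sign(signingInput, key);
        long beforeExp = 1503995825L - 60;   // the token's exp claim, minus a minute
        long afterExp  = 1503995825L + 60;

        System.out.println("valid key, before exp : " + verify(resigned, key, beforeExp));   // true
        System.out.println("valid key, after exp  : " + verify(resigned, key, afterExp));    // false
        System.out.println("page token, wrong key : " + verify(PAGE_TOKEN, key, beforeExp)); // false
        // Change one character of the claims segment; the old signature no longer matches.
        String tampered = parts[0] + "." + parts[1].substring(0, parts[1].length() - 1) + "X."
                        + resigned.split("\\.")[2];
        System.out.println("tampered claims       : " + verify(tampered, key, beforeExp));   // false
    }
}
```

Compile and run with javac JwtCheck.java && java JwtCheck. The decoded claims show what the resource server has to check beyond the signature: aud must contain its own resource id (spring-boot-application here), exp must lie in the future, and scope decides which endpoints the token may reach. Spring's JwtTokenStore does the signature and expiry checks for you; the aud check comes from resourceId() in the resource server configuration.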







Check a token
http://localhost:8080/oauth/check_token?token=3f44c676-11eb-4c13-8cf3-b337f5079d33

Usable across servers
http://localhost:8080/oauth/token?grant_type=password&username=xing&password=123456
http://localhost:9090/resources/user2?access_token=592dcf44-568f-419b-b24b-9c31bb9fae75



HttpSecurity

anonymous().disable() // disable anonymous access

formLogin().permitAll() // allow all users to access the login page

hasRole("USER") // the caller must hold this role to access
antMatchers("/").hasRole("USER")

authorizeRequests() // authorize requests

authenticated() // the caller must be logged in when the request is executed
anyRequest().permitAll(); // all other requests

csrf().disable() // disable CSRF attack protection

httpBasic() // use Basic authentication

.antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll() // everyone has access
.antMatchers("/h2-console/**").permitAll() // everyone has access
.antMatchers("/users/**").hasRole("USER") // requires the corresponding role to access
.antMatchers("/admins/**").hasRole("ADMIN") // requires the corresponding role to access




@EnableAuthorizationServer
The user is responsible for securing the authorization endpoint (/oauth/authorize); the token endpoint (/oauth/token) is automatically secured with HTTP Basic client credentials.

@EnableResourceServer
Convenience annotation for an OAuth2 resource server: it enables a Spring Security filter that authenticates requests via an OAuth2 token.
The user should add this annotation and provide a bean of type ResourceServerConfigurer (e.g. via ResourceServerConfigurerAdapter) to specify the details of the resource (URL paths and resource id).
The @EnableResourceServer annotation adds a filter of type OAuth2AuthenticationProcessingFilter to the Spring Security filter chain.

On the order of ResourceServerConfiguration and SecurityConfiguration: SecurityConfiguration must come before ResourceServerConfiguration,
because Spring implements security by adding filters, and the basic security filter should run before the OAuth filter; so set @Order(2) on SecurityConfiguration and @Order(6) on ResourceServerConfiguration.

@EnableOAuth2Client


http.authorizeRequests().antMatchers(
        "/swagger*/**",
        "/v2/api-docs/**",
        "/**/**" // all resources can be accessed without login
    )
    .permitAll();
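The two ordered configurations the notes above describe, written out as an added example (not code from the page): SecurityConfiguration with @Order(2) carries the HttpSecurity rules from the list above, and ResourceServerConfiguration with @Order(6) uses @EnableResourceServer and declares the resource id. It assumes the resource server is a separate application, like the port-9090 deployment above, so it builds its own JwtAccessTokenConverter with the same placeholder SIGNING_KEY as the authorization server; in a single application you would instead inject that application's existing TokenStore bean. Two deliberate departures from the notes, for a safer default: CSRF protection stays enabled for the browser-facing pages and is only exempted for /oauth/token (which clients call with HTTP Basic, not a cookie session), and the resource chain is limited to /resources/** and requires the "read" scope rather than permitting "/**/**" without login, which would leave nothing for the OAuth filter to protect.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/** Basic web security; ordered first so its filter runs before the OAuth2 filter. */
@Configuration
@Order(2)
class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().ignoringAntMatchers("/oauth/token") // token endpoint is Basic-auth, not session based
            .and()
            .httpBasic()                                // clients present their credentials with Basic
            .and()
            .formLogin().permitAll()                    // the login page itself is open to everyone
            .and()
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll()
                .antMatchers("/h2-console/**").permitAll()
                .antMatchers("/oauth/authorize").authenticated() // the endpoint the notes say is ours to secure
                .antMatchers("/users/**").hasRole("USER")
                .antMatchers("/admins/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }
}

/** OAuth2 resource server; ordered after SecurityConfiguration as the notes recommend. */
@Configuration
@EnableResourceServer
@Order(6)
class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // Placeholder; must be identical to the authorization server's key or every token is rejected.
    private static final String SIGNING_KEY = "CHANGE-ME-shared-signing-key";

    @Bean
    public JwtAccessTokenConverter resourceAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SIGNING_KEY);
        return converter;
    }

    @Bean
    public TokenStore resourceTokenStore() {
        // Verifies signature and expiry locally; no call back to the authorization server.
        return new JwtTokenStore(resourceAccessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("spring-boot-application") // must appear in the token's "aud" claim
                 .tokenStore(resourceTokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/resources/**") // this chain only handles resource paths
            .and()
            .authorizeRequests()
                .antMatchers("/resources/**").access("#oauth2.hasScope('read')")
                .anyRequest().authenticated();
    }
}
```

Both classes are package-private so that they fit in one file for the example; in a project they would normally be two public classes. If the resource server runs on Spring Boot 1.x, the filter order can also be set through the security.oauth2.resource.filter-order property instead of the annotation.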





(Detailed explanation of spring-security-oauth2 annotations): http://www.cnblogs.com/davidwang456/p/6480681.html
(The principle and practice of OAuth 2.0 authentication): http://blog.csdn.net/kkkloveyou/article/details/65531491
http://blog.csdn.net/u014453515/article/details/53406557
http://blog.csdn.net/zhoucheng05_13/article/details/60467234
http://blog.csdn.net/libaineu2004/article/details/38384487

When multiple authentication modules are configured, only one of them has to pass: once an earlier one has authenticated the request, the later ones are not run.



