I'm currently implementing a Spring MVC application that is both an OAuth client (in the sense that it consumes data from third party service providers), and an OAuth2 Service Provider (in the sense that it should provide the means for third party oauth clients to consume data from this application from a dedicated REST api).
While I have no issue with the implementation of the application in its capacity as OAuth client, my OAuth2 service provider configuration is interfering with the application's ability to authenticate with service providers: if I enable the OAuth2 config, it appears to intercept callbacks to the application from third party service providers. Disabling it returns the application back to its normal working state.
I'm assuming that this is because I am not specifying which urls I want the oauth2 provider to govern exclusively, but I can't see any way of specifying this.
To simplify the question: how do I configure Spring Security OAuth2 provider to manage one url root (e.g. '/restapi/*'), and this url only, with it ignoring all other urls entirely? I've had a look at the resources at the project's homepage, but nothing is jumping out at me...
This may well be down to how I've defined my security intercept-urls, in which case it may not be an OAuth2 specific question, but how to apply different security schemes to different url schemes. Any advice on how to do that would be great!
Out of the box you won't be able to do it with Spring Security 3.0, but you can in 3.1. According to this blog post:
In Spring Security 3.1, you will be able to use more than one http element to create multiple filter chains. Each chain handles different paths within the application, for example a stateless API under the URL /rest/** and a stateful web application configuration for all other requests.
To do what you want you can subclass the provider security filters and override doFilter() to only apply to certain URLs.
If you are using namespace configuration you'll need to have your subclassed filters replace the corresponding filter in the filter chain. Kind of a pain, but doable. For example, here's how I am doing it for my custom VerificationCodeFilter:
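override def afterPropertiesSet() {
  // Copy the collaborators from the stock filter that this subclass replaces.
  setVerificationServices(springVerificationCodeFilter.getVerificationServices)
  setClientDetailsService(springVerificationCodeFilter.getClientDetailsService)
  setUserApprovalHandler(springVerificationCodeFilter.getUserApprovalHandler)
  super.afterPropertiesSet()
  // Locate the chain that contains the stock filter. The map and its lists are java.util
  // collections, so find/exists need Java-to-Scala collection conversions in scope.
  val filterChainMap = filterChainProxy.getFilterChainMap
  val filterChain = filterChainMap.find(_._2.exists(_.isInstanceOf[SpringVerificationCodeFilter])).
    getOrElse(throw new Exception("Could not find VerificationCodeFilter in FilterChainMap"))._2
  // Swap this subclass in at the same position so the filter ordering is preserved.
  val index = filterChain.indexOf(springVerificationCodeFilter)
  filterChain.remove(index)
  filterChain.add(index, this)
}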
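The URL scoping described in the answer above, as an added example in Java (not code from the answer or from Spring Security OAuth): rather than subclassing each provider filter, a hypothetical PathScopedFilter wraps one and delegates to it only for paths under a single root. It assumes the javax.servlet API is on the classpath; the class name and the "/restapi" root are illustrative.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class): applies the wrapped filter only under one URL root.
public class PathScopedFilter implements Filter {
    private final Filter delegate;   // e.g. one of the OAuth2 provider filters
    private final String root;       // e.g. "/restapi", no trailing slash

    public PathScopedFilter(Filter delegate, String root) {
        if (root == null || !root.startsWith("/") || root.endsWith("/")) {
            throw new IllegalArgumentException("root must look like /restapi");
        }
        this.delegate = delegate;
        this.root = root;
    }

    // Matches the root itself and anything below it, but not siblings such as /restapi2.
    static boolean inScope(String path, String root) {
        return path.equals(root) || path.startsWith(root + "/");
    }

    // Path relative to the context root, as decoded by the container.
    static String pathWithinApp(HttpServletRequest req) {
        String info = req.getPathInfo();
        return info == null ? req.getServletPath() : req.getServletPath() + info;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && inScope(pathWithinApp((HttpServletRequest) req), root)) {
            delegate.doFilter(req, res, chain);   // API request: apply the scoped filter
        } else {
            chain.doFilter(req, res);             // everything else: skip it entirely
        }
    }

    public void init(FilterConfig cfg) throws ServletException { delegate.init(cfg); }
    public void destroy() { delegate.destroy(); }
}
```

The check uses getServletPath() and getPathInfo(), which the container has already decoded, rather than the raw getRequestURI() string, so an encoded variant of an API path is scoped the same way as the plain one.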