如何讓Spring引導和的OAuth2例如使用其他的密碼授予證書不是默認

Question

我下面來自Dave Syer基本春天啓動的OAuth2例如：https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java

@Configuration 
@ComponentScan 
@EnableAutoConfiguration 
@RestController 
public class Application { 

    public static void main(String[] args) { 
     SpringApplication.run(Application.class, args); 
    } 

    @RequestMapping("/") 
    public String home() { 
     return "Hello World"; 
    } 

    @Configuration 
    @EnableResourceServer 
    protected static class ResourceServer extends ResourceServerConfigurerAdapter { 

     @Override 
     public void configure(HttpSecurity http) throws Exception { 
      // @formatter:off 
      http 
       // Just for laughs, apply OAuth protection to only 2 resources 
       .requestMatchers().antMatchers("/","/admin/beans").and() 
       .authorizeRequests() 
       .anyRequest().access("#oauth2.hasScope('read')"); 
      // @formatter:on 
     } 

     @Override 
     public void configure(ResourceServerSecurityConfigurer resources) throws Exception { 
      resources.resourceId("sparklr"); 
     } 

    } 

    @Configuration 
    @EnableAuthorizationServer 
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { 

     @Autowired 
     private AuthenticationManager authenticationManager; 

     @Override 
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
      endpoints.authenticationManager(authenticationManager); 
     } 

     @Override 
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
      // @formatter:off 
      clients.inMemory() 
       .withClient("my-trusted-client") 
        .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") 
        .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") 
        .scopes("read", "write", "trust") 
        .resourceIds("sparklr") 
        .accessTokenValiditySeconds(60) 
      .and() 
       .withClient("my-client-with-registered-redirect") 
        .authorizedGrantTypes("authorization_code") 
        .authorities("ROLE_CLIENT") 
        .scopes("read", "trust") 
        .resourceIds("sparklr") 
        .redirectUris("http://anywhere?key=value") 
      .and() 
       .withClient("my-client-with-secret") 
        .authorizedGrantTypes("client_credentials", "password") 
        .authorities("ROLE_CLIENT") 
        .scopes("read") 
        .resourceIds("sparklr") 
        .secret("secret"); 
     // @formatter:on 
     } 

    } 
} 

的例子都非常好，這兩種類型的授權，但密碼授權使用Spring Boot默認安全用戶（在啓動過程中回顯爲「使用默認安全密碼：927ca0a0-634a-4671-bd1c-1323a866618a」）。

我的問題是你如何覆蓋默認的用戶帳戶，實際上依賴WebSecurityConfig？我已經添加了這樣一個部分：

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Override 
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) 
      throws Exception { 
     authManagerBuilder.inMemoryAuthentication().withUser("user") 
       .password("password").roles("USER"); 
    } 
} 

但它似乎並沒有重寫默認的Spring用戶/密碼，即使文檔建議它應該。

我錯過了什麼讓它工作？

Answer 1

@Configuration 
protected static class AuthenticationManagerConfiguration extends GlobalAuthenticationConfigurerAdapter { 

     @Override 
     public void init(AuthenticationManagerBuilder auth) throws Exception { 
      auth.inMemoryAuthentication().withUser("min").password("min").roles("USER"); 
     } 

    } 

Answer 2

正如我仍然在2.0.3，我嘗試了一些更多的東西，這似乎是工作：

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

    @Override 
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception { 
     authManagerBuilder 
      .inMemoryAuthentication() 
       .withUser("user1").password("password1").roles("USER").and() 
       .withUser("admin1").password("password1").roles("ADMIN"); 
    } 

    @Bean 
    @Override 
    public AuthenticationManager authenticationManager() throws Exception { 
     return super.authenticationManager(); 
    } 
} 

通過明確定義的AuthenticationManager豆，內置的用戶認證走了，它開始依靠我自己的inMemoryAuthentication。當2.0.4發佈時，我會重新評估Dave在上面發佈的解決方案，因爲它看起來會更優雅。

Answer 3

的例子指出以上 -
https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java
爲春季1.3

如果使用Spring 1.5及以上（其通常將是現在的情況下）需要添加額外的屬性。

正如其他人所指出的，我們可以使用

@Configuration 
@EnableWebSecurity 
public class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Override 
    public void configure(WebSecurity web) throws Exception { 
     web.ignoring().antMatchers("/resources/**"); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/user/getEmployeesList") 
      .hasAnyRole("ADMIN").anyRequest().authenticated().and().formLogin() 
      .permitAll().and().logout().permitAll(); 

     http.csrf().disable(); 
    } 

    @Override 
    public void configure(AuthenticationManagerBuilder authenticationMgr) throws Exception { 
     authenticationMgr.inMemoryAuthentication().withUser("javainuse").password("javainuse") 
      .authorities("ROLE_ADMIN"); 
    } 
} 

重要的一點是，如果使用Spring啓動1.5及以上還需要添加以下屬性 -

security.oauth2.resource.filter-order = 3 

面臨諸多問題試圖識別這一點。 還發現上述問題陳述了很好的借鑑 - Spring Boot + OAuth2 Example