Use resource id for realm in resource server by default

matta-perc · May 2, 2014 · 9e3da75 · 9e3da75
1 parent b704faa
commit 9e3da75
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 7 deletions.
diff --git a/...ringframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java b/...ringframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java
@@ -30,6 +30,9 @@
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
 
 /**
+ * Builder for OAuth2 client details service. Can be used to construct either an in-memory or a JDBC implementation of
+ * the {@link ClientDetailsService} and populate it with data.
+ * 
  * @author Dave Syer
  * 
  */
@@ -113,7 +116,8 @@ private ClientDetails build() {
 			result.setResourceIds(resourceIds);
 			if (autoApprove) {
 				result.setAutoApproveScopes(scopes);
-			} else {
+			}
+			else {
 				result.setAutoApproveScopes(autoApproveScopes);
 			}
 			return result;

diff --git a/...rk/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java b/...rk/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java
@@ -13,20 +13,49 @@
 
 package org.springframework.security.oauth2.config.annotation.web.configuration;
 
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
 
 /**
+ * Convenient strategy for configuring an OAUth2 Authorization Server. Beans of this type are applied to the Spring
+ * context automatically if you {@link EnableAuthorizationServer @EnableAuthorizationServer}.
+ * 
  * @author Dave Syer
- *
+ * 
  */
 public interface AuthorizationServerConfigurer {
 
-	void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception;
+	/**
+	 * Configure the security of the Authorization Server, which means in practical terms the /oauth/token endpoint. The
+	 * /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be
+	 * secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common
+	 * requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a
+	 * basic server up and running.
+	 * 
+	 * @param security a fluent configurer for security features
+	 */
+	void configure(AuthorizationServerSecurityConfigurer security) throws Exception;
 
+	/**
+	 * Configure the {@link ClientDetailsService}, e.g. declaring individual clients and their properties. Note that
+	 * password grant is not enabled (even if some clients are allowed it) unless an {@link AuthenticationManager} is
+	 * supplied to the {@link #configure(AuthorizationServerEndpointsConfigurer)}. At least one client, or a fully
+	 * formed custom {@link ClientDetailsService} must be declared or the server will not start.
+	 * 
+	 * @param clients the client details configurer
+	 */
 	void configure(ClientDetailsServiceConfigurer clients) throws Exception;
 
+	/**
+	 * Configure the non-security features of the Authorization Server endpoints, like token store, token
+	 * customizations, user approvals and grant types. You shouldn't need to do anything by default, unless you need
+	 * password grants, in which case you need to provide an {@link AuthenticationManager}.
+	 * 
+	 * @param endpoints the endpoints configurer
+	 */
 	void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception;
 
 }
diff --git a/...work/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java b/...work/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java
@@ -22,7 +22,7 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
+import org.springframework.core.Ordered;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -40,8 +40,9 @@
  * 
  */
 @Configuration
-@Order(3)
-public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter {
+public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter implements Ordered {
+
+	private int order = 3;
 
 	@Autowired(required = false)
 	private TokenStore tokenStore;
@@ -55,6 +56,15 @@ public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter {
 
 	@Autowired(required = false)
 	private AuthorizationServerEndpointsConfiguration endpoints;
+
+	@Override
+	public int getOrder() {
+		return order;
+	}
+
+	public void setOrder(int order) {
+		this.order = order;
+	}
 
 	/**
 	 * @param configurers the configurers to set

diff --git a/...amework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java b/...amework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java
@@ -30,7 +30,8 @@
 public interface ResourceServerConfigurer {
 
 	/**
-	 * Add resource-server specific properties (like a resource id).
+	 * Add resource-server specific properties (like a resource id). The defaults should work for many applications, but
+	 * you might want to change at least the resource id.
 	 * 
 	 * @param resources configurer for the resource server
 	 * @throws Exception if there is a problem

diff --git a/...rity/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java b/...rity/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java
@@ -57,6 +57,7 @@
 import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
 
 /**
+ * Configure the properties and enhanced functionality of the Authorization Server endpoints. 
  * 
  * @author Rob Winch
  * @author Dave Syer

diff --git a/...k/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java b/...k/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java
@@ -66,6 +66,10 @@ public final class ResourceServerSecurityConfigurer extends
 	private String resourceId = "oauth2-resource";
 
 	private SecurityExpressionHandler<FilterInvocation> expressionHandler = new OAuth2WebSecurityExpressionHandler();
+
+	public ResourceServerSecurityConfigurer() {
+		resourceId(resourceId);
+	}
 
 	private ClientDetailsService clientDetails() {
 		return getBuilder().getSharedObject(ClientDetailsService.class);
@@ -120,6 +124,9 @@ private void registerDefaultAuthenticationEntryPoint(HttpSecurity http) {
 
 	public ResourceServerSecurityConfigurer resourceId(String resourceId) {
 		this.resourceId = resourceId;
+		if (authenticationEntryPoint instanceof OAuth2AuthenticationEntryPoint) {
+			((OAuth2AuthenticationEntryPoint) authenticationEntryPoint).setRealmName(resourceId);
+		}
 		return this;
 	}