如何让Spring引导和的OAuth2例如使用其他的密码授予证书不是默认

Question

我下面来自Dave Syer基本春天启动的OAuth2例如：https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java

@Configuration 
@ComponentScan 
@EnableAutoConfiguration 
@RestController 
public class Application { 

    public static void main(String[] args) { 
     SpringApplication.run(Application.class, args); 
    } 

    @RequestMapping("/") 
    public String home() { 
     return "Hello World"; 
    } 

    @Configuration 
    @EnableResourceServer 
    protected static class ResourceServer extends ResourceServerConfigurerAdapter { 

     @Override 
     public void configure(HttpSecurity http) throws Exception { 
      // @formatter:off 
      http 
       // Just for laughs, apply OAuth protection to only 2 resources 
       .requestMatchers().antMatchers("/","/admin/beans").and() 
       .authorizeRequests() 
       .anyRequest().access("#oauth2.hasScope('read')"); 
      // @formatter:on 
     } 

     @Override 
     public void configure(ResourceServerSecurityConfigurer resources) throws Exception { 
      resources.resourceId("sparklr"); 
     } 

    } 

    @Configuration 
    @EnableAuthorizationServer 
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { 

     @Autowired 
     private AuthenticationManager authenticationManager; 

     @Override 
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
      endpoints.authenticationManager(authenticationManager); 
     } 

     @Override 
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
      // @formatter:off 
      clients.inMemory() 
       .withClient("my-trusted-client") 
        .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") 
        .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") 
        .scopes("read", "write", "trust") 
        .resourceIds("sparklr") 
        .accessTokenValiditySeconds(60) 
      .and() 
       .withClient("my-client-with-registered-redirect") 
        .authorizedGrantTypes("authorization_code") 
        .authorities("ROLE_CLIENT") 
        .scopes("read", "trust") 
        .resourceIds("sparklr") 
        .redirectUris("http://anywhere?key=value") 
      .and() 
       .withClient("my-client-with-secret") 
        .authorizedGrantTypes("client_credentials", "password") 
        .authorities("ROLE_CLIENT") 
        .scopes("read") 
        .resourceIds("sparklr") 
        .secret("secret"); 
     // @formatter:on 
     } 

    } 
} 

的例子都非常好，这两种类型的授权，但密码授权使用Spring Boot默认安全用户（在启动过程中回显为“使用默认安全密码：927ca0a0-634a-4671-bd1c-1323a866618a”）。

我的问题是你如何覆盖默认的用户帐户，实际上依赖WebSecurityConfig？我已经添加了这样一个部分：

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Override 
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) 
      throws Exception { 
     authManagerBuilder.inMemoryAuthentication().withUser("user") 
       .password("password").roles("USER"); 
    } 
} 

但它似乎并没有重写默认的Spring用户/密码，即使文档建议它应该。

我错过了什么让它工作？

Answer 1

@Configuration 
protected static class AuthenticationManagerConfiguration extends GlobalAuthenticationConfigurerAdapter { 

     @Override 
     public void init(AuthenticationManagerBuilder auth) throws Exception { 
      auth.inMemoryAuthentication().withUser("min").password("min").roles("USER"); 
     } 

    } 

Answer 2

正如我仍然在2.0.3，我尝试了一些更多的东西，这似乎是工作：

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

    @Override 
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception { 
     authManagerBuilder 
      .inMemoryAuthentication() 
       .withUser("user1").password("password1").roles("USER").and() 
       .withUser("admin1").password("password1").roles("ADMIN"); 
    } 

    @Bean 
    @Override 
    public AuthenticationManager authenticationManager() throws Exception { 
     return super.authenticationManager(); 
    } 
} 

通过明确定义的AuthenticationManager豆，内置的用户认证走了，它开始依靠我自己的inMemoryAuthentication。当2.0.4发布时，我会重新评估Dave在上面发布的解决方案，因为它看起来会更优雅。

Answer 3

的例子指出以上 -
https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java
为春季1.3

如果使用Spring 1.5及以上（其通常将是现在的情况下）需要添加额外的属性。

正如其他人所指出的，我们可以使用

@Configuration 
@EnableWebSecurity 
public class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Override 
    public void configure(WebSecurity web) throws Exception { 
     web.ignoring().antMatchers("/resources/**"); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/user/getEmployeesList") 
      .hasAnyRole("ADMIN").anyRequest().authenticated().and().formLogin() 
      .permitAll().and().logout().permitAll(); 

     http.csrf().disable(); 
    } 

    @Override 
    public void configure(AuthenticationManagerBuilder authenticationMgr) throws Exception { 
     authenticationMgr.inMemoryAuthentication().withUser("javainuse").password("javainuse") 
      .authorities("ROLE_ADMIN"); 
    } 
} 

重要的一点是，如果使用Spring启动1.5及以上还需要添加以下属性 -

security.oauth2.resource.filter-order = 3 

面临诸多问题试图识别这一点。 还发现上述问题陈述了很好的借鉴 - Spring Boot + OAuth2 Example