Spring OAuth - different login for web and REST


Hello, I have a web application secured with Spring Security, with a login page. This is my security configuration:

import javax.sql.DataSource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.UsersConnectionRepository;
// CustomSuccessHandler, CustomAuthenticationFailureHandler and FacebookConnectionSignup
// are the application's own classes under it.besmart; their imports are omitted here.

@Configuration
@ComponentScan("it.besmart")
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    CustomSuccessHandler customSuccessHandler;

    @Autowired
    CustomAuthenticationFailureHandler customAuthenticationFailureHandler;

    @Autowired
    DataSource dataSource;

    // Spring Social collaborators, injected for the Facebook sign-up flow (not used by this adapter itself)
    @Autowired
    private ConnectionFactoryLocator connectionFactoryLocator;

    @Autowired
    private UsersConnectionRepository usersConnectionRepository;

    @Autowired
    private FacebookConnectionSignup facebookConnectionSignup;

    private final static Logger logger = LoggerFactory.getLogger(SecurityConfiguration.class);

    // Registers the user store and password hashing with the global AuthenticationManagerBuilder,
    // so the same AuthenticationManager is shared by every filter chain in the application
    @Autowired
    public void configureGlobalService(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        logger.debug("Webapp security configured");
        http
            .authorizeRequests()
                // public pages
                .antMatchers("/", "/register", "/registrationConfirm", "/resendRegistrationToken", "/park/**")
                    .permitAll()
                // pages for any authenticated role
                .antMatchers("/edit/**", "/payment/**", "/plate/**", "/book/**", "/home", "/stop/**",
                        "/notification/**", "/include/**")
                    .access("hasRole('USER') or hasRole('ADMIN') or hasRole('PARK')")
                // administrative pages
                .antMatchers("/admin/**")
                    .access("hasRole('ADMIN') or hasRole('PARK')")
                // only reachable while holding the temporary password-change authority
                .antMatchers("/updatePassword")
                    .hasAuthority("CHANGE_PASSWORD_PRIVILEGE")
                .and()
            // the web application's login form lives at "/"
            .formLogin()
                .loginPage("/")
                .successHandler(customSuccessHandler)
                .failureHandler(customAuthenticationFailureHandler)
                .usernameParameter("email")
                .passwordParameter("password")
                .and()
            // persistent (database-backed) remember-me tokens, valid for one day
            .rememberMe()
                .rememberMeParameter("remember-me")
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(86400)
                .and()
            .exceptionHandling()
                .accessDeniedPage("/Access_Denied")
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/?logout=true")
                .permitAll();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }

}

This works well and secures my whole web application.

In the same application I also have a Resource/Authorization Server to protect some REST APIs.

Some resources are protected with an authorization code grant, so the untrusted Mobile App should obtain the access token from my application through a login form. I would like the application to use a different login page when the login comes from the Mobile App.

This is my resource server configuration:

import javax.sql.DataSource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

// @Configuration is required for @EnableResourceServer and the nested configurations to be picked up
@Configuration
@EnableResourceServer
@ComponentScan("it.besmart.easyparking")
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig {

    private final Logger logger = LoggerFactory.getLogger(ResourceServerConfig.class);

    @Autowired
    DataSource dataSource;

    private static final String RESOURCE_ID = "easyparking_api";

    // Endpoints reached by users through the authorization code grant
    @Configuration
    // @Order(2)
    public class grantCredentialsConfiguration extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            logger.debug("Api security configured");
            http
                .requestMatchers()
                    .antMatchers("/api/oauth/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/api/oauth/**").access("hasRole('USER')")
                    .and()
                // the login page intended for the Mobile App
                .formLogin()
                    .loginPage("/apilogin")
                    .permitAll();
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore()).resourceId(RESOURCE_ID);
        }
    }

    // Endpoints reached with a client credentials token
    @Configuration
    // @Order(4)
    public class clientCredentialsConfiguration extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            logger.debug("Client security configured");
            http
                .requestMatchers()
                    .antMatchers("/oauth2/**", "/api/registration", "/api/park/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/oauth2/**", "/api/registration", "/api/park/**").authenticated();
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore()).resourceId(RESOURCE_ID);
        }
    }

    // Access tokens are looked up in the database shared with the authorization server
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

}

So grantCredentialsConfiguration should redirect requests to the /apilogin form, but it does not: I am redirected to the main web app login page. How can this be accomplished?
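As an added example (not code from the question or its author), this is the standard Spring Security way to give one URL set its own login page: a second WebSecurityConfigurerAdapter with higher precedence that claims only the OAuth authorization endpoint and the /apilogin URLs, so every other request still falls through to the web chain above. The class name is hypothetical; it assumes Spring Security OAuth2's default authorization endpoint /oauth/authorize, a controller that renders GET /apilogin, and the global AuthenticationManager built in SecurityConfiguration.configureGlobalService.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (hypothetical class name): a dedicated filter chain for the OAuth
// authorization endpoint, so a mobile client running the authorization code grant is
// sent to /apilogin instead of the web application's "/" login page.
// Assumptions: Spring Security OAuth2's default authorization endpoint is /oauth/authorize,
// a controller renders the GET /apilogin page, and authentication is left to the global
// AuthenticationManager from SecurityConfiguration (no local configure(auth) override).
@Configuration
@Order(1) // evaluated before the web app's adapter, which keeps the default order (100)
public class ApiLoginSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Claim only the authorization endpoint and the API login URLs; every other
            // request falls through to the existing web chain and its "/" login page.
            .requestMatchers()
                .antMatchers("/oauth/authorize", "/apilogin")
                .and()
            .authorizeRequests()
                .antMatchers("/apilogin").permitAll()
                .anyRequest().authenticated()
                .and()
            // An unauthenticated request to /oauth/authorize is redirected here, not to "/".
            .formLogin()
                .loginPage("/apilogin")
                .loginProcessingUrl("/apilogin") // the login POST must be matched by this chain too
                .usernameParameter("email")       // same field names as the web login form
                .passwordParameter("password")
                .permitAll();
        // Keep the default session-based state: after a successful form login the browser is
        // sent back to the saved /oauth/authorize request, which reads the principal from the session.
    }
}
```

CSRF protection stays enabled on this chain, so the /apilogin form must include the CSRF token. The adapter also needs to precede the resource server chain, which Spring Security OAuth registers at order 3, and /oauth/authorize must not appear in that chain's requestMatchers.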
