系統采用前後端分離的架構，采用OAuth2協議是很自然的事情。

下面開始實戰，主要依賴以下兩個組件：

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
   <groupId>org.springframework.security.oauth</groupId>
   <artifactId>spring-security-oauth2</artifactId>
</dependency>

例外還要配置兩個Config：

一、認證服務器

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
 private UserApprovalHandler userApprovalHandler;

    @Autowired
 private AuthenticationManager authenticationManager;

    @Autowired
 private TokenStore tokenStore;

    @Autowired
 private MyUserService userService;

    @Autowired
 private ClientDetailsService clientDetailsService;

    @Override
 public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("aizoukeji")
// .authorizedGrantTypes("password", "authorization_code", "implicit")
 .authorizedGrantTypes("password")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .secret("18657189775")
                .accessTokenValiditySeconds(60 * 2);//Access token is only valid for 2 minutes.
// refreshTokenValiditySeconds(600);//Refresh token is only valid for 10 minutes.
 }

    @Override
 public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager)
                .userDetailsService(userService);
    }

    @Bean
 public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
 @Autowired
 public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
 @Autowired
 public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

二、資源服務器

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    private static final String RESOURCE_ID = "my_rest_api";

    @Override
 public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(true);
    }

    @Override
 public void configure(HttpSecurity http) throws Exception {
// http.requestMatchers().antMatchers("/**")
// .and()
// .authorizeRequests().antMatchers("/v1/**").authenticated()
// .and()
// .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());

 http.authorizeRequests().antMatchers("/v1/**").authenticated()
                .and()
                .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}

踩過的坑

一開始一直在配置WebSecurityConfigurerAdapter，其實這個跟ResourceServerConfigurerAdapter是沖突的，如果用OAuth來做認證的話，那麽只要配置ResourceServerConfigurerAdapter就可以了

延伸

Spring OAuth中有個SSO註解，可以幫助實現單點登錄。等項目發展起來以後，我們可以用這個來實現賬號的統一授權。

Spring Boot Restful WebAPI集成 OAuth2