Add javadoc for the OAuth 2.0 Security Configurer's

Fixes gh-4972
This commit is contained in:
Joe Grandja 2018-01-24 06:18:08 -05:00
parent 6b24aaf6f5
commit 900ab1df81
2 changed files with 202 additions and 2 deletions

View File

@ -23,22 +23,60 @@ import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequest
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
* A security configurer for the Implicit Grant type. * An {@link AbstractHttpConfigurer} for the OAuth 2.0 Implicit Grant type.
*
* <h2>Security Filters</h2>
*
* The following {@code Filter}'s are populated:
*
* <ul>
* <li>{@link OAuth2AuthorizationRequestRedirectFilter}</li>
* </ul>
*
* <h2>Shared Objects Created</h2>
*
* The following shared objects are populated:
*
* <ul>
* <li>{@link ClientRegistrationRepository} (required)</li>
* </ul>
*
* <h2>Shared Objects Used</h2>
*
* The following shared objects are used:
*
* <ul>
* <li>{@link ClientRegistrationRepository}</li>
* </ul>
* *
* @author Joe Grandja * @author Joe Grandja
* @since 5.0 * @since 5.0
* @see OAuth2AuthorizationRequestRedirectFilter
* @see ClientRegistrationRepository
*/ */
public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> extends public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> extends
AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> { AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {
private String authorizationRequestBaseUri; private String authorizationRequestBaseUri;
/**
* Sets the base {@code URI} used for authorization requests.
*
* @param authorizationRequestBaseUri the base {@code URI} used for authorization requests
* @return the {@link ImplicitGrantConfigurer} for further configuration
*/
public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) { public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) {
Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty"); Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
this.authorizationRequestBaseUri = authorizationRequestBaseUri; this.authorizationRequestBaseUri = authorizationRequestBaseUri;
return this; return this;
} }
/**
* Sets the repository of client registrations.
*
* @param clientRegistrationRepository the repository of client registrations
* @return the {@link ImplicitGrantConfigurer} for further configuration
*/
public ImplicitGrantConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) { public ImplicitGrantConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository); this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);

View File

@ -20,7 +20,9 @@ import org.springframework.context.ApplicationContext;
import org.springframework.core.ResolvableType; import org.springframework.core.ResolvableType;
import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer; import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
@ -62,11 +64,57 @@ import java.util.List;
import java.util.Map; import java.util.Map;
/** /**
* A security configurer for OAuth 2.0 / OpenID Connect 1.0 login. * An {@link AbstractHttpConfigurer} for OAuth 2.0 Login,
* which leverages the OAuth 2.0 Authorization Code Grant Flow.
*
* <p>
* OAuth 2.0 Login provides an application with the capability to have users log in
* by using their existing account at an OAuth 2.0 or OpenID Connect 1.0 Provider.
*
* <p>
* Defaults are provided for all configuration options with the only required configuration
* being {@link #clientRegistrationRepository(ClientRegistrationRepository)}.
* Alternatively, a {@link ClientRegistrationRepository} {@code @Bean} may be registered instead.
*
* <h2>Security Filters</h2>
*
* The following {@code Filter}'s are populated:
*
* <ul>
* <li>{@link OAuth2AuthorizationRequestRedirectFilter}</li>
* <li>{@link OAuth2LoginAuthenticationFilter}</li>
* </ul>
*
* <h2>Shared Objects Created</h2>
*
* The following shared objects are populated:
*
* <ul>
* <li>{@link ClientRegistrationRepository} (required)</li>
* <li>{@link OAuth2AuthorizedClientService} (optional)</li>
* <li>{@link GrantedAuthoritiesMapper} (optional)</li>
* </ul>
*
* <h2>Shared Objects Used</h2>
*
* The following shared objects are used:
*
* <ul>
* <li>{@link ClientRegistrationRepository}</li>
* <li>{@link OAuth2AuthorizedClientService}</li>
* <li>{@link GrantedAuthoritiesMapper}</li>
* <li>{@link DefaultLoginPageGeneratingFilter} - if {@link #loginPage(String)} is not configured
* and {@code DefaultLoginPageGeneratingFilter} is available, than a default login page will be made available</li>
* </ul>
* *
* @author Joe Grandja * @author Joe Grandja
* @author Kazuki Shimizu * @author Kazuki Shimizu
* @since 5.0 * @since 5.0
* @see HttpSecurity#oauth2Login()
* @see OAuth2AuthorizationRequestRedirectFilter
* @see OAuth2LoginAuthenticationFilter
* @see ClientRegistrationRepository
* @see AbstractAuthenticationFilterConfigurer
*/ */
public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> extends public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> extends
AbstractAuthenticationFilterConfigurer<B, OAuth2LoginConfigurer<B>, OAuth2LoginAuthenticationFilter> { AbstractAuthenticationFilterConfigurer<B, OAuth2LoginConfigurer<B>, OAuth2LoginAuthenticationFilter> {
@ -77,12 +125,24 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
private final UserInfoEndpointConfig userInfoEndpointConfig = new UserInfoEndpointConfig(); private final UserInfoEndpointConfig userInfoEndpointConfig = new UserInfoEndpointConfig();
private String loginPage; private String loginPage;
/**
* Sets the repository of client registrations.
*
* @param clientRegistrationRepository the repository of client registrations
* @return the {@link OAuth2LoginConfigurer} for further configuration
*/
public OAuth2LoginConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) { public OAuth2LoginConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository); this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
return this; return this;
} }
/**
* Sets the service for authorized client(s).
*
* @param authorizedClientService the authorized client service
* @return the {@link OAuth2LoginConfigurer} for further configuration
*/
public OAuth2LoginConfigurer<B> authorizedClientService(OAuth2AuthorizedClientService authorizedClientService) { public OAuth2LoginConfigurer<B> authorizedClientService(OAuth2AuthorizedClientService authorizedClientService) {
Assert.notNull(authorizedClientService, "authorizedClientService cannot be null"); Assert.notNull(authorizedClientService, "authorizedClientService cannot be null");
this.getBuilder().setSharedObject(OAuth2AuthorizedClientService.class, authorizedClientService); this.getBuilder().setSharedObject(OAuth2AuthorizedClientService.class, authorizedClientService);
@ -96,10 +156,18 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
return this; return this;
} }
/**
* Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization Server's Authorization Endpoint.
*
* @return the {@link AuthorizationEndpointConfig}
*/
public AuthorizationEndpointConfig authorizationEndpoint() { public AuthorizationEndpointConfig authorizationEndpoint() {
return this.authorizationEndpointConfig; return this.authorizationEndpointConfig;
} }
/**
* Configuration options for the Authorization Server's Authorization Endpoint.
*/
public class AuthorizationEndpointConfig { public class AuthorizationEndpointConfig {
private String authorizationRequestBaseUri; private String authorizationRequestBaseUri;
private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository; private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
@ -107,33 +175,64 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
private AuthorizationEndpointConfig() { private AuthorizationEndpointConfig() {
} }
/**
* Sets the base {@code URI} used for authorization requests.
*
* @param authorizationRequestBaseUri the base {@code URI} used for authorization requests
* @return the {@link AuthorizationEndpointConfig} for further configuration
*/
public AuthorizationEndpointConfig baseUri(String authorizationRequestBaseUri) { public AuthorizationEndpointConfig baseUri(String authorizationRequestBaseUri) {
Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty"); Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
this.authorizationRequestBaseUri = authorizationRequestBaseUri; this.authorizationRequestBaseUri = authorizationRequestBaseUri;
return this; return this;
} }
/**
* Sets the repository used for storing {@link OAuth2AuthorizationRequest}'s.
*
* @param authorizationRequestRepository the repository used for storing {@link OAuth2AuthorizationRequest}'s
* @return the {@link AuthorizationEndpointConfig} for further configuration
*/
public AuthorizationEndpointConfig authorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) { public AuthorizationEndpointConfig authorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) {
Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null"); Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
this.authorizationRequestRepository = authorizationRequestRepository; this.authorizationRequestRepository = authorizationRequestRepository;
return this; return this;
} }
/**
* Returns the {@link OAuth2LoginConfigurer} for further configuration.
*
* @return the {@link OAuth2LoginConfigurer}
*/
public OAuth2LoginConfigurer<B> and() { public OAuth2LoginConfigurer<B> and() {
return OAuth2LoginConfigurer.this; return OAuth2LoginConfigurer.this;
} }
} }
/**
* Returns the {@link TokenEndpointConfig} for configuring the Authorization Server's Token Endpoint.
*
* @return the {@link TokenEndpointConfig}
*/
public TokenEndpointConfig tokenEndpoint() { public TokenEndpointConfig tokenEndpoint() {
return this.tokenEndpointConfig; return this.tokenEndpointConfig;
} }
/**
* Configuration options for the Authorization Server's Token Endpoint.
*/
public class TokenEndpointConfig { public class TokenEndpointConfig {
private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient; private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
private TokenEndpointConfig() { private TokenEndpointConfig() {
} }
/**
* Sets the client used for requesting the access token credential from the Token Endpoint.
*
* @param accessTokenResponseClient the client used for requesting the access token credential from the Token Endpoint
* @return the {@link TokenEndpointConfig} for further configuration
*/
public TokenEndpointConfig accessTokenResponseClient( public TokenEndpointConfig accessTokenResponseClient(
OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient) { OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient) {
@ -142,36 +241,68 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
return this; return this;
} }
/**
* Returns the {@link OAuth2LoginConfigurer} for further configuration.
*
* @return the {@link OAuth2LoginConfigurer}
*/
public OAuth2LoginConfigurer<B> and() { public OAuth2LoginConfigurer<B> and() {
return OAuth2LoginConfigurer.this; return OAuth2LoginConfigurer.this;
} }
} }
/**
* Returns the {@link RedirectionEndpointConfig} for configuring the Client's Redirection Endpoint.
*
* @return the {@link RedirectionEndpointConfig}
*/
public RedirectionEndpointConfig redirectionEndpoint() { public RedirectionEndpointConfig redirectionEndpoint() {
return this.redirectionEndpointConfig; return this.redirectionEndpointConfig;
} }
/**
* Configuration options for the Client's Redirection Endpoint.
*/
public class RedirectionEndpointConfig { public class RedirectionEndpointConfig {
private String authorizationResponseBaseUri; private String authorizationResponseBaseUri;
private RedirectionEndpointConfig() { private RedirectionEndpointConfig() {
} }
/**
* Sets the {@code URI} where the authorization response will be processed.
*
* @param authorizationResponseBaseUri the {@code URI} where the authorization response will be processed
* @return the {@link RedirectionEndpointConfig} for further configuration
*/
public RedirectionEndpointConfig baseUri(String authorizationResponseBaseUri) { public RedirectionEndpointConfig baseUri(String authorizationResponseBaseUri) {
Assert.hasText(authorizationResponseBaseUri, "authorizationResponseBaseUri cannot be empty"); Assert.hasText(authorizationResponseBaseUri, "authorizationResponseBaseUri cannot be empty");
this.authorizationResponseBaseUri = authorizationResponseBaseUri; this.authorizationResponseBaseUri = authorizationResponseBaseUri;
return this; return this;
} }
/**
* Returns the {@link OAuth2LoginConfigurer} for further configuration.
*
* @return the {@link OAuth2LoginConfigurer}
*/
public OAuth2LoginConfigurer<B> and() { public OAuth2LoginConfigurer<B> and() {
return OAuth2LoginConfigurer.this; return OAuth2LoginConfigurer.this;
} }
} }
/**
* Returns the {@link UserInfoEndpointConfig} for configuring the Authorization Server's UserInfo Endpoint.
*
* @return the {@link UserInfoEndpointConfig}
*/
public UserInfoEndpointConfig userInfoEndpoint() { public UserInfoEndpointConfig userInfoEndpoint() {
return this.userInfoEndpointConfig; return this.userInfoEndpointConfig;
} }
/**
* Configuration options for the Authorization Server's UserInfo Endpoint.
*/
public class UserInfoEndpointConfig { public class UserInfoEndpointConfig {
private OAuth2UserService<OAuth2UserRequest, OAuth2User> userService; private OAuth2UserService<OAuth2UserRequest, OAuth2User> userService;
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService; private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
@ -180,18 +311,38 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
private UserInfoEndpointConfig() { private UserInfoEndpointConfig() {
} }
/**
* Sets the OAuth 2.0 service used for obtaining the user attributes of the End-User from the UserInfo Endpoint.
*
* @param userService the OAuth 2.0 service used for obtaining the user attributes of the End-User from the UserInfo Endpoint
* @return the {@link UserInfoEndpointConfig} for further configuration
*/
public UserInfoEndpointConfig userService(OAuth2UserService<OAuth2UserRequest, OAuth2User> userService) { public UserInfoEndpointConfig userService(OAuth2UserService<OAuth2UserRequest, OAuth2User> userService) {
Assert.notNull(userService, "userService cannot be null"); Assert.notNull(userService, "userService cannot be null");
this.userService = userService; this.userService = userService;
return this; return this;
} }
/**
* Sets the OpenID Connect 1.0 service used for obtaining the user attributes of the End-User from the UserInfo Endpoint.
*
* @param oidcUserService the OpenID Connect 1.0 service used for obtaining the user attributes of the End-User from the UserInfo Endpoint
* @return the {@link UserInfoEndpointConfig} for further configuration
*/
public UserInfoEndpointConfig oidcUserService(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) { public UserInfoEndpointConfig oidcUserService(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) {
Assert.notNull(oidcUserService, "oidcUserService cannot be null"); Assert.notNull(oidcUserService, "oidcUserService cannot be null");
this.oidcUserService = oidcUserService; this.oidcUserService = oidcUserService;
return this; return this;
} }
/**
* Sets a custom {@link OAuth2User} type and associates it to the provided
* client {@link ClientRegistration#getRegistrationId() registration identifier}.
*
* @param customUserType a custom {@link OAuth2User} type
* @param clientRegistrationId the client registration identifier
* @return the {@link UserInfoEndpointConfig} for further configuration
*/
public UserInfoEndpointConfig customUserType(Class<? extends OAuth2User> customUserType, String clientRegistrationId) { public UserInfoEndpointConfig customUserType(Class<? extends OAuth2User> customUserType, String clientRegistrationId) {
Assert.notNull(customUserType, "customUserType cannot be null"); Assert.notNull(customUserType, "customUserType cannot be null");
Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty"); Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
@ -199,12 +350,23 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
return this; return this;
} }
/**
* Sets the {@link GrantedAuthoritiesMapper} used for mapping {@link OAuth2User#getAuthorities()}.
*
* @param userAuthoritiesMapper the {@link GrantedAuthoritiesMapper} used for mapping the user's authorities
* @return the {@link UserInfoEndpointConfig} for further configuration
*/
public UserInfoEndpointConfig userAuthoritiesMapper(GrantedAuthoritiesMapper userAuthoritiesMapper) { public UserInfoEndpointConfig userAuthoritiesMapper(GrantedAuthoritiesMapper userAuthoritiesMapper) {
Assert.notNull(userAuthoritiesMapper, "userAuthoritiesMapper cannot be null"); Assert.notNull(userAuthoritiesMapper, "userAuthoritiesMapper cannot be null");
OAuth2LoginConfigurer.this.getBuilder().setSharedObject(GrantedAuthoritiesMapper.class, userAuthoritiesMapper); OAuth2LoginConfigurer.this.getBuilder().setSharedObject(GrantedAuthoritiesMapper.class, userAuthoritiesMapper);
return this; return this;
} }
/**
* Returns the {@link OAuth2LoginConfigurer} for further configuration.
*
* @return the {@link OAuth2LoginConfigurer}
*/
public OAuth2LoginConfigurer<B> and() { public OAuth2LoginConfigurer<B> and() {
return OAuth2LoginConfigurer.this; return OAuth2LoginConfigurer.this;
} }