Class SpringAuthorizationServerComponentsConfiguration

java.lang.Object
com.broadleafcommerce.auth.authorization.security.autoconfigure.SpringAuthorizationServerComponentsConfiguration

@Configuration(proxyBeanMethods=false) public class SpringAuthorizationServerComponentsConfiguration extends Object
Configuration for components related to Spring Authorization Server. This is engaged by SecurityAutoConfiguration.SpringAuthorizationServerSecurityConfiguration.
  • Constructor Details

    • SpringAuthorizationServerComponentsConfiguration

      public SpringAuthorizationServerComponentsConfiguration()
  • Method Details

    • authorizationServerSecurityFilterChain

      @Bean("authorizationServerSecurityFilterChain") @ConditionalOnMissingBean(name="authorizationServerSecurityFilterChain") @Order(-2147473648) public org.springframework.security.web.SecurityFilterChain authorizationServerSecurityFilterChain(
          org.springframework.security.config.annotation.web.builders.HttpSecurity http,
          @Qualifier("oAuth2AuthorizationServerConfigurer") org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer oAuth2AuthorizationServerConfigurer,
          @Autowired(required=false) @Nullable List<EarlyAuthorizationServerSecurityChainCustomizer> earlyAuthorizationServerSecurityCustomizers,
          @Autowired(required=false) @Nullable List<LateAuthorizationServerSecurityChainCustomizer> lateAuthorizationServerSecurityCustomizers,
          org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint,
          org.springframework.security.web.savedrequest.RequestCache requestCache,
          ClientIdFilter clientIdFilter,
          DefaultOAuth2ParamFilter oauth2ParamFilter,
          Optional<RelaxedOAuth2RequestParameterPlacementFilter> relaxedOAuth2RequestParameterPlacementFilter,
          AuthorizationServerTokenGeneratorConfigurationCustomizer authorizationServerTokenGeneratorConfigurationCustomizer,
          AuthorizationServerAuthenticationFilterConfigurationCustomizer authorizationServerAuthenticationFilterConfigurationCustomizer,
          OAuth2AuthorizationServerConfigurerCustomizer oAuth2AuthorizationServerConfigurerCustomizer)
          throws Exception
      This security filter chain is intentionally separate and applies only to the 'protocol endpoints' that Spring Authorization Server deals with.

      This applies to a very narrow, targeted set of paths, so we assign the bean a higher precedence.

      See OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(HttpSecurity) for reference on some of the configuration here.

      Parameters:
      http - the security filter chain builder
      Returns:
      a security filter chain engaging Spring Authorization Server support
      Throws:
      Exception - if something fails
    • configureRequestCache

      protected void configureRequestCache(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.savedrequest.RequestCache requestCache, Class<? extends jakarta.servlet.Filter> filterToPositionOthersAfter)

      This aims to do the same thing that RequestCacheConfigurer does when you use HttpSecurity.requestCache(Customizer). We can't use that DSL directly because it provides no way to change the ordering of the RequestCacheAwareFilter. Thus, we have to duplicate its logic here and manually register the filter with our customizations.

      The key difference in this configuration is that we ensure RequestCacheAwareFilter applies earlier than the OAuth2 endpoint filters such as OAuth2AuthorizationEndpointFilter. This allows it to engage and perform appropriate clearing of saved request state. Otherwise, the OAuth2 filters will run to completion and skip the rest of the filter chain, which would leave RequestCacheAwareFilter unused (and therefore leave cached requests orphaned).

      Parameters:
      http - the security filter chain to customize
      requestCache - the request cache instance to use. This must be consistent with the request cache we use in the authentication security filter chain, as it will be responsible for loading/deleting saved requests.
      filterToPositionOthersAfter - the filter after which to order the RequestCacheAwareFilter. This should be something that is earlier than the OAuth2 endpoint filters.
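
      The ordering problem described for configureRequestCache, as an added example that is neither Broadleaf's nor Spring Security's code: a simplified stand-alone model of a filter chain in which the two filters are plain lambdas. The class name, the SAVED_REQUEST session key and the sample URI are assumptions made for illustration.

```java
import java.util.*;

/** Simplified model of a servlet filter chain; these are not Spring Security's classes. */
public class RequestCacheOrderingDemo {
    interface Filter { void doFilter(Map<String, String> session, String uri, Deque<Filter> rest); }

    // Hands the request to the next filter in the chain, if there is one.
    static void proceed(Map<String, String> session, String uri, Deque<Filter> rest) {
        Filter next = rest.poll();
        if (next != null) next.doFilter(session, uri, rest);
    }

    // Models RequestCacheAwareFilter: when the incoming request matches the saved one,
    // the saved request is removed from the session, then the chain continues.
    static final Filter REQUEST_CACHE_AWARE = (session, uri, rest) -> {
        if (uri.equals(session.get("SAVED_REQUEST"))) session.remove("SAVED_REQUEST");
        proceed(session, uri, rest);
    };

    // Models an OAuth2 endpoint filter: it answers its own path itself and
    // does not invoke the rest of the chain.
    static final Filter AUTHORIZATION_ENDPOINT = (session, uri, rest) -> {
        if (uri.startsWith("/oauth2/authorize")) return; // response written here
        proceed(session, uri, rest);
    };

    /** Replays the post-login redirect; true means the saved request was left in the session. */
    static boolean savedRequestOrphaned(List<Filter> chain) {
        String uri = "/oauth2/authorize?client_id=demo"; // constructed sample request
        Map<String, String> session = new HashMap<>();
        session.put("SAVED_REQUEST", uri); // saved when the anonymous user was sent to log in
        proceed(session, uri, new ArrayDeque<>(chain));
        return session.containsKey("SAVED_REQUEST");
    }

    public static void main(String[] args) {
        // Endpoint filter ahead of the cache-aware filter: the chain stops at the endpoint.
        System.out.println("endpoint filter first -> orphaned: "
                + savedRequestOrphaned(List.of(AUTHORIZATION_ENDPOINT, REQUEST_CACHE_AWARE)));
        // Cache-aware filter ahead of the endpoint filter, as configureRequestCache arranges.
        System.out.println("cache filter first    -> orphaned: "
                + savedRequestOrphaned(List.of(REQUEST_CACHE_AWARE, AUTHORIZATION_ENDPOINT)));
    }
}
```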
    • authorizationServerAuthenticationFilterConfigurationCustomizer

      @Bean @ConditionalOnMissingBean public AuthorizationServerAuthenticationFilterConfigurationCustomizer authorizationServerAuthenticationFilterConfigurationCustomizer(OAuth2SessionAuthenticationFilter oAuth2SessionAuthenticationFilter)
    • registeredClientRepository

      @Bean @ConditionalOnMissingBean public org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository(AuthorizedClientService<AuthorizedClient> authorizedClientService)
    • authorizationServerSettings

      @Bean @ConditionalOnMissingBean public org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings authorizationServerSettings()
    • oAuth2AuthorizationCodeRequestAuthenticationValidator

      @Bean(name="oAuth2AuthorizationCodeRequestAuthenticationValidator") @ConditionalOnMissingBean(name="oAuth2AuthorizationCodeRequestAuthenticationValidator") public DefaultOAuth2AuthorizationCodeRequestAuthenticationValidator oAuth2AuthorizationCodeRequestAuthenticationValidator()
    • authorizationServerTokenGeneratorConfigurationCustomizer

      @Bean @ConditionalOnMissingBean public AuthorizationServerTokenGeneratorConfigurationCustomizer authorizationServerTokenGeneratorConfigurationCustomizer()
    • publicRefreshPublicClientAuthenticationConverter

      @Bean @ConditionalOnMissingBean protected PublicRefreshPublicClientAuthenticationConverter publicRefreshPublicClientAuthenticationConverter()
    • oAuth2AuthorizationServerConfigurer

      @Bean(name="oAuth2AuthorizationServerConfigurer") @ConditionalOnMissingBean(name="oAuth2AuthorizationServerConfigurer") public org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer oAuth2AuthorizationServerConfigurer()
    • oAuth2AuthorizationServerConfigurerCustomizer

      @Bean @ConditionalOnMissingBean public OAuth2AuthorizationServerConfigurerCustomizer oAuth2AuthorizationServerConfigurerCustomizer(
          org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService,
          SecurityService securityService,
          org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository,
          DefaultClientScopeAuthorizationCodeRequestConverter defaultClientScopeAuthorizationCodeRequestConverter,
          DefaultClientScopeClientCredentialsRequestConverter defaultClientScopeClientCredentialsRequestConverter,
          @Qualifier("oAuth2AuthorizationCodeRequestAuthenticationValidator") Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> oAuth2AuthorizationCodeRequestAuthenticationValidator,
          TokenProperties tokenProperties,
          @Nullable EmbeddedLoginProperties embeddedLoginProperties,
          @Nullable EmbeddedLoginCodeAuthenticationConverter embeddedLoginCodeAuthenticationConverter,
          PasscodeService<PasswordToken,User> passcodeService,
          OAuth2UserDetailsService userDetailsService,
          UserService<User> userService,
          PublicRefreshPublicClientAuthenticationConverter authenticationConverter,
          AuthorizedClientService<AuthorizedClient> clientService)