Spring Security and OAuth2 resource controls override each other and cannot take effect at the same time

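I added Spring Security OAuth2 on top of an existing Spring Security setup to control requests under /api. I went through many configurations found online, but when testing I found that Spring Security's resource control and Spring Security OAuth2's resource control override each other, and I cannot get them to control their own resources separately. If I add security.oauth2.resource.filter-order=3 to the configuration, Spring Security's control is used; otherwise OAuth2's control is used.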

My configuration in the code is as follows:

Spring Security configuration:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserManagerService userManagerService;
    
    @Override
    @Bean // shared with OAuth2
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    
    /**
     * Password encoding
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Disable CSRF protection (cross-origin access)
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/oauth/**").permitAll()
                .antMatchers("/**/*.js", "/**/*.css", "/**/*.png",
                        "/**/*.gif", "/**/*.jpg", "/**/*.jpeg", "/**/*.map",
                        "/**/*.ico").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/user/login_page")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(new CustomSimpleUrlAuthenticationSuccessHandler())
                .failureHandler(new CustomSimpleUrlAuthenticationFailureHandler())
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/user/login_page")
                .permitAll();
    }
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(userManagerService)
        .passwordEncoder(passwordEncoder());
    }
    
}

Spring Security OAuth2 configuration:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration
        extends AuthorizationServerConfigurerAdapter {
    @Autowired
    AuthenticationManager authenticationManager;
    @Autowired
    private UserManagerService userManagerService;
    
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.tokenStore(tokenStore())
                .userDetailsService(userManagerService)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
        // Allow form authentication
        security
                .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("cmdb")
                .authorizedGrantTypes("password", "refresh_token")
                .secret("api")
                .scopes("xxx");
    }
}

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration
        extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}

I have read many blog posts and also looked up the authorization flows of the several Spring OAuth2 modes, but I still could not find the cause.

Answer
有你在

Solved.

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration
        extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
                .authorizeRequests()
                .antMatchers("/api/**")
                .authenticated();
    }
}
2017-09-14 05:40
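
Why the `requestMatchers()` line in the answer separates the two configurations, shown as an added example that is not part of the original question or answer and is not Spring code: Spring Security hands each request to the first filter chain whose request matcher accepts it, and no later chain is consulted. The model assumes a chain with no request matcher restriction matches every path; the chain order and the sample paths are constructed for illustration, and the chain names reuse the class names from the post.

```java
import java.util.List;
import java.util.function.Predicate;

// Simplified model of first-match filter chain selection; not Spring code.
public class ChainSelectionDemo {

    // One security filter chain: a name plus the predicate deciding which paths it handles.
    static final class Chain {
        final String name;
        final Predicate<String> matcher;
        Chain(String name, Predicate<String> matcher) {
            this.name = name;
            this.matcher = matcher;
        }
    }

    // Assumption: a chain with no request matcher restriction matches every path.
    static final Predicate<String> ANY = path -> true;
    // Simplified stand-in for requestMatchers().antMatchers("/api/**").
    static final Predicate<String> API = path -> path.equals("/api") || path.startsWith("/api/");

    // The first chain (in order) whose matcher accepts the path handles the request alone.
    static String select(List<Chain> ordered, String path) {
        for (Chain c : ordered) {
            if (c.matcher.test(path)) {
                return c.name;
            }
        }
        return "none";
    }

    static void show(String label, List<Chain> ordered) {
        System.out.println(label);
        // Constructed sample paths.
        for (String path : List.of("/api/hosts", "/user/login_page", "/index")) {
            System.out.println("  " + path + " -> " + select(ordered, path));
        }
    }

    public static void main(String[] args) {
        Chain web = new Chain("WebSecurityConfig", ANY);
        Chain resAll = new Chain("ResourceServerConfiguration", ANY);
        Chain resApi = new Chain("ResourceServerConfiguration", API);

        show("Both chains match everything, web chain first:", List.of(web, resAll));
        show("Both chains match everything, resource server first:", List.of(resAll, web));
        show("Resource server limited to /api/**, consulted first:", List.of(resApi, web));
    }
}
```

In the first two runs one chain takes every path, so changing the order only swaps which configuration wins; in the third run `/api/hosts` goes to the resource server chain and the other paths fall through to the web chain.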