我有带有标准表单例份验证的应用程序(用户名和密码)。我尝试在我的应用程序中配置 OAuth2。我有xml配置。我有一个问题,客户端 ID 和客户端密码必须是用户登录名和密码之一(例如,如果我有用户 abc123,密码为 qwerty 我必须将客户端 ID 设置为 abc123 和客户端 key qwerty)。我可以将用户名和密码的客户端 ID 和客户端 key 分开吗?
我的配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd" >
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/API/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/API/**" access="ROLE_RESTREAD" method="GET" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http auto-config="false" use-expressions="true"
disable-url-rewriting="true">
<intercept-url pattern="/isSessionValid" access="permitAll"
requires-channel="any" />
<intercept-url pattern="/**" access="isAuthenticated()"
requires-channel="any" />
<form-login login-page="/login" authentication-failure-url="/loginFailed"
default-target-url="/loginSuccess" always-use-default-target="true" />
<logout logout-success-url="/login" />
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:client-credentials />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices" />
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" >
<beans:constructor-arg ref="dataSource" />
</beans:bean>
<beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService" >
<beans:constructor-arg ref="dataSource" />
</beans:bean>
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="tokenStore" />
<beans:property name="supportRefreshToken" value="false" />
<beans:property name="clientDetailsService" ref="clientDetails" />
<beans:property name="accessTokenValiditySeconds" value="400000" />
<beans:property name="refreshTokenValiditySeconds" value="0" />
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" >
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="theRealm" />
</beans:bean>
<beans:bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="theRealm/client" />
<beans:property name="typeName" value="Basic" />
</beans:bean>
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="aManager" />
</beans:bean>
<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<expression-handler ref="oauthExpressionHandler" />
</global-method-security>
<authentication-manager alias="aManager">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<beans:bean id="userRepository" class="pl.execon.grm.repository.UserRepository">
<beans:property name="sessionFactory" ref="sessionFactory" />
</beans:bean>
<beans:bean id="userDetailsService" class="pl.execon.grm.auth.GRMUserDataService">
<beans:property name="userRepository" ref="userRepository" />
</beans:bean>
<authentication-manager alias="authManager">
<authentication-provider user-service-ref='userDetailsService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
最佳答案
我解决了我的问题。它位于身份验证管理器的配置中。在 XML 中我有:
<authentication-manager alias="aManager">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
和
<authentication-manager alias="authManager">
<authentication-provider user-service-ref='userDetailsService'/>
</authentication-manager>
这两个身份验证管理器已提交别名,因此第一个身份验证管理器不会进行身份验证,只有第二个有效(当我设置用户名和密码时)。在第一个身份验证管理器中将 alias 更改为 id 解决了我的问题。现在,如果我在获取 token 时进行身份验证,则会使用客户端 ID 和客户端 key 。
关于java - 如何正确配置 Spring Security OAuth 2.0 客户端凭据?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33032990/