我在无状态的应用程序中使用 Spring Security Oauth2 进行身份验证。下面是spring配置文件的代码片段
我也用过 <%@ page session="false" %>在所有jsp中。
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request -->
<!-- parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http auto-config="true" create-session="stateless">
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/welcome*" access="ROLE_USER" />
<intercept-url pattern="/test" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed"
authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<logout logout-success-url="/logout" />
<custom-filter ref="preAuthFilter" after="PRE_AUTH_FILTER" />
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>`
此外,我还创建了自己的授权端点(/authorizeTest),因为 Ouath2(/oauth/authorize)提供的授权端点将 AuthorizationRequest 作为 session 属性。以下是 CustomAuthorizationEndPoint 的代码片段
<beans:bean id="customAuthorizationEndpoint"
class="com.mkyong.common.controller.CustomAuthorizationEndpoint">
<beans:property name="tokenGranter" ref="authorizationCodeTokenGranter" />
<beans:property name="clientDetailsService" ref="clientDetails" />
<beans:property name="oAuth2RequestFactory" ref="customOAuth2RequestFactory" />
<beans:property name="authorizationCodeServices"
ref="inMemoryAuthorizationCodeServices" />
<beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<beans:bean id="authorizationCodeTokenGranter"
class="org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter">
<beans:constructor-arg index="0" ref="tokenServices" />
<beans:constructor-arg index="1"
ref="authorizationCodeServices" />
<beans:constructor-arg index="2" ref="clientDetails" />
<beans:constructor-arg index="3"
ref="customOAuth2RequestFactory" />
</beans:bean>
<beans:bean id="customOAuth2RequestFactory"
class="com.mkyong.common.controller.CustomOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetails" />
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="customAuthorizationRequest" ref="customAuthorizationRequest" />
</beans:bean>
<beans:bean id="customAuthorizationRequest"
class="com.mkyong.common.controller.CustomAuthorizationRequest">
</beans:bean>
<beans:bean id="authorizationCodeServices"
class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
但我仍然生成了 jsession。
最佳答案
使用create-session="stateless"意味着您告诉Spring Security不要创建 session 或存储用户的身份验证信息。如果其他库认为有必要,它不会阻止它们创建 session (oauth 是一个单独的项目)。
我真的不明白为什么你将应用程序标记为无状态,因为你正在使用表单登录之类的东西。如果您不允许创建 session ,那么授权代码流程之类的内容将如何工作?授权请求是如何缓存的?当用户重定向回该请求时,服务器如何知道用户已通过身份验证?由于没有 session 可以绑定(bind)身份验证,因此身份验证将丢失。
关于java - 即使使用 create-session ="stateless",Spring Security Oauth2 也会生成 jsessiond,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20897515/