Java 我可以在请求正文而不是标头中发送OAuth 2.0凭据吗?
目前我正在使用Java 我可以在请求正文而不是标头中发送OAuth 2.0凭据吗?,java,spring,spring-security,oauth,spring-data,Java,Spring,Spring Security,Oauth,Spring Data,目前我正在使用spring-security,启用了OAuth 2.0,一切就绪,工作正常 我在请求头中发送客户端凭据,如上所示 i、 e.用户名=kalynpradhan@gmail.com和密码=abc 我可以在请求正文而不是请求头中发送OAuth 2.0配置吗 是否有任何配置可以让spring中的OAuth接受请求体中的令牌 下面是我使用OAuth 2.0的spring安全配置文件 @Configuration @EnableAuthorizationServer public clas
spring-securityOAuth 2.0用户名=kalynpradhan@gmail.com密码=abc@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
private static String REALM = "MY_OAUTH_REALM";
/*
* The token store is the store where all the tokens are stored, It can be
* InMemory, JDBC, etc.
*/
@Autowired
private TokenStore tokenStore;
@Autowired
private UserApprovalHandler userApprovalHandler;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
/**
* SpringData JPA dataSource injected.
*/
@Autowired
private DataSource dataSource;
/**
* Autowiring the {@link CustomUserDetailsService} for configuring the
* {@link UserDetailsService} which provides the required user details to
* the security context.
*
* This extra implementation of the userDetailsService is necessary because
* after OAuth 2.0 version - 2.0.10.RELEASE the UserDetails service is not
* automatically extracted from the context.
*
* Here is a link to the documentation in the gitHub community. <a href=
* "https://github.com/royclarkson/spring-rest-service-oauth/issues/19">
* Documentation</a>
*/
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//@formatter:off
clients.jdbc(dataSource);/*.withClient("my-trusted-client")
.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust").secret("secret")
.accessTokenValiditySeconds(120).// Access token is only valid for 2 minutes.
refreshTokenValiditySeconds(600);// Refresh token is only valid for 10 minutes.
//@Formatter:on
*/ }
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.realm(REALM + "/client");
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "my_rest_api";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.anonymous().disable().requestMatchers().antMatchers("/user/**").and().authorizeRequests()
.antMatchers("/user/**").access("hasRole('ADMIN')").and().exceptionHandling()
.accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
您已覆盖AuthorizationServerConfigurerAdapter中的配置方法:
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.realm(REALM + "/client");
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients().realm(REALM + "/client");
}
好的,我尝试在请求正文中添加用户名和密码,但是{“用户名”:kalynpradhan@gmail.com“,“password”:“abc”}这是一个错误,这可能是因为OAuth在头中需要用户名和密码。有没有办法告诉spring security和OAuth凭据将在请求体中而不是在头中?首先,您似乎没有在头中发送它,而是在查询(URL)中发送它。没有添加“allowFormauthentication…”更改任何内容吗?我是否应该尝试验证筛选器,无论如何,感谢您指出这一点!!是的,它改变了我发送凭证的方式,但我希望以json格式在请求正文中发送凭证
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients().realm(REALM + "/client");
}