Java Spring Security OAuth2 - 如何关闭令牌端点(/oauth/token)默认自动启用的 HTTP 基本身份验证?
标签: java, spring-security-oauth2。我遇到了一个问题:令牌端点(/oauth/token)默认会对客户端凭据使用 HTTP 基本身份验证进行保护。但我想直接向我的 Spring 授权服务器发送 POST 请求,并通过 grant_type=client_credentials、client_id、client_secret 这几个表单参数来获取访问令牌,像这样:
curl -H "Accept: application/json" http://localhost:9091/oauth/token -d grant_type=client_credentials -d client_id=d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee -d clent_secret=$2a$10$Wbnh2ApE7NVBf2H3Zuww5urW/27QmCMZ0JargKk8uaqMl0SuA4kMa
现在,我应该使用基本身份验证发送此请求,如:
curl -H "Accept: application/json" d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20e:secret@localhost:9091/oauth/token -d grant_type=client_credentials
如何配置Spring Security Oauth项目?
请帮帮我
多谢各位
以下是oauth授权服务器配置:
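@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager auth;

    @Autowired
    private DataSource dataSource;

    // One encoder for both registering client secrets (clients.jdbc(...).passwordEncoder)
    // and verifying them at the token endpoint (security.passwordEncoder); the two must
    // agree or stored secrets will never match.
    private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    /** Token store backed by the injected {@code DataSource}. */
    @Bean
    public JdbcTokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    /** Authorization-code store backed by the injected {@code DataSource}. */
    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    /**
     * Secures the token endpoint.
     *
     * <p>{@code allowFormAuthenticationForClients()} is what the question is missing: it
     * lets a client present {@code client_id} and {@code client_secret} as form parameters
     * in the token request body instead of an HTTP Basic {@code Authorization} header. The
     * secret then travels in the request body, so serve the endpoint over TLS only and keep
     * request bodies out of access logs.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.passwordEncoder(passwordEncoder);
        security.allowFormAuthenticationForClients();
    }

    /** Wires the JDBC-backed code and token stores and the authentication manager. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .authorizationCodeServices(authorizationCodeServices())
            .authenticationManager(auth)
            .tokenStore(tokenStore())
            .approvalStoreDisabled();
    }

    /**
     * Registers the clients in the JDBC client store.
     *
     * <p>The encoder handed to the builder is presumably applied to each {@code secret(...)}
     * when the client row is inserted — confirm against the stored rows. Registrations are
     * unchanged from the original apart from the stray double semicolon.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients.jdbc(dataSource)
            .passwordEncoder(passwordEncoder)
            .withClient("my-trusted-client")
                .authorizedGrantTypes("password", "authorization_code",
                        "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .resourceIds("oauth2-resource")
                .accessTokenValiditySeconds(60)
                .and()
            .withClient("my-client-with-registered-redirect")
                .authorizedGrantTypes("authorization_code")
                .authorities("ROLE_CLIENT").scopes("read", "trust")
                .resourceIds("oauth2-resource")
                .redirectUris("http://anywhere?key=value")
                .and()
            .withClient("my-client-with-secret")
                .authorizedGrantTypes("client_credentials", "password")
                .authorities("ROLE_CLIENT").scopes("read")
                .resourceIds("oauth2-resource").secret("secret")
                .and()
            .withClient("d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                .resourceIds("oauth2-resource")
                .secret("secret")
                .redirectUris("http://localhost:9090");
        // @formatter:on
    }
}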
以下是安全配置:
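@Configuration
@EnableWebSecurity
public class WebSecurityConfigOauth extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * Chain for {@code /oauth/token}: stateless, anonymous access off, HTTP Basic off,
     * client credentials read from the form body by {@link #clientCredentialsTokenEndpointFilter()}.
     *
     * <p>NOTE(review): {@code @EnableAuthorizationServer} registers its own chain for
     * {@code /oauth/token} ahead of a plain {@code WebSecurityConfigurerAdapter} (default
     * order 100), so token requests may never reach the rules below — confirm which chain
     * actually handles them before relying on this one.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .anonymous()
                .disable();
        http
            .requestMatchers()
                .antMatchers("/oauth/token")
                .and()
            .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated();
        http
            .httpBasic().disable()
            // the form-parameter filter takes the slot the Basic filter would have used
            .addFilterAfter(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
        http
            .exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler())
                .and()
            .csrf().disable();
    }

    /** Entry point the filter uses to challenge unauthenticated token requests. */
    @Bean
    OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint() {
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
        entryPoint.setRealmName("oauth/client");
        // Still advertises a Basic challenge although Basic is disabled above; harmless,
        // but worth aligning once form authentication is the only supported scheme.
        entryPoint.setTypeName("Basic");
        return entryPoint;
    }

    @Bean
    AuthenticationSuccessHandler authenticationSuccessHandler() {
        return new OAuth2AuthenticationSuccessHandler();
    }

    @Bean
    AuthenticationFailureHandler authenticationFailureHandler() {
        return new OAuth2AuthenticationFailureHandler();
    }

    @Bean
    OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }

    /**
     * Filter that authenticates the client from {@code client_id}/{@code client_secret}
     * form parameters on the token request.
     *
     * <p>None of the setters declare checked exceptions, so the try/catch that re-wrapped
     * them in {@code IllegalStateException} was dead and is gone.
     *
     * <p>NOTE(review): in Spring Boot a {@code Filter} exposed as a {@code @Bean} is also
     * registered with the servlet container and would then run outside this security chain
     * as well — confirm, and if so register it through a disabled FilterRegistrationBean.
     */
    @Bean
    ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() {
        ClientCredentialsTokenEndpointFilter filter = new CustomClientCredentialsTokenEndpointFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationEntryPoint(oAuth2AuthenticationEntryPoint());
        filter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
        filter.setAuthenticationFailureHandler(authenticationFailureHandler());
        return filter;
    }

    /** Delegates to the stock filter; kept only as a hook for request-specific handling. */
    static final class CustomClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            return super.attemptAuthentication(request, response);
        }
    }

    /** Answers a rejected client with 401 instead of leaving the response untouched. */
    static final class OAuth2AuthenticationFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {
            // The original only built an unused string here, so a failed client
            // authentication produced no error response at all. A fixed message avoids
            // echoing why the credentials were refused.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid_client");
        }
    }

    /** No-op on success: presumably the filter continues the chain and the token endpoint writes the response. */
    static final class OAuth2AuthenticationSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // intentionally empty — nothing to write here
        }
    }
}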
您的第二个 curl 看起来不正确;无论如何,BasicAuthenticationFilter 会处理 "Basic" 身份验证,但该过滤器仅在请求带有 Authorization 标头时才进行处理。您可以提供您的安全配置吗?这是第二个 curl 请求的示例:`curl -H "Accept: application/json" my-client-with-secret:secret@quiet-atoll-70789.herokuapp.com/oauth/token -d grant_type=client_credentials`。我已经通过这个请求和我的请求得到了令牌。
这是我的安全配置:我已在上面添加了代码,也许这可以帮助你。