Java Spring Security OAuth2: how to switch off the HTTP Basic authentication that automatically secures the token endpoint (/oauth/token)?

Tags: java, spring-security-oauth2

I have a question.

The token endpoint (/oauth/token) is automatically secured with HTTP Basic authentication using the client credentials. But I want to send a POST request to my Spring authorization server to obtain an access token with the parameters grant_type=client_credentials, client_id and client_secret, like this:

```bash
# client_secret is single-quoted so the shell does not expand $2a, $10 and the rest of the value
curl -H "Accept: application/json" http://localhost:9091/oauth/token -d grant_type=client_credentials -d client_id=d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee -d client_secret='$2a$10$Wbnh2ApE7NVBf2H3Zuww5urW/27QmCMZ0JargKk8uaqMl0SuA4kMa'
```

Right now I have to send this request with Basic authentication instead, like:

```bash
curl -H "Accept: application/json" d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20e:secret@localhost:9091/oauth/token -d grant_type=client_credentials
```

How do I configure the Spring Security OAuth project for this? Please help me.

Thanks a lot.

Here is the OAuth authorization server configuration:

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

// Nested configuration class; the enclosing class is not part of the snippet.
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager auth;

    @Autowired
    private DataSource dataSource;

    // Client secrets are stored and compared as bcrypt hashes.
    private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    // Access and refresh tokens are persisted in the DataSource.
    @Bean
    public JdbcTokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    // Authorization codes for the authorization_code grant are persisted as well.
    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    // Security of /oauth/token itself: only the password encoder is set, so
    // client authentication stays at the default, HTTP Basic.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
        security.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authorizationCodeServices(authorizationCodeServices())
            .authenticationManager(auth)
            .tokenStore(tokenStore())
            .approvalStoreDisabled();
    }

    // Registered clients. With the JDBC builder the secrets are run through
    // passwordEncoder before they are written to the client table.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients.jdbc(dataSource)
            .passwordEncoder(passwordEncoder)
            .withClient("my-trusted-client")
                .authorizedGrantTypes("password", "authorization_code",
                        "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .resourceIds("oauth2-resource")
                .accessTokenValiditySeconds(60)
            .and()
            .withClient("my-client-with-registered-redirect")
                .authorizedGrantTypes("authorization_code")
                .authorities("ROLE_CLIENT").scopes("read", "trust")
                .resourceIds("oauth2-resource")
                .redirectUris("http://anywhere?key=value")
            .and()
            .withClient("my-client-with-secret")
                .authorizedGrantTypes("client_credentials", "password")
                .authorities("ROLE_CLIENT").scopes("read")
                .resourceIds("oauth2-resource").secret("secret")
            .and()
            .withClient("d1a45286071f38fd7b4c5de726e1aab50b3e0056524bbfeed984050c5c4c20ee")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                .resourceIds("oauth2-resource")
                .secret("secret")
                .redirectUris("http://localhost:9090");
        // @formatter:on
    }
}
```
Here is the security configuration:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfigOauth extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Token requests are stateless: no HTTP session and no anonymous principal.
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .anonymous()
                .disable();
        // This filter chain is bound to /oauth/token only; every request to it
        // must be fully authenticated.
        http
            .requestMatchers()
                .antMatchers("/oauth/token")
                .and()
            .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated();
        // HTTP Basic is switched off; a ClientCredentialsTokenEndpointFilter that
        // reads client_id / client_secret from the request parameters is added
        // at the position where BasicAuthenticationFilter would run.
        http
            .httpBasic().disable()
            //.authenticationEntryPoint(oAuth2AuthenticationEntryPoint())
            .addFilterAfter(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
        http
            .exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler())
                .and()
            .csrf().disable();
    }

    // Entry point that answers unauthenticated requests with a WWW-Authenticate: Basic challenge.
    @Bean
    OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint() {
        OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        oAuth2AuthenticationEntryPoint.setRealmName("oauth/client");
        oAuth2AuthenticationEntryPoint.setTypeName("Basic");
        return oAuth2AuthenticationEntryPoint;
    }

    @Bean
    AuthenticationSuccessHandler authenticationSuccessHandler() {
        return new OAuth2AuthenticationSuccessHandler();
    }

    @Bean
    AuthenticationFailureHandler authenticationFailureHandler() {
        return new OAuth2AuthenticationFailureHandler();
    }

    @Bean
    OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }

    // Filter that authenticates the client from the client_id / client_secret
    // request parameters instead of an Authorization header.
    @Bean
    ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() {
        ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter = new CustomClientCredentialsTokenEndpointFilter();
        try {
            clientCredentialsTokenEndpointFilter.setAuthenticationManager(authenticationManager);
            clientCredentialsTokenEndpointFilter.setAuthenticationEntryPoint(oAuth2AuthenticationEntryPoint());
            clientCredentialsTokenEndpointFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
            clientCredentialsTokenEndpointFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
            return clientCredentialsTokenEndpointFilter;
        }
        catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    // Subclass kept only to be able to set a breakpoint on attemptAuthentication.
    static final class CustomClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
            final Authentication authentication = super.attemptAuthentication(request, response);

            return authentication;
        }
    }

    // Debug stub: writes nothing to the response. The filter does not continue
    // the chain after a failed authentication, so with this handler a rejected
    // client gets an empty response instead of the 401 the filter's default
    // handler would send through the entry point.
    static final class OAuth2AuthenticationFailureHandler implements AuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            String s = request.toString();
        }
    }

    // Debug stub; the filter itself continues the chain after a successful authentication.
    static final class OAuth2AuthenticationSuccessHandler implements AuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            String s = request.toString();
        }
    }
}
```

Comment:

Your second curl looks incorrect; in any case, BasicAuthenticationFilter will handle "Basic" authentication. But the filter only does its processing when an Authorization header is present. Can you provide your security configuration?

Reply from the asker:

Here is an example of the second curl request: curl -H "Accept: application/json" my-client-with-secret:secret@quiet-atoll-70789.herokuapp.com/oauth/token -d grant_type=client_credentials. I got the token both with this request and with mine. Here is my security configuration: I added the code above, maybe it can help you.
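Added example (not code from the asker or the commenter above): the authorization-server configuration that makes /oauth/token accept client_id and client_secret as POST form parameters while HTTP Basic keeps working, which is what the question asks for. It assumes Spring Security OAuth2 2.x with a DataSource and an AuthenticationManager already wired as in the question; the class name FormClientAuthAuthorizationServerConfig and the client form-client with the secret "secret" are constructed for this example.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

// Added example, not the asker's code. Assumes a DataSource and an
// AuthenticationManager are already wired, as in the question.
@Configuration
@EnableAuthorizationServer
public class FormClientAuthAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;

    // Stored client secrets are bcrypt hashes; the raw secret the client sends
    // is verified with PasswordEncoder.matches(raw, storedHash).
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .passwordEncoder(passwordEncoder)
            // Adds ClientCredentialsTokenEndpointFilter in front of /oauth/token:
            // when the request carries client_id / client_secret as parameters,
            // the client is authenticated from them. BasicAuthenticationFilter
            // stays registered, so an Authorization: Basic header still works
            // and that filter is a no-op when the header is absent.
            .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .authenticationManager(authenticationManager)
            .tokenStore(new JdbcTokenStore(dataSource));
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed client for this example. With the JDBC builder the secret
        // is run through passwordEncoder before it is written to the client table.
        clients.jdbc(dataSource)
            .passwordEncoder(passwordEncoder)
            .withClient("form-client")
                .secret("secret")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                .resourceIds("oauth2-resource")
                .accessTokenValiditySeconds(60);
    }
}

// Both requests now return a token for the client above; the secret is sent
// raw, never as the bcrypt hash stored in the database:
//
//   curl -u form-client:secret http://localhost:9091/oauth/token \
//        -d grant_type=client_credentials
//
//   curl http://localhost:9091/oauth/token \
//        -d grant_type=client_credentials \
//        -d client_id=form-client -d client_secret=secret
```

Three points worth checking before adopting this. First, the value sent as client_secret must be the raw secret: BCryptPasswordEncoder.matches() hashes what the client sent and compares it with the stored hash, so sending the stored hash itself (as in the first curl of the question) never matches, and an unquoted $2a$10$... is also expanded by the shell. Second, @EnableAuthorizationServer already registers its own filter chain for /oauth/token at order 0, with BasicAuthenticationFilter and, after allowFormAuthenticationForClients(), the form filter; a second WebSecurityConfigurerAdapter bound to /oauth/token at the default order, like the one in the question, is matched after it and so never sees that path. Third, RFC 6749 section 2.3.1 makes HTTP Basic the scheme an authorization server must support and marks passing the credentials in the request body as NOT RECOMMENDED, to be used only by clients that cannot send Basic: the body form is only as confidential as the TLS channel and whatever logs request bodies, so keep Basic as the primary option where the client can use it.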