Java spring-oauth2登录成功处理程序
有没有办法使用spring-oauth2添加登录成功处理程序 我尝试使用基本身份验证过滤器,但它只过滤客户端凭据,而不是用户凭据 还是需要创建自定义用户身份验证管理器Java spring-oauth2登录成功处理程序,java,spring,handler,Java,Spring,Handler,有没有办法使用spring-oauth2添加登录成功处理程序 我尝试使用基本身份验证过滤器,但它只过滤客户端凭据,而不是用户凭据 还是需要创建自定义用户身份验证管理器 TIA我们构建了一个定制的身份验证管理器,并将其连接到OAuth2AuthenticationProcessingFilter中,以实现这一点。管理器的authenticate方法能够从身份验证主体中解压缩OAuth2Authentication和OAuth2AuthenticationDetails <bean id="o
TIA我们构建了一个定制的身份验证管理器,并将其连接到OAuth2AuthenticationProcessingFilter中,以实现这一点。管理器的authenticate方法能够从身份验证主体中解压缩OAuth2Authentication和OAuth2AuthenticationDetails
<bean id="oAuth2AuthenticationManager" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
<property name="resourceId" value="XXX-api"/>
<property name="tokenServices" ref="tokenServices"/>
</bean>
<bean id="resourceServerFilter"
class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter">
<property name="authenticationManager" ref="oAuth2AuthenticationManager"/>
<property name="tokenExtractor">
<bean class="com.xxx.oauth.BearerTokenExtractor"/>
</property>
</bean>
此解决方案适用于密码流,我不确定是否适用于其他密码流。 您可以在oauth服务器配置中的http标记中的“before=BASIC_AUTH_filter”位置添加自定义过滤器, 您可以通过解析“oauth/token”的响应来实现,所以创建ByteArrayResponseWrapper来获得响应, 这里我使用的是“org.apache.commons commons io”中的TeeOutputStream类 我已经创建了令牌提取器来分离提取访问令牌的代码
public class OAuth2AccessTokenExtractor implements
OAuth2AccessTokenExtractor {
private ObjectMapper mapper = new ObjectMapper();
public String getAccessTokenValue(byte[] response) {
try {
return mapper.readValue(response, OAuth2AccessToken.class)
.getValue();
} catch (JsonParseException e) {
e.printStackTrace();
} catch (JsonMappingException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
}
创建过滤器后,按如下方式覆盖doFilter
private DefaultTokenServices tokenServices;
private OAuth2AccessTokenExtractor tokenExtractor;
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// create wrapper to read response body
ByteArrayResponseWrapper responseWraper = new ByteArrayResponseWrapper(
response);
// led them go
chain.doFilter(request, responseWraper);
// get ClientAuthentication
Authentication clientAuthentication = SecurityContextHolder
.getContext().getAuthentication();
// is authenticated or not to proceed
if (clientAuthentication != null
&& clientAuthentication.isAuthenticated()) {
// callBack client authenticated successfully
onSuccessfulClientAuthentication(request, response,
clientAuthentication);
// check response status is success of failure
if (responseWraper.getStatus() == 200) {
// extract accessToken from response
String token = tokenExtractor
.getAccessTokenValue(responseWraper.getByteArray());
if (token != null && !token.isEmpty()) {
// load authentication from token
OAuth2Authentication oAuth2Authentication = this.tokenServices
.loadAuthentication(token);
OAuth2AccessToken actualAccessToken = this.tokenServices
.getAccessToken(oAuth2Authentication);
// callBack user authenticated successfully
onSuccessfulUserAuthentication(request, response,
clientAuthentication, oAuth2Authentication,
actualAccessToken);
} else {
log.error("access token is empty from extractor");
}
} else {
// callBack user authenticated failure
onFailureUserAuthentication(request, response,
clientAuthentication, request.getParameter("username"));
}
} else {
// callBack client authenticated failure
onFailClientAuthentication(request, response,
request.getParameter(OAuth2Utils.CLIENT_ID));
}
}
protected void onSuccessfulClientAuthentication(ServletRequest request,
ServletResponse response, Authentication authentication) {
}
protected void onFailClientAuthentication(ServletRequest request,
ServletResponse response, String clientId) {
}
protected void onSuccessfulUserAuthentication(ServletRequest request,
ServletResponse response, Authentication clientAuthentication,
OAuth2Authentication userOAuth2Authentication,
OAuth2AccessToken token) {
}
protected void onFailureUserAuthentication(ServletRequest request,
ServletResponse response, Authentication clientAuthentication,
String username) {
}
创建过滤器实例时,注入令牌服务。
现在将根据您的身份验证调用onSuccessfulClientAuthentication、onFailClientAuthentication、onSuccessfulUserAuthentication和onFailureUserAuthentication
有关更多信息,请参阅上的此代码
编辑:
当您有默认的令牌响应时,上面的代码段可以正常工作,它只是使用ServletResponseWrapper和Extraction。
但它看起来仍然很脆弱,因此您可以通过org.springframework.security.oauth2.provider.token.TokenEnhancer
类了解用户身份验证成功与否
有关详细信息,请按此操作。谢谢。我无法理解为什么SpringOAuth2的作者用简单的成功/失败处理程序打破了久经验证的设计,这些处理程序在过去工作得非常好。完全同意。对于这样一个基本的功能来说,似乎非常复杂和“黑客”-y。我所说的hacky是指了解实现细节,而不是只使用接口
private DefaultTokenServices tokenServices;
private OAuth2AccessTokenExtractor tokenExtractor;
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// create wrapper to read response body
ByteArrayResponseWrapper responseWraper = new ByteArrayResponseWrapper(
response);
// led them go
chain.doFilter(request, responseWraper);
// get ClientAuthentication
Authentication clientAuthentication = SecurityContextHolder
.getContext().getAuthentication();
// is authenticated or not to proceed
if (clientAuthentication != null
&& clientAuthentication.isAuthenticated()) {
// callBack client authenticated successfully
onSuccessfulClientAuthentication(request, response,
clientAuthentication);
// check response status is success of failure
if (responseWraper.getStatus() == 200) {
// extract accessToken from response
String token = tokenExtractor
.getAccessTokenValue(responseWraper.getByteArray());
if (token != null && !token.isEmpty()) {
// load authentication from token
OAuth2Authentication oAuth2Authentication = this.tokenServices
.loadAuthentication(token);
OAuth2AccessToken actualAccessToken = this.tokenServices
.getAccessToken(oAuth2Authentication);
// callBack user authenticated successfully
onSuccessfulUserAuthentication(request, response,
clientAuthentication, oAuth2Authentication,
actualAccessToken);
} else {
log.error("access token is empty from extractor");
}
} else {
// callBack user authenticated failure
onFailureUserAuthentication(request, response,
clientAuthentication, request.getParameter("username"));
}
} else {
// callBack client authenticated failure
onFailClientAuthentication(request, response,
request.getParameter(OAuth2Utils.CLIENT_ID));
}
}
protected void onSuccessfulClientAuthentication(ServletRequest request,
ServletResponse response, Authentication authentication) {
}
protected void onFailClientAuthentication(ServletRequest request,
ServletResponse response, String clientId) {
}
protected void onSuccessfulUserAuthentication(ServletRequest request,
ServletResponse response, Authentication clientAuthentication,
OAuth2Authentication userOAuth2Authentication,
OAuth2AccessToken token) {
}
protected void onFailureUserAuthentication(ServletRequest request,
ServletResponse response, Authentication clientAuthentication,
String username) {
}