Java google Oauth的Spring安全性
我一直在开发一个 web 应用程序，其中使用了 Google OAuth 和 Spring MVC。我已经实现了 Google OAuth：如果用户通过了 Google OAuth 的身份验证，就会被重定向到所需的 URL。为了实现这个功能，我使用了 GoogleAuthHelper 类。标签：java, spring, spring-mvc, oauth。这是我的代码：
package com.mob.googleoauth;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import javax.servlet.http.HttpSession;
import org.json.JSONException;
import org.json.JSONObject;
import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.TokenResponseException;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;
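/**
 * Helper around the Google OAuth 2.0 authorization-code flow: builds the login
 * URL, holds the anti-CSRF {@code state} token, and exchanges the returned
 * authorization code for the user's basic profile (email, name, picture).
 * <p>
 * The state token is generated once per instance, so one instance should serve
 * one browser session (for example stored in the {@link HttpSession}). If a
 * single instance were shared by all users the state value would be the same
 * for everyone and the state check on the callback would no longer bind the
 * response to the session that started the login.
 */
public final class GoogleAuthHelper {

    // NOTE(review): the client secret belongs in configuration (environment
    // variable or property file), not in a committed source file.
    private static final String CLIENT_ID = "";
    private static final String CLIENT_SECRET = " ";
    /**
     * Callback URI that Google will redirect to after successful authentication.
     */
    private static final String CALLBACK_URI = "http://localhost:8080/orgchart/oauthRedirect";

    // start google authentication constants
    private static final Iterable<String> SCOPE = Arrays.asList(
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email");
    private static final String USER_INFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo";
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();
    private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
    // end google authentication constants

    /** Number of random bytes behind the state token (128 bits of entropy). */
    private static final int STATE_TOKEN_BYTES = 16;
    /** Fixed prefix kept in front of the random part; lets callers recognise the provider. */
    private static final String STATE_TOKEN_PREFIX = "google;";

    private String stateToken;
    private final GoogleAuthorizationCodeFlow flow;

    /**
     * Initialises the Google authorization-code flow with the client ID, secret
     * and scopes, and generates this instance's state token.
     */
    public GoogleAuthHelper() {
        System.out.println("google auth helper called");
        // approval_prompt / access_type are set on the Builder so that every URL
        // returned by newAuthorizationUrl() carries them. Setting them on a
        // throw-away URL object whose result is discarded (as the previous
        // version did) had no effect on the URL actually sent to the browser.
        flow = new GoogleAuthorizationCodeFlow.Builder(HTTP_TRANSPORT, JSON_FACTORY,
                CLIENT_ID, CLIENT_SECRET, SCOPE)
                .setApprovalPrompt("force")
                .setAccessType("offline")
                .build();
        generateStateToken();
    }

    /**
     * Builds the login URL for this client, carrying the callback URI and the
     * state token.
     *
     * @return the fully built Google authorization URL
     */
    public String buildLoginUrl() {
        System.out.println("building uri called");
        final GoogleAuthorizationCodeRequestUrl url = flow.newAuthorizationUrl();
        return url.setRedirectUri(CALLBACK_URI).setState(stateToken).build();
    }

    /**
     * Generates a fresh state token from {@link SecureRandom}.
     * <p>
     * The random part is 128 bits, base64url-encoded without padding so it
     * survives the round trip through the authorization URL unchanged. The
     * previous version used a single {@code nextInt()}, i.e. only 32 bits.
     */
    private void generateStateToken() {
        System.out.println("generated token called");
        final byte[] random = new byte[STATE_TOKEN_BYTES];
        new SecureRandom().nextBytes(random);
        stateToken = STATE_TOKEN_PREFIX
                + Base64.getUrlEncoder().withoutPadding().encodeToString(random);
    }

    /**
     * Accessor for the state token that was embedded in the login URL.
     *
     * @return the state token of this instance
     */
    public String getStateToken() {
        System.out.println("gettoken called");
        return stateToken;
    }

    /**
     * Compares the {@code state} parameter received on the callback with the
     * token this instance put into the login URL, in constant time.
     * <p>
     * The callback handler should reject the request when this returns
     * {@code false} before calling {@link #getUserInfoJson(String, HttpSession)}.
     *
     * @param candidate the {@code state} query parameter from the callback request, may be null
     * @return {@code true} only if {@code candidate} equals this instance's token
     */
    public boolean isValidStateToken(final String candidate) {
        if (candidate == null || stateToken == null) {
            return false;
        }
        // MessageDigest.isEqual does not short-circuit on the first differing
        // byte, so the comparison time does not leak how much of the token matched.
        return MessageDigest.isEqual(
                stateToken.getBytes(StandardCharsets.UTF_8),
                candidate.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Exchanges an authorization code for tokens, stores the access token in the
     * session under {@code "userToken"}, and fetches the user's profile.
     *
     * @param authCode authorization code provided by Google on the callback
     * @param session  HTTP session that receives the access token
     * @return a list of exactly three elements: email, name, picture URL
     * @throws IOException if the token exchange or the profile request fails
     *         (a rejected code surfaces as a {@link TokenResponseException})
     * @throws JSONException if the profile response lacks one of the expected fields
     * @throws NullPointerException if {@code authCode} or {@code session} is null
     */
    public List<String> getUserInfoJson(final String authCode, final HttpSession session)
            throws IOException, JSONException {
        System.out.println("getuserinfojson called");
        Objects.requireNonNull(authCode, "authCode");
        Objects.requireNonNull(session, "session");

        final GoogleTokenResponse response = flow.newTokenRequest(authCode)
                .setRedirectUri(CALLBACK_URI)
                .execute();
        session.setAttribute("userToken", response.getAccessToken());
        final Credential credential = flow.createAndStoreCredential(response, null);

        // Make an authenticated request for the profile.
        final HttpRequestFactory requestFactory = HTTP_TRANSPORT.createRequestFactory(credential);
        final HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(USER_INFO_URL));
        request.getHeaders().setContentType("application/json");
        final String jsonIdentity = request.execute().parseAsString();

        final JSONObject object = new JSONObject(jsonIdentity);
        final List<String> profile = new ArrayList<String>(3);
        profile.add(object.getString("email"));
        profile.add(object.getString("name"));
        profile.add(object.getString("picture"));
        return profile;
    }
}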
package com.mob.googleoauth;
导入java.io.IOException;
导入java.security.SecureRandom;
导入java.util.ArrayList;
导入java.util.array;
导入java.util.List;
导入javax.servlet.http.HttpSession;
导入org.json.JSONException;
导入org.json.JSONObject;
导入com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
导入com.google.api.client.auth.oauth2.Credential;
导入com.google.api.client.auth.oauth2.TokenResponseException;
导入com.google.api.client.googleapis.auth.oauth2.googleaauthorizationcodeflow;
导入com.google.api.client.GoogleAppis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
导入com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
导入com.google.api.client.http.GenericUrl;
导入com.google.api.client.http.HttpRequest;
导入com.google.api.client.http.HttpRequestFactory;
导入com.google.api.client.http.HttpTransport;
导入com.google.api.client.http.javanet.NetHttpTransport;
导入com.google.api.client.json.JsonFactory;
导入com.google.api.client.json.jackson.JacksonFactory;
公共最终类帮助程序{
私有静态最终字符串CLIENT_ID=“”;
私有静态最终字符串CLIENT_SECRET=“”;
/**
*成功验证后google将重定向到的回调URI
*/
私有静态最终字符串回调_URI=”http://localhost:8080/orgchart/oauthRedirect";
//私有静态最终字符串HD=“”;
//启动google身份验证常量
私有静态最终Iterable作用域=数组
.asList(“https://www.googleapis.com/auth/userinfo.profile;https://www.googleapis.com/auth/userinfo.email"
.拆分(“;”);
私有静态最终字符串USER\u INFO\u URL=”https://www.googleapis.com/oauth2/v1/userinfo";
私有静态最终JsonFactory JSON_FACTORY=new JacksonFactory();
私有静态最终HttpTransport HTTP_TRANSPORT=new NetHttpTransport();
//结束google身份验证常量
私有字符串状态令牌;
私有最终GoogleAuthorizationCodeFlow;
/**
*构造函数使用客户端初始化Google授权代码流
*ID、秘密和范围
*/
公共GoogleAuthHelper(){
System.out.println(“googleauth助手调用”);
flow=新的GoogleAuthorizationCodeFlow.Builder(HTTP\U传输,
JSON_工厂、客户机_ID、客户机_机密、作用域).build();
flow.newAuthorizationUrl().setApprovalPrompt(“强制”).setAccessType(“脱机”);
//AuthorizationCodeRequestUrl authorizationUrl=流
//.newAuthorizationUrl().setRedirectUri(回调URI)
//.setApprovalPrompt(“强制”).setAccessType(“脱机”);
generateStateToken();
}
/**
*基于客户端ID、密码、回调URI和作用域构建登录URL
*/
公共字符串buildLoginUrl(){
System.out.println(“调用的构建uri”);
最终GoogleAuthorizationCodeRequestUrl=flow
.newAuthorizationUrl();
返回url.setRedirectUri(CALLBACK_URI).setState(stateToken.build();
}
/**
*生成安全状态令牌
*/
私有void generateStateToken(){
System.out.println(“调用生成的令牌”);
SecureRandom sr1=新的SecureRandom();
//系统输出打印LN(sr1);
stateToken=“google;”+sr1.nextInt();
}
/**
*状态令牌的访问器
*/
公共字符串getStateToken(){
System.out.println(“调用gettoken”);
返回状态令牌;
}
/**
*需要身份验证代码,并对进行身份验证的
*用户的配置文件信息
*
*@return JSON格式的用户配置文件信息
*@param authCode
*谷歌提供的认证码
*@JSONException
*/
@抑制警告(“未选中”)
公共列表getUserInfoJson(最终字符串authCode,HttpSession会话)引发IOException,
JSONException{
List ls=新的ArrayList();
试一试{
println(“调用getuserinfojson”);
最终GoogleTokenResponse响应=flow.newTokenRequest(authCode)
.setRedirectUri(回调_URI).execute();
setAttribute(“userToken”,response.getAccessToken());
最终凭证=flow.createAndStoreCredential(响应,
无效);
最终HttpRequestFactory requestFactory=HTTP\u传输
.createRequestFactory(凭证);
//提出经过验证的请求
最终GenericUrl url=新的GenericUrl(用户信息url);
最终HttpRequest请求=requestFactory.buildGetRequest(url);
request.getHeaders().setContentType(“应用程序/json”);
最后一个字符串jsonIdentity=request.execute().parseAsString();
//System.out.println(jsonIdentity);
JSONObject对象=新的JSONObject(jsonIdentity);
String email=object.getString(“email”);
字符串名称=object.getString(“名称”);
String picture=object.getString(“picture”);
ls.add(电子邮件);
ls.添加(名称);
ls.添加(图片);
}
捕获(NullPointerException e)
{
投掷e;
}
捕获(令牌响应异常e){
投掷e;
}
返回ls;
}
}
上面的方法在验证用户身份并重定向到给定 URL 时可以正常工作，但之后应用程序并不安全：也就是说，我的应用程序中的其它 URL 没有受到保护。为此，我想把 Spring Security 与 Google OAuth 结合起来使用。