Java OAuth 2.0 using Spring Security + WSO2 Identity Server

Tags: java, spring-security, oauth-2.0, jersey, wso2is

I am developing a web application that exposes a number of RESTful services protected by OAuth 2.0. Here is the planned architecture:

1- OAuth authorization provider: WSO2 Identity Server (IS)

2- OAuth resource server: a Java web application using the following technologies:

  • Jersey (to implement and expose the web services)
  • Spring Security (to implement the OAuth resource server part)
I have seen several examples (…, etc.) describing how to protect RESTful services using WSO2 IS as the authorization server + WSO2 ESB as the resource server. That is not what I need.

Unfortunately, the interaction between the authorization server and the resource server is out of the scope of that article, so I could not find out what it should look like.

Here are my questions:

  • How do I configure Spring Security to act as a resource server that validates access tokens issued by an external OAuth provider (e.g. WSO2 IS)?
  • How should the resource server identify the scopes of a given access token?
  • How do I identify, from WSO2, the resource owner of a given access token?

Thanks

After doing some research, I found the way. The solution is divided into two main parts: WSO2 IS configuration and resource server configuration.

The basic scenario is as follows:

1- A client (e.g. a mobile application) consumes a secured resource (e.g. a web service) by sending a request to the resource server (in my case, the Java web application)

2- The resource server validates the "Authorization" header of the request and extracts the access token

3- The resource server validates the access token by sending it to the authorization server (WSO2 IS)

4- The authorization server replies with a validation response

import java.util.Set;

// Plain holder for what WSO2 IS reports about an access token
public class TokenValidationResponse {

    private String jwtToken;                  // authorization context token (JWT), if WSO2 IS generates one
    private boolean valid;
    private Set<String> scope;                // scopes granted to the token
    private String authorizedUserIdentifier;  // the resource owner the token was issued to

    public String getJwtToken() {
        return jwtToken;
    }

    public void setJwtToken(String jwtToken) {
        this.jwtToken = jwtToken;
    }

    public boolean isValid() {
        return valid;
    }

    public void setValid(boolean valid) {
        this.valid = valid;
    }

    public Set<String> getScope() {
        return scope;
    }

    public void setScope(Set<String> scope) {
        this.scope = scope;
    }

    public String getAuthorizedUserIdentifier() {
        return authorizedUserIdentifier;
    }

    public void setAuthorizedUserIdentifier(String authorizedUserIdentifier) {
        this.authorizedUserIdentifier = authorizedUserIdentifier;
    }
}
5- The resource server validates the response and decides whether to grant or deny access to the requested resource

In my demo I used WSO2 IS 5.0.0 and Spring Security 3.1.0


1- WSO2 IS configuration

WSO2 IS will act as the authorization server, so it should be configured to support OAuth 2.0. To do so, a new service provider should be added and configured as follows:

(a) Log in to the WSO2 IS management console

(b) Add a new service provider and give it a name and a description

(c) Under Inbound Authentication Configuration, click Configure

(d) Configure the OAuth 2.0 provider as shown in the screenshot below, then click Add. We need the password grant type, which maps to Resource Owner Password Credentials. It fits my case (securing web services) best

(e) Under OAuth/OpenID Connect Configuration you will find the generated OAuth client key and OAuth client secret. Together with the username, password and scope, they are used to generate an access token


2- Resource server configuration

As mentioned earlier, the demo Java web application will act as both the resource server and the client. To act as a resource server, Spring Security needs to know how to validate access tokens, so a token services implementation should be provided

(a) Configure Spring to act as a resource server. Here is a sample configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/security/oauth2
    http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <bean id="tokenServices" class="com.example.security.oauth2.wso2.TokenServiceWSO2" />

    <bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />

    <security:authentication-manager alias="authenticationManager" />

    <oauth2:resource-server id="resourcesServerFilter" token-services-ref="tokenServices" />

    <security:http pattern="/services/**" create-session="stateless" entry-point-ref="authenticationEntryPoint" >
        <security:anonymous enabled="false" />
        <security:custom-filter ref="resourcesServerFilter" before="PRE_AUTH_FILTER" />
        <security:intercept-url pattern="/services/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </security:http>
</beans>
The TokenValidatorWSO2 class implements the logic that calls the OAuth2TokenValidationService web service of WSO2 IS:

import java.rmi.RemoteException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.utils.CarbonUtils;

@Component
public class TokenValidatorWSO2 implements OAuth2TokenValidator {

    private static final Logger logger = Logger.getLogger(TokenValidatorWSO2.class);

    // Base URL of the WSO2 IS admin services, e.g. https://localhost:9443/services/
    @Value("${server_url}")
    private String serverUrl;

    // Admin service name, i.e. OAuth2TokenValidationService
    @Value("${validation_service_name}")
    private String validationServiceName;

    @Value("${comsumer_key}")
    private String consumerKey;

    // Admin account used for the HTTP Basic Auth header of the admin-service call
    @Value("${admin_username}")
    private String adminUsername;

    @Value("${admin_password}")
    private String adminPassword;

    private volatile OAuth2TokenValidationServiceStub stub;

    // 15 minutes, as in the original demo; a synchronous per-request validation call
    // would normally get a timeout of a few seconds so a slow IS cannot stall the API
    private static final int TIMEOUT_IN_MILLIS = 15 * 60 * 1000;

    public TokenValidationResponse validateAccessToken(String accessToken) throws ApplicationException {
        logger.debug("validateAccessToken(String) - start");

        if (stub == null) {
            initializeValidationService();
        }

        OAuth2TokenValidationRequestDTO oauthRequest = new OAuth2TokenValidationRequestDTO();
        OAuth2TokenValidationRequestDTO_OAuth2AccessToken oAuth2AccessToken =
                new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
        oAuth2AccessToken.setIdentifier(accessToken);
        oAuth2AccessToken.setTokenType("bearer");
        oauthRequest.setAccessToken(oAuth2AccessToken);

        OAuth2TokenValidationResponseDTO response;
        try {
            response = stub.validate(oauthRequest);
        } catch (RemoteException ex) {
            // Fail closed: a transport error or SOAP fault must not let the request through
            logger.error("validateAccessToken() - Error when validating WSO2 token", ex);
            throw new ApplicationException("Error when validating access token with WSO2 IS");
        }

        if (response == null || !response.getValid()) {
            throw new ApplicationException("Invalid access token");
        }

        TokenValidationResponse validationResponse = new TokenValidationResponse();
        validationResponse.setValid(true);
        validationResponse.setAuthorizedUserIdentifier(response.getAuthorizedUser());
        // Scope may be absent when the token was issued without any scope
        validationResponse.setScope(response.getScope() == null
                ? Collections.<String>emptySet()
                : new LinkedHashSet<String>(Arrays.asList(response.getScope())));
        // The JWT is only present when authorization context token generation is enabled in WSO2 IS
        if (response.getAuthorizationContextToken() != null) {
            validationResponse.setJwtToken(response.getAuthorizationContextToken().getTokenString());
        }

        logger.debug("validateAccessToken(String) - end");
        return validationResponse;
    }

    private synchronized void initializeValidationService() throws ApplicationException {
        if (stub != null) {
            return; // another thread has already created the stub
        }
        try {
            String serviceURL = serverUrl + validationServiceName;
            OAuth2TokenValidationServiceStub newStub = new OAuth2TokenValidationServiceStub(null, serviceURL);
            // Admin services are authenticated with HTTP Basic Auth (rememberMe=true keeps the Carbon session)
            CarbonUtils.setBasicAccessSecurityHeaders(adminUsername, adminPassword, true, newStub._getServiceClient());
            ServiceClient client = newStub._getServiceClient();
            Options options = client.getOptions();
            options.setTimeOutInMilliSeconds(TIMEOUT_IN_MILLIS);
            options.setProperty(HTTPConstants.SO_TIMEOUT, TIMEOUT_IN_MILLIS);
            options.setProperty(HTTPConstants.CONNECTION_TIMEOUT, TIMEOUT_IN_MILLIS);
            options.setCallTransportCleanup(true);
            options.setManageSession(true);
            stub = newStub;
        } catch (AxisFault ex) {
            logger.error("initializeValidationService() - Could not create OAuth2TokenValidationService stub", ex);
            throw new ApplicationException("Could not initialize WSO2 token validation service");
        }
    }
}
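The answer wires a tokenServices bean (TokenServiceWSO2) into the oauth2:resource-server filter but does not show that class. The following is an added example, not the original poster's code and not part of WSO2 or Spring Security, of how such a bridge can look: a ResourceServerTokenServices that delegates to the validator shown in the answer, maps the WSO2 scopes to SCOPE_* authorities (question 2) and makes the authorized user the principal (question 3), failing closed on any validation error (question 1). Assumptions: the class name Wso2ResourceServerTokenServices and the package are hypothetical; the answer's OAuth2TokenValidator interface is assumed to declare TokenValidationResponse validateAccessToken(String) throws ApplicationException; the OAuth2Request constructor and ResourceServerTokenServices interface are those of spring-security-oauth2 2.0.x, so the signatures must be checked against the version actually in use.

```java
package com.example.security.oauth2.wso2; // hypothetical package, chosen to match the bean class above

import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Example bridge between the WSO2 validation result and Spring Security (added example).
 * The oauth2:resource-server filter calls loadAuthentication() for every bearer token it extracts.
 */
public class Wso2ResourceServerTokenServices implements ResourceServerTokenServices {

    private static final String SCOPE_AUTHORITY_PREFIX = "SCOPE_";

    private final OAuth2TokenValidator validator; // e.g. the TokenValidatorWSO2 bean from the answer
    private final String resourceId;              // logical name of this resource server, e.g. "demo-api"

    public Wso2ResourceServerTokenServices(OAuth2TokenValidator validator, String resourceId) {
        this.validator = validator;
        this.resourceId = resourceId;
    }

    @Override
    public OAuth2Authentication loadAuthentication(String accessToken) throws InvalidTokenException {
        TokenValidationResponse result = validate(accessToken);

        // Question 2: each scope WSO2 IS reports becomes a SCOPE_<name> authority, so
        // intercept-url rules and @PreAuthorize can require e.g. hasRole('SCOPE_read')
        Set<String> scopes = result.getScope() == null ? Collections.<String>emptySet() : result.getScope();
        List<GrantedAuthority> authorities = toAuthorities(scopes);

        // Question 3: the resource owner reported by WSO2 IS becomes the authenticated principal
        Authentication user = new PreAuthenticatedAuthenticationToken(
                result.getAuthorizedUserIdentifier(), "N/A", authorities);

        // OAuth2TokenValidationService does not return the client id, so it is left null here
        OAuth2Request request = new OAuth2Request(
                Collections.<String, String>emptyMap(), null, authorities, true, scopes,
                Collections.singleton(resourceId), null, null, null);
        return new OAuth2Authentication(request, user);
    }

    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        TokenValidationResponse result = validate(accessToken);
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessToken);
        token.setTokenType(OAuth2AccessToken.BEARER_TYPE);
        token.setScope(result.getScope());
        return token;
    }

    /** Question 1: delegate to WSO2 IS and fail closed on any error or on an invalid token. */
    private TokenValidationResponse validate(String accessToken) {
        if (accessToken == null || accessToken.trim().isEmpty()) {
            throw new InvalidTokenException("Missing access token");
        }
        TokenValidationResponse result;
        try {
            result = validator.validateAccessToken(accessToken);
        } catch (ApplicationException ex) {
            // Keep the 401 body generic; the WSO2 error detail stays in the server log only
            throw new InvalidTokenException("Access token could not be validated");
        }
        if (result == null || !result.isValid()) {
            throw new InvalidTokenException("Invalid access token");
        }
        return result;
    }

    static List<GrantedAuthority> toAuthorities(Set<String> scopes) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<GrantedAuthority>();
        for (String scope : scopes) {
            authorities.add(new SimpleGrantedAuthority(SCOPE_AUTHORITY_PREFIX + scope));
        }
        return new ArrayList<GrantedAuthority>(authorities);
    }
}
```

To use it, point the tokenServices bean in the XML above at this class with the validator and a resource id as constructor arguments, and replace the IS_AUTHENTICATED_ANONYMOUSLY access rule with a scope requirement such as hasRole('SCOPE_read') (with use-expressions="true" on security:http) so that a valid token without the needed scope is rejected with 403 rather than being let through. Note that the raw access token is never written to the log in either class; only the outcome is.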