Java Spring Oauth2隐式流
正在使用Spring实现Oauth2。我想实现隐式工作流。我的配置文件:
@Configuration
@EnableAutoConfiguration
@RestController
public class App {

    // Injected but never read: every JDBC-backed component below reaches the database
    // through the static DBConnector.dataSource instead, so two data sources may be in play.
    @Autowired
    private DataSource dataSource;

    /** Boots the Spring application context. */
    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }

    /** Landing endpoint; open to anonymous callers under the resource-server rules below. */
    @RequestMapping("/")
    public String home() {
        return "Hello World";
    }

    /**
     * Resource-server side: validates bearer tokens against the shared token store.
     *
     * NOTE(review): the HttpSecurity configured here only restricts "/oauth/token" and
     * permits every other request, so no application resource is actually protected
     * by the token. The implicit grant is served by /oauth/authorize, which this
     * matcher does not cover.
     */
    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {
        // Resolves to the JdbcTokenStore bean declared in OAuth2Config below.
        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources)
                throws Exception {
            resources.tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            // Only the token endpoint requires an authenticated caller.
            http.authorizeRequests().antMatchers("/oauth/token").authenticated()
                .and()
                // Everything else, including any protected resource, is open to anonymous callers.
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                // CSRF protection is switched off for this whole filter chain, which also
                // leaves the /login form without cross-site request protection.
                .csrf().disable();
        }
    }

    /** Authorization-server side: registered clients, grant types and token issuance. */
    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
        @Autowired
        private AuthenticationManager auth;

        // Used for client secrets (see configure(ClientDetailsServiceConfigurer)); it is
        // not applied to the user password registered in init(...) below.
        private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

        /** Persists issued tokens in the database reached via DBConnector.dataSource. */
        @Bean
        public JdbcTokenStore tokenStore() {
            return new JdbcTokenStore(DBConnector.dataSource);
        }

        /** Persists authorization codes (authorization_code grant) in the same database. */
        @Bean
        protected AuthorizationCodeServices authorizationCodeServices() {
            return new JdbcAuthorizationCodeServices(DBConnector.dataSource);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security)
                throws Exception {
            // Client secrets presented to the token endpoint are compared with BCrypt.
            security.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            // NOTE(review): approvalStoreDisabled() means no approval store backs the
            // consent step, so scope approvals are presumably not remembered between
            // requests — confirm which UserApprovalHandler is in effect for the implicit flow.
            endpoints.authorizationCodeServices(authorizationCodeServices())
                    .authenticationManager(auth).tokenStore(tokenStore())
                    .approvalStoreDisabled();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            // Registers a single client in the JDBC client table. Review notes:
            //  - secret("test") is a hard-coded, guessable client secret shipped with the config.
            //  - the client is allowed every grant type, including "password" and "implicit",
            //    which widens what a leaked secret or token can do; grant only what the
            //    client actually uses.
            //  - accessTokenValiditySeconds(0): DefaultTokenServices only sets an expiry for a
            //    positive value, so 0 appears to issue access tokens that never expire —
            //    confirm, and prefer a finite lifetime.
            clients.jdbc(DBConnector.dataSource)
                    .passwordEncoder(passwordEncoder)
                    .withClient("my-trusted-client")
                    .secret("test")
                    .authorizedGrantTypes("password", "authorization_code",
                            "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .accessTokenValiditySeconds(0);
            // @formatter:on
        }
    }

    /**
     * Seeds the JDBC user store with a fixed user "dave" when the context starts.
     * No password encoder is set on this builder, so the password is presumably
     * stored as the literal given here — verify against the users table, and do not
     * keep a hard-coded credential in a production configuration.
     */
    @Autowired
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // @formatter:off
        auth.jdbcAuthentication().dataSource(DBConnector.dataSource).withUser("dave")
                .password("secret").roles("USER");
        // @formatter:on
    }
}
到目前为止,这是有效的。数据库中也会生成一个用户
问题如下。当我尝试执行以下请求时:
我总是会得到一个弹出窗口(身份验证),要求我输入用户名和密码。但无论我进入那里,我都不会经过。那么这是怎么回事
我希望,当我调用此url时,我可以取回我的访问令牌。在隐式流的情况下,所有令牌都将通过授权url而不是令牌url生成。因此,您应该使用隐式响应类型点击../oauth/authorize端点。i、 e
../oauth/authorize?response_type=implicit&client_id=trusted_client&redirect_uri=<redirect-uri-of-client-application>.
为什么要禁用跨站点请求伪造?隐式授权流必须将 `response_type` 设置为 `token`。
请参见如何在没有基本身份验证的情况下获取token?(即使我配置了.permitAll()),Spring总是抱怨:访问被拒绝(用户是匿名的),并且不生成令牌。
`response_type=implicit` 不存在,而是 `response_type=token`。
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    // /oauth/authorize is where the implicit grant issues its token, so it now requires an
    // authenticated user; unauthenticated callers are sent to the form login at /login.
    http.authorizeRequests().antMatchers("/oauth/authorize").authenticated()
        .and()
        // Every other request stays open to anonymous callers.
        .authorizeRequests().anyRequest().permitAll()
        .and()
        .formLogin().loginPage("/login").permitAll()
        .and()
        // NOTE(review): CSRF protection stays disabled for the whole chain, including the
        // /login form; confirm this is actually needed rather than keeping it enabled and
        // including the CSRF token in the custom login page.
        .csrf().disable();
}