Fatal编程技术网
  • oauth/
  • 有没有关于Oauth for Spring Security的非命名空间配置的示例?

有没有关于Oauth for Spring Security的非命名空间配置的示例?

oauth spring-security

有没有关于Oauth for Spring Security的非命名空间配置的示例?,oauth,spring-security,Oauth,Spring Security,由于各种原因,我们不能使用Spring的命名空间配置。是否有一个OAuth 2.0配置的示例不使用名称空间配置机制?大多数情况下,我都在试图找出哪些过滤器需要包含在过滤器链中。以下是在基于名称空间的OAuth 2.0提供程序配置中为我启动的过滤器。您可以通过在SpringSecurity上设置名称空间并打开调试日志来获取它们 firing Filter: 'BasicUserApprovalFilter' firing Filter: 'SecurityContextPersistenceFil

由于各种原因,我们不能使用Spring的命名空间配置。是否有一个OAuth 2.0配置的示例不使用名称空间配置机制?大多数情况下,我都在试图找出哪些过滤器需要包含在过滤器链中。

以下是在基于名称空间的OAuth 2.0提供程序配置中为我启动的过滤器。您可以通过在SpringSecurity上设置名称空间并打开调试日志来获取它们

firing Filter: 'BasicUserApprovalFilter'
firing Filter: 'SecurityContextPersistenceFilter'
firing Filter: 'LogoutFilter'
firing Filter: 'UsernamePasswordAuthenticationFilter'
firing Filter: 'BasicAuthenticationFilter'
firing Filter: 'RequestCacheAwareFilter'
firing Filter: 'SecurityContextHolderAwareRequestFilter'
firing Filter: 'AnonymousAuthenticationFilter'
firing Filter: 'SessionManagementFilter'
firing Filter: 'ExceptionTranslationFilter'
firing Filter: 'OAuth2ExceptionHandlerFilter'
firing Filter: 'VerificationCodeFilter'
firing Filter: 'OAuth2AuthorizationFilter'
firing Filter: 'OAuth2ProtectedResourceFilter'
firing Filter: 'FilterSecurityInterceptor'
下面是我为使基本OAuth 2.0流程正常工作而设置的内容(基本上与Tonr/Sparkr演示中的相同)。我们的安全设置很复杂,所以我将只复制下面的相关片段

首先,过滤器链顺序:

BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor
请注意,
匿名身份验证过滤器
是绝对必需的,即使您没有在其他任何地方使用它

现在,支持bean:

<bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>

<bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
    <property name="clientDetailsService" ref="clientDetailsService"/>
    <property name="verificationServices" ref="verificationCodeServices"/>
    <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>

    <property name="unapprovedAuthenticationHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <!-- This is where you define your confirmation page -->
            <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
        </bean>
    </property>
</bean>

<bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationSuccessHandler">
        <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
            <property name="tokenServices" ref="tokenServices"/>
        </bean>
    </property>
</bean>

<bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
    <property name="tokenServices" ref="tokenServices"/>
</bean>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
    <property name="supportRefreshToken" value="true"/>
</bean>

<bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
    <property name="clientDetailsStore">
        <map>
            <entry key="tonr">
                <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
                    <property name="clientId" value="tonr"/>
                    <property name="authorizedGrantTypes">
                        <list>
                            <value>authorization_code</value>
                            <value>refresh_token</value>
                        </list>
                    </property>
                </bean>
            </entry>
        </map>
    </property>
</bean>

<bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>

<bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
    <property name="verificationServices" ref="verificationCodeServices"/>
</bean>

<bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
    <property name="clientDetailsService" ref="clientDetailsService"/>
</bean>

<bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>



授权代码
刷新令牌
请注意,服务(客户端、令牌、验证代码)只是内存中提供的版本。您需要创建自己的持久版本

最后,您需要将提供者绑定到身份验证管理器中:

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="oauth2AccessGrantAuthenticationProvider"/>
                <ref local="oauth2VerificationAuthenticationProvider"/>
                <ref local="oauth2RefreshAuthenticationProvider"/>
                <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                    <property name="key" value="mykey"/>
                </bean>
            </list>
        </property>
    </bean>
谢谢,这很有帮助。仍然缺少各种支持bean(身份验证提供者等),但这使得填补空白变得更容易。