Are there any examples of non-namespace configuration of OAuth for Spring Security?
For various reasons, we cannot use Spring's namespace configuration. Is there an example of an OAuth 2.0 configuration that does not use the namespace configuration mechanism? Mostly, I am trying to figure out which filters need to be included in the filter chain.
Here are the filters that fire for me in a namespace-based OAuth 2.0 provider configuration. You can get them by setting up the namespace and turning on debug logging for Spring Security:
firing Filter: 'BasicUserApprovalFilter'
firing Filter: 'SecurityContextPersistenceFilter'
firing Filter: 'LogoutFilter'
firing Filter: 'UsernamePasswordAuthenticationFilter'
firing Filter: 'BasicAuthenticationFilter'
firing Filter: 'RequestCacheAwareFilter'
firing Filter: 'SecurityContextHolderAwareRequestFilter'
firing Filter: 'AnonymousAuthenticationFilter'
firing Filter: 'SessionManagementFilter'
firing Filter: 'ExceptionTranslationFilter'
firing Filter: 'OAuth2ExceptionHandlerFilter'
firing Filter: 'VerificationCodeFilter'
firing Filter: 'OAuth2AuthorizationFilter'
firing Filter: 'OAuth2ProtectedResourceFilter'
firing Filter: 'FilterSecurityInterceptor'
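Here is what I set up to get the basic OAuth 2.0 flow working (essentially the same as in the Tonr/Sparklr demo). Our security setup is complex, so I will only copy the relevant snippets below.
First, the filter chain order: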
BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor
Note that the AnonymousAuthenticationFilter is absolutely required, even if you are not using it anywhere else.
Now, the supporting beans:
<bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>
<bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
  <property name="clientDetailsService" ref="clientDetailsService"/>
  <property name="verificationServices" ref="verificationCodeServices"/>
  <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>
  <property name="unapprovedAuthenticationHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
      <!-- This is where you define your confirmation page -->
      <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
    </bean>
  </property>
</bean>
<bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationSuccessHandler">
    <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
      <property name="tokenServices" ref="tokenServices"/>
    </bean>
  </property>
</bean>
<bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
  <property name="tokenServices" ref="tokenServices"/>
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
  <property name="supportRefreshToken" value="true"/>
</bean>
<bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
  <property name="clientDetailsStore">
    <map>
      <entry key="tonr">
        <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
          <property name="clientId" value="tonr"/>
          <property name="authorizedGrantTypes">
            <list>
              <value>authorization_code</value>
              <value>refresh_token</value>
            </list>
          </property>
        </bean>
      </entry>
    </map>
  </property>
</bean>
<bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>
<bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
  <property name="verificationServices" ref="verificationCodeServices"/>
</bean>
<bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
  <property name="clientDetailsService" ref="clientDetailsService"/>
</bean>
<bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>
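Note that the services (client, token, verification code) are just the supplied in-memory versions. You will need to create your own persistent versions.
Finally, you need to wire the providers into the authentication manager: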
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="oauth2AccessGrantAuthenticationProvider"/>
      <ref local="oauth2VerificationAuthenticationProvider"/>
      <ref local="oauth2RefreshAuthenticationProvider"/>
      <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
        <property name="key" value="mykey"/>
      </bean>
    </list>
  </property>
</bean>
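Thanks, this was helpful. Various supporting beans (authentication providers, etc.) are still missing, but this makes it much easier to fill in the gaps.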
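One way to check a hand-assembled chain against the filter order given in the answers, as an added example that is not part of the original posts: it parses the `firing Filter:` debug lines and reports filters that are missing or out of order. The function names and the sample log are constructed for illustration.

```python
import re

# Reference order: the filter chain listed in the answer above.
REFERENCE_ORDER = """BasicUserApprovalFilter SecurityContextPersistenceFilter LogoutFilter
UsernamePasswordAuthenticationFilter BasicAuthenticationFilter RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter SessionManagementFilter
ExceptionTranslationFilter OAuth2ExceptionHandlerFilter VerificationCodeFilter
OAuth2AuthorizationFilter OAuth2ProtectedResourceFilter FilterSecurityInterceptor""".split()

FIRING = re.compile(r"firing Filter: '([^']+)'")

def fired_filters(log_text):
    """Filter names in first-seen order, so repeated requests in one log collapse."""
    return list(dict.fromkeys(FIRING.findall(log_text)))

def compare_chain(log_text, reference=REFERENCE_ORDER):
    """Report filters that are missing, unknown, or out of order versus the reference."""
    rank = {name: i for i, name in enumerate(reference)}
    actual = fired_filters(log_text)
    known = [f for f in actual if f in rank]
    # The longest run with increasing reference ranks is the part of the chain that is
    # already in a valid relative order; anything outside it is what has to move.
    best = [[f] for f in known]
    for i, f in enumerate(known):
        for j in range(i):
            if rank[known[j]] < rank[f] and len(best[j]) + 1 > len(best[i]):
                best[i] = best[j] + [f]
    in_order = max(best, key=len, default=[])
    return {
        "missing": [f for f in reference if f not in actual],
        "unknown": [f for f in actual if f not in rank],
        "misplaced": [f for f in known if f not in in_order],
    }

# Constructed sample: debug output of a hand-wired chain that drops
# AnonymousAuthenticationFilter and fires OAuth2ProtectedResourceFilter
# ahead of ExceptionTranslationFilter.
hand_wired = [f for f in REFERENCE_ORDER if f != "AnonymousAuthenticationFilter"]
hand_wired.remove("OAuth2ProtectedResourceFilter")
hand_wired.insert(hand_wired.index("ExceptionTranslationFilter"), "OAuth2ProtectedResourceFilter")
SAMPLE_LOG = "\n".join(f"firing Filter: '{name}'" for name in hand_wired)

if __name__ == "__main__":
    for kind, names in compare_chain(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Capture the log from a request that runs the whole chain: a request that an earlier filter handles or rejects never reaches the later filters, which would then show up as missing.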