Spring security 具有隐式和密码流的Spring OAuth2
我正在尝试使用隐式、密码和授权流使用SpringOAuth2设置一个项目 当我使用相同的令牌端点进行隐式验证和其他两种验证时,出现了我的问题,密码和授权需要基本身份验证进行客户端验证,而隐式验证不验证客户端机密,我希望使用更严格的登录/密码身份验证进行用户授权 因此,根据配置,一个或两个流可以工作。 拥有两个端点似乎是最简单的解决方案,但我找不到如何实现这一点Spring security 具有隐式和密码流的Spring OAuth2,spring-security,oauth-2.0,Spring Security,Oauth 2.0,我正在尝试使用隐式、密码和授权流使用SpringOAuth2设置一个项目 当我使用相同的令牌端点进行隐式验证和其他两种验证时,出现了我的问题,密码和授权需要基本身份验证进行客户端验证,而隐式验证不验证客户端机密,我希望使用更严格的登录/密码身份验证进行用户授权 因此,根据配置,一个或两个流可以工作。 拥有两个端点似乎是最简单的解决方案,但我找不到如何实现这一点 <?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="http:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!--
<sec:http pattern="/external/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" entry-point-ref="authenticationEntryPoint">
<sec:intercept-url pattern="/external/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
-->
<sec:http pattern="/external/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<sec:intercept-url pattern="/external/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false" />
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="blablabla" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenStore" class="com.proton.oauthprovider.service.ProtOnTokenStore" />
<bean id="clientDetails" class="com.proton.oauthprovider.service.ProtOnClientDetailsService" />
<bean id="oauthCodeDetails" class="com.proton.oauthprovider.service.ProtOnAuthorizationCodeServices" />
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="userApprovalHandler" class="com.proton.oauthprovider.service.OAuthUserApprovalHandler">
<property name="autoApproveClients">
<set>
<!-- <value>rest-client</value> -->
</set>
</property>
<property name="tokenServices" ref="tokenServices" />
</bean>
<oauth:authorization-server client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/external/oauth/authorize"
user-approval-page="forward:/external/oauth/confirm_access"
error-page="forward:/external/oauth/error"
token-endpoint-url="/external/oauth/token" >
<oauth:authorization-code authorization-code-services-ref="oauthCodeDetails"/>
<oauth:implicit/>
<oauth:refresh-token />
<oauth:password authentication-manager-ref="authenticationManager"/>
</oauth:authorization-server>
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<!-- Override the default mappings for approval and error pages -->
<bean id="accessConfirmationController" class="com.proton.oauthprovider.controller.AccessConfirmationController">
<property name="clientDetailsService" ref="clientDetails" />
</bean>
</beans>
authenticationEntryPoint是登录表单入口点,Sparkr和tonr的自定义类基本相同,只是使用DB后端存储客户端和令牌数据。好的,我搞错了,隐式流不使用令牌端点,它使用授权端点。
因此,前面的配置是正常的,我只需要将隐式流指向/oauth/authorize/,它就可以正常工作。我不知道如何让它以这种方式工作。对于SpringOAuth2密码流,您应该从/oauth/token获取访问令牌。我也犯了同样的404错误,我的案子符合你的描述。我的问题是,我没有在web.xml中正确设置DispatcherServlet。