Problem description
Spring Security 4.2.3. I have the default endpoint /oauth/token, and I need to create a new endpoint with the same request parameters and response. So, this is my WebSecurityConfigurerAdapter
```java
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableResourceServer
@AllArgsConstructor
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Custom filter that listens on /user/verify (see JWTAuthenticationFilter below)
        JWTAuthenticationFilter filter = new JWTAuthenticationFilter(authenticationManager);
        http.sessionManagement().sessionCreationPolicy(STATELESS)
            .and()
            .cors()
            .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .authorizeRequests()
                // Matchers are evaluated in order: specific paths must precede the "/**" catch-all,
                // otherwise the later rules are never reached.
                .antMatchers("/bbbbbb/**").authenticated()
                .antMatchers("/aaaaaa/**").permitAll()
                .antMatchers("/**").permitAll()
            .and()
            .addFilterAfter(filter, BasicAuthenticationFilter.class)
            .logout().logoutSuccessUrl("/").permitAll();
    }
}
```
AuthorizationServerConfigurerAdapter
```java
import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // TokenProperties is the application's own properties class (token lifetimes in seconds)
    private final TokenProperties tokenProperties;
    private final AuthenticationManager authenticationManager;
    private final TokenStore tokenStore;
    private final AccessTokenConverter accessTokenConverter;
    private final UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // Lets clients send client_id/client_secret as form parameters instead of HTTP Basic
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
            .accessTokenConverter(accessTokenConverter)
            // Needed by the password grant to authenticate the resource owner
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("rest-client")
            .secret("rest-client")
            .authorizedGrantTypes("password", "refresh_token")
            .authorities("ROLE_CLIENT")
            .scopes("read", "write")
            .accessTokenValiditySeconds(tokenProperties.getTokenLifeTime())
            .refreshTokenValiditySeconds(
                tokenProperties.getRefreshTokenLifeTime() == 0
                    ? tokenProperties.getTokenLifeTime() * 3600
                    : tokenProperties.getRefreshTokenLifeTime()
            );
    }
}
```
Some configuration
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    // Provider that authenticates end users (resource owners) against the UserDetailsService
    @Bean
    @SuppressWarnings("deprecation") // SaltSource is deprecated in Spring Security 4.x
    AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
                                                  PasswordEncoder passwordEncoder,
                                                  SaltSource saltSource) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setSaltSource(saltSource);
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }
}
```
I implemented ClientCredentialsTokenEndpointFilter with the new endpoint "user/verify" to keep the security logic.
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;

public class JWTAuthenticationFilter extends ClientCredentialsTokenEndpointFilter {

    private final AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        // The path this filter processes instead of the default /oauth/token
        super("/user/verify");
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // Parent reads client_id/client_secret from the request and authenticates them
        // through getAuthenticationManager()
        return super.attemptAuthentication(request, response);
    }

    @Override
    protected AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }
}
```
But while debugging Spring's flow I found that /oauth/token calls InMemoryClientDetailsService#loadClientByClientId and afterwards the implementation of UserDetailsService#loadUserByUsername, whereas my custom /user/verify skips InMemoryClientDetailsService and calls UserDetailsService#loadUserByUsername directly, so I get some exceptions in my PasswordEncoder. What can I do to keep the same flow?
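An added example (not the poster's code) that keeps the client-authentication step of /oauth/token on the custom endpoint. ClientCredentialsTokenEndpointFilter authenticates the client_id/client_secret pair through whatever AuthenticationManager its getAuthenticationManager() returns; on /oauth/token that manager is backed by ClientDetailsUserDetailsService (which is why loadClientByClientId runs there), while the filter above is handed the user-facing manager, so "rest-client" is looked up as a user. The class name ClientAuthenticatingVerifyFilter and the clientSecretEncoder parameter are assumed; the ClientDetailsService is assumed to be the bean behind the in-memory "rest-client" definition.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;

// Hypothetical filter for /user/verify that authenticates the OAuth client the same way
// the built-in /oauth/token endpoint does: against ClientDetailsService, not UserDetailsService.
public class ClientAuthenticatingVerifyFilter extends ClientCredentialsTokenEndpointFilter {

    private final AuthenticationManager clientAuthenticationManager;

    // clientDetailsService: the bean that holds the "rest-client" definition (assumed).
    // clientSecretEncoder: an encoder matching how client secrets are stored (assumed);
    // the question stores the secret in plain text, so the encoder must match that.
    public ClientAuthenticatingVerifyFilter(ClientDetailsService clientDetailsService,
                                            PasswordEncoder clientSecretEncoder) {
        super("/user/verify");
        // ClientDetailsUserDetailsService adapts ClientDetailsService to the UserDetailsService
        // contract, so loadClientByClientId is what ends up being called for client_id.
        DaoAuthenticationProvider clientProvider = new DaoAuthenticationProvider();
        clientProvider.setUserDetailsService(new ClientDetailsUserDetailsService(clientDetailsService));
        clientProvider.setPasswordEncoder(clientSecretEncoder);
        this.clientAuthenticationManager =
            new ProviderManager(Collections.singletonList(clientProvider));
    }

    @Override
    protected AuthenticationManager getAuthenticationManager() {
        // Client credentials are checked here; the resource owner (username/password) is
        // authenticated separately by the user-facing AuthenticationManager, as on /oauth/token.
        return clientAuthenticationManager;
    }
}
```

The user-facing AuthenticationManager (the DaoAuthenticationProvider over UserDetailsService from SecurityConfig) should only see the resource-owner credentials, never the client_id, which is the separation that avoids the PasswordEncoder exceptions described in the question.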