Spring OAuth2 XML configuration for Client and Resource Server


Question

Can anyone help me with a very basic configuration in XML to make my Spring application act as an OAuth2/OIDC resource server as well as a client?

What do I have?

A Spring Web MVC application with Spring Security LDAP authentication.

What do I want to achieve?

  1. If a user tries to access any resource in my application (e.g. index.html), he should be asked for his credentials (a pop-up or a redirect to a login page).
  2. The application should connect to a third-party authorization server and obtain an OAuth2 access token and refresh token.
  3. Once the access token has been received, the application should create a session and serve the resource requested in step 1.
  4. When the user clicks logout or the session expires, the flow starts again from step 1.

What have I tried so far?

I have tried this with Spring Boot and OIDC. But I am looking for some good reference to achieve the above with XML configuration. Please note that I cannot use Spring Boot or any Java configuration.

Any ideas or suggestions on how to start all this?

Thanks.

Answer

First, I must say that you can find good examples in Spring's OAuth Samples section.

Anyhow, I created an oAuth-sample-project (GitHub) when I played with it a while back, so here are the interesting parts. Take into account that you have to learn a bit from the docs and drill into the code... but I think it is a good starting point.

Client XML:

<sec:http authentication-manager-ref="authenticationManager">
    <sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
    <sec:anonymous/>

    <!-- sec:form-login/-->

    <!-- local form login of the client application itself -->
    <sec:form-login
        login-page="/login/login.htm"
        authentication-failure-url="/login/login.htm?login_error=1" />

    <!-- OAuth2 client context filter: handles UserRedirectRequiredException by redirecting the browser
         to the authorization server -->
    <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="userDetailsService"/>
</sec:authentication-manager>

<!-- in-memory user for the sample; the question's LDAP provider would be wired in here instead -->
<sec:user-service id="userDetailsService">
    <sec:user name="admin" password="admin" authorities="ROLE_USER,ROLE_ADMIN" />
</sec:user-service>

<!--apply the oauth client context-->
<oauth:client id="oauth2ClientFilter" />

<!-- protected resource obtained through the authorization-code grant;
     client credentials are resolved from externalized properties -->
<oauth:resource id="butkecResource"
                type="authorization_code"
                client-id="${oauth2.client.id}"
                client-secret="${oauth2.client.secret}"
                access-token-uri="${oauth2.client.accessTokenUri}"
                user-authorization-uri="${oauth2.client.userAuthorizationUri}"
                scope="read"/>

<!--define an oauth2 resource for facebook. according to the facebook docs, the 'client-id' is the App ID, and the 'client-secret'
    is the App Secret -->
<oauth:resource id="facebook"
    type="authorization_code"
    client-id="233668646673605"
    client-secret="33b17e044ee6a4fa383f46ec6e28ea1d"
    authentication-scheme="query"
    access-token-uri="https://graph.facebook.com/oauth/access_token"
    user-authorization-uri="https://www.facebook.com/dialog/oauth"
    token-name="oauth_token"
    client-authentication-scheme="form" />

The full snippet is here.

Resource Server XML:

<!-- public pages served without any security -->
<security:http pattern="/index.html" security="none"/>
<security:http pattern="/browse" security="none"/>
<!-- security:http pattern="/welcome" security="none"/-->
<security:http pattern="/js/**" security="none"/>

<!-- everything else requires a valid access token; authentication and access errors
     are rendered as OAuth2 error responses -->
<security:http  entry-point-ref="oauthAuthenticationEntryPoint"
                access-decision-manager-ref="accessDecisionManager">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <!-- extracts the access token from the request and authenticates it through tokenServices -->
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:anonymous />
</security:http>
...
...
<oauth:resource-server id="resourceServerFilter"
                       token-services-ref="tokenServices" />

<!-- token lookup is delegated to the token store below -->
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" >
    <property name="tokenStore" ref="tokenStore" />
</bean>

<!-- project-specific TokenStore implementation -->
<bean id="tokenStore" class="com.ohadr.oauth.resource_server.token.MyTokenStore" />

<!-- answers unauthenticated requests with 401 and a WWW-Authenticate Bearer challenge for this realm -->
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="butkec" />
</bean>

The full file can be found here.

I think here is not a good place to explain every bit and byte, but again - in the Spring docs you can find great explanations (I managed to learn it all from there...)
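For the third-party authorization server the question describes, the resource server has to ask that server whether a bearer token is valid rather than look it up in a local MyTokenStore; this added example (not from the answer's project) does that with Spring Security OAuth2's RemoteTokenServices and resolves the ${oauth2.client.*} placeholders from a properties file, so no client secret is written into the XML the way the Facebook block above does. The oauth2.checkTokenUri property name and the properties-file location are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the answer's project. Assumes oauth2.properties
     holds oauth2.client.id, oauth2.client.secret and oauth2.checkTokenUri
     (the authorization server's check_token endpoint; name is an assumption). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/security/oauth2
         http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <!-- Resolve ${oauth2.*} placeholders from a file kept out of the WAR and out of
         source control, instead of literal client-secret values in this XML. -->
    <context:property-placeholder location="classpath:oauth2.properties"/>

    <!-- Same filter as on the page; only the token services behind it change. -->
    <oauth:resource-server id="resourceServerFilter"
                           token-services-ref="tokenServices"/>

    <!-- Validate each bearer token by calling the authorization server's check_token
         endpoint. clientId/clientSecret authenticate this resource server to that
         endpoint; they are never compared against the user's token itself. -->
    <bean id="tokenServices"
          class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
        <property name="checkTokenEndpointUrl" value="${oauth2.checkTokenUri}"/>
        <property name="clientId" value="${oauth2.client.id}"/>
        <property name="clientSecret" value="${oauth2.client.secret}"/>
    </bean>
</beans>
```

Every request to the resource server now costs a round trip to the authorization server, so this trades the local store's speed for not having to share the token store between the two applications.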
