How to use Spring OAuth2 JWT Token?


Problem description


We want to use the Spring OAuth2 JWT Token support. Our architecture is as follows: Spring just provides a REST interface, and the frontend is built with AngularJS, which queries the Spring REST interface. For authorization purposes our frontend team wants to use JWT. So I have taken a look at the Spring OAuth2 JWT support and still do not really know how to talk with the frontend about JWT tokens. After reading a little tutorial I have implemented this:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@SpringBootApplication
public class Application {

    // Token services created by @EnableAuthorizationServer; injected by bean name.
    @Autowired
    @Qualifier("defaultAuthorizationServerTokenServices")
    private DefaultTokenServices tokenServices;

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
        //TODO comments
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        // Left commented out as posted. Without injection authManager is null and the
        // "password" grant cannot authenticate users; Spring Security OAuth2 needs an
        // AuthenticationManager bean here (e.g. exposed via authenticationManagerBean()
        // in a WebSecurityConfigurerAdapter).
        //@Autowired
        private AuthenticationManager authManager;

        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            // Encodes access tokens as signed JWTs. With no signing key set, the
            // converter generates a random HMAC key at startup, so a separate resource
            // server cannot verify these tokens unless the same key is configured.
            return new JwtAccessTokenConverter();
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // /oauth/token_key (the verifier key) is public; /oauth/check_token needs a trusted client.
            oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
                       .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authManager).accessTokenConverter(accessTokenConverter());
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
            .withClient("my-trusted_client")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                // Short-lived access token; the refresh_token grant renews it.
                .accessTokenValiditySeconds(60)
            .and()
            .withClient("my-client-with-registered-redirect")
                .authorizedGrantTypes("authorization_code")
                .authorities("ROLE_CLIENT")
                .scopes("read", "trust")
                .redirectUris("http://anywhere?key=value")
            .and()
            .withClient("my-client-with-secret")
                .authorizedGrantTypes("client_credentials", "password")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write")
                // Placeholder client secret as posted; a real deployment uses a strong, configured value.
                .secret("secret");
        }
    }
}


I'm not sure how the workflow is. What I guess: the frontend accesses the /oauth/authorization endpoint to authorize its token, and then the Spring backend has to check, every time a resource is requested, whether the JWT token is authorized to access the resource? Right? So how can I tell Spring to check the token when a REST endpoint is requested? I have tried it with

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProjectController {

    // As posted. In Spring Security OAuth2 2.x the equivalent expression is
    // #oauth2.clientHasRole('ROLE_CLIENT'), which only resolves when
    // OAuth2MethodSecurityExpressionHandler is the method-security expression
    // handler; and without @EnableResourceServer the bearer token is never
    // parsed before this check runs.
    @RequestMapping("/projects")
    @PreAuthorize("oauthClientHasRole('ROLE_CLIENT')")
    public String getProjects() {
        return "";
    }
}

But this does not seem to work.

Recommended answer


You can take a look at the new spring-cloud-samples sso sample. To me this was the best sample to play with to understand how it is done.


Also, once you get your head around it, you can read this tutorial, which is a bit more technical and more about how to do it with RSA asymmetric keypairs.
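As an added example (not code from the question, the answer, or the linked samples), this is the piece the question is missing: a resource server configuration that makes Spring verify the bearer JWT on every request to the REST endpoints and enforce its scope, with a note on where the RSA verifier key goes for the asymmetric setup the answer's tutorial covers. It assumes spring-security-oauth2 2.x on the classpath and that the authorization server's JwtAccessTokenConverter is given the same signing key via setSigningKey (the question's converter uses a random key by default, so its tokens would not verify here); the class name and the key value are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Placeholder value (assumption): load the real key from configuration, never hard-code it.
    private static final String SIGNING_KEY = "CHANGE-ME-shared-hmac-secret";

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Symmetric HMAC: the authorization server's JwtAccessTokenConverter must
        // be given the same key. For an RSA keypair, call setVerifierKey(publicPem)
        // here and setSigningKey(privatePem) on the authorization server instead.
        converter.setSigningKey(SIGNING_KEY);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // Stateless: the store decodes the bearer JWT and checks its signature
        // and expiry on every request; nothing is looked up in a database.
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // This is what makes Spring parse "Authorization: Bearer <jwt>" on
        // incoming requests. No resourceId is set because the clients in the
        // question register none, and a mismatch would reject every token.
        resources.tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The token must carry the "read" scope; #oauth2.* expressions come
            // from Spring Security OAuth2's expression handler.
            .antMatchers("/projects/**").access("#oauth2.hasScope('read')")
            .anyRequest().authenticated();
    }
}
```

A request without a valid, unexpired, correctly signed JWT is rejected with 401 before any controller runs; a valid token lacking the "read" scope gets 403.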
