Spring Security OAuth2纯资源服务器 [英] Spring Security OAuth2 pure resource server

问题描述

我们已经设置了OAuth2授权服务器，因此我需要创建一个相应的资源服务器(单独的服务器).我们计划使用Spring Security OAuth2项目.他们用于设置资源服务器的文档:

We already have an OAuth2 authorization server set up, so I need to create a corresponding resource server (separate server). We plan to use the Spring Security OAuth2 project. Their documentation for setting up a resource server:

https://github.com/spring-projects/spring-security-oauth/wiki/oAuth2#resource-server-configuration

token-services-ref应该指向令牌处理bean.但是，似乎令牌处理是由服务器本身完成的，即使它是资源服务器也是如此.似乎没有任何远程令牌服务类或与远程服务器有关的任何配置.这与CloudFoundary UAA( https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml )，它具有:

token-services-ref should point to the token-handling bean. However it seems like the token handling is done by the server itself even though it is the resource server. There doesn't seem to be any remote token services class or any configuration relating to a remote server. This is in contrast with the CloudFoundary UAA (https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml) which has:

<bean id="tokenServices"
  class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices">
  <property name="checkTokenEndpointUrl" value="${checkTokenEndpointUrl}" />

是否可以将Spring Security OAuth2用于与单独的OAuth2授权服务器通信的资源服务器?如何设置通讯端点?

Is there any way to use Spring Security OAuth2 for a resource server that communicates with a separate OAuth2 Authorization server? How can I set the communication endpoint?

推荐答案

只要授权服务器和资源服务器访问共享的tokenStore(例如，将JdbcTokenStore与通用的dataSource一起使用)，这是可能的).您只能将DefaultTokenServices与共享的tokenStore一起使用.下面是一个示例Spring配置，您应该可以对其进行调整以满足您的需求:

This is possible as long as the authorization server and resource server(s) access a shared tokenStore (e.g. using JdbcTokenStore with a common dataSource). You can just use DefaultTokenServices with a reference to your shared tokenStore. Below is an example Spring config which you should be able to tweak to fit your needs:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/security/oauth2
    http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
    <constructor-arg name="dataSource" ref="dataSource" />
</bean>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
</bean>

<bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>

<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />

<oauth2:expression-handler id="oauthExpressionHandler" />

<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>

<oauth2:resource-server id="myResource" resource-id="myResourceId" token-services-ref="tokenServices" />

<security:http pattern="/myPattern/**" create-session="never"
    entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/**" access="SCOPE_READ" method="GET" />
    <security:intercept-url pattern="/**" access="SCOPE_READ" method="HEAD" />
    <security:intercept-url pattern="/**" access="SCOPE_READ" method="OPTIONS" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="PUT" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="POST" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="DELETE" />
    <security:custom-filter ref="myResource" before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
</beans>

这篇关于Spring Security OAuth2纯资源服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！