Spring Security OAuth2: Purge TokenStore

Question

Is there any way to configure Spring Security OAuth2 so it automatically purges the TokenStore?

I want to remove the expired tokens from time to time. I've seen the InMemoryTokenStore code and it performs a flush every now and again.

But JdbcTokenStore does not perform any purge, so who is in charge of removing the expired tokens from the storage?

I've implemented a TokenStore that uses MongoDB as storage, but I have the same problem. Nobody is removing the expired tokens from the storage.

Recommended answer

Unfortunately, JdbcTokenStore does not purge expired tokens automatically. It's up to you to purge old tokens. Here's an idea how I would add such a mechanism.

Expiration date is part of OAuth2AccessToken, which gets persisted as a serialized Java object in the database. In order to detect whether an OAuth2AccessToken is eligible for deletion you would need to read it from the database and deserialize it. This may lead to performance penalties where you need to purge a high amount of OAuth2AccessTokens.

My suggestion is to expand oauth_access_token table by a column expiration of type TIMESTAMP (H2 dialect) for saving expiration date.

create table oauth_access_token (
  token_id VARCHAR(256),
  token LONGVARBINARY,
  authentication_id VARCHAR(256),
  user_name VARCHAR(256),
  client_id VARCHAR(256),
  authentication LONGVARBINARY,
  refresh_token VARCHAR(256),
  expiration TIMESTAMP
);

Extend JdbcTokenStore and override storeAccessToken method. Don't forget to alter insertAccessTokenSql in order to honor new column expiration in the insert statement.

// Note: jdbcTemplate, insertAccessTokenSql and authenticationKeyGenerator are private
// in JdbcTokenStore, so the subclass has to hold its own copies of them.
@Override
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
    String refreshToken = null;
    if (token.getRefreshToken() != null) {
        refreshToken = token.getRefreshToken().getValue();
    }

    // Replace any existing row for this token value.
    if (readAccessToken(token.getValue()) != null) {
        removeAccessToken(token.getValue());
    }

    jdbcTemplate.update(insertAccessTokenSql,
            new Object[] {
                extractTokenKey(token.getValue()),
                new SqlLobValue(serializeAccessToken(token)),
                authenticationKeyGenerator.extractKey(authentication),
                authentication.isClientOnly() ? null : authentication.getName(),
                authentication.getOAuth2Request().getClientId(),
                new SqlLobValue(serializeAuthentication(authentication)),
                extractTokenKey(refreshToken),
                token.getExpiration() },  // value for the new expiration column
            new int[] {
                Types.VARCHAR, Types.BLOB, Types.VARCHAR, Types.VARCHAR,
                Types.VARCHAR, Types.BLOB, Types.VARCHAR, Types.TIMESTAMP });
}

Enable Spring's Task Execution and Scheduling and add a scheduled method which purges old tokens.

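// fixedRate is in milliseconds: this runs every 10 seconds.
@Scheduled(fixedRate = 10000)
public void purgeOldTokens() {
    java.util.Date now = new java.util.Date();
    // Rows whose expiration is NULL are not matched by this comparison.
    jdbcTemplate.update("delete from oauth_access_token where expiration < ?", now);
}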

Caution. This code just demonstrates my idea. I can't guarantee that there are no errors. Your code may and should vary from my example code.
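
Added example, not part of the original answer or of Spring Security OAuth2: rows written before the expiration column existed have expiration = NULL, which the purge query above never matches, so a one-off backfill has to deserialize those tokens once and fill the column. The class and method names are hypothetical; it assumes the oauth_access_token schema shown above and the SerializationUtils class shipped with spring-security-oauth2.

```java
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.List;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowCallbackHandler;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.SerializationUtils;

/** Hypothetical one-off migration helper for the added expiration column. */
public class TokenExpirationBackfill {

    private final JdbcTemplate jdbcTemplate;

    public TokenExpirationBackfill(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    /** Fills expiration for rows stored before the column existed; returns rows updated. */
    public int backfill() {
        List<Object[]> updates = new ArrayList<>();
        // Only legacy rows are read, so the costly deserialization happens once per token.
        jdbcTemplate.query(
            "select token_id, token from oauth_access_token where expiration is null",
            (RowCallbackHandler) rs -> {
                OAuth2AccessToken token = SerializationUtils.deserialize(rs.getBytes("token"));
                // Tokens issued without an expiry keep NULL on purpose: they never expire,
                // and "expiration < ?" will correctly leave them alone.
                if (token.getExpiration() != null) {
                    updates.add(new Object[] {
                        new Timestamp(token.getExpiration().getTime()),
                        rs.getString("token_id") });
                }
            });

        int updated = 0;
        for (int n : jdbcTemplate.batchUpdate(
                "update oauth_access_token set expiration = ? where token_id = ?", updates)) {
            // Some drivers report SUCCESS_NO_INFO (-2) for batch entries; count those as 0.
            updated += Math.max(n, 0);
        }
        return updated;
    }
}
```

Run it once after the schema change and before relying on the scheduled purge; an index on the expiration column keeps the recurring delete from scanning the whole table.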
