Spring Boot 2.0.0 + OAuth2


Question


Does Spring Boot 2 + Spring Security OAuth2 still support the @AuthorizationServer annotation? From reading the release notes some things haven't been ported over:

OAuth2 support

Here is the relevant part of my build.gradle:

Authorization Server

// security
compile "org.springframework.boot:spring-boot-starter-security:${springBootVersion}"
// oauth
// https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2
compile "org.springframework.security.oauth:spring-security-oauth2:2.2.1.RELEASE"

Client Server

// support for Oauth2 user token services not yet migrated into Spring Boot 2.0
compile "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.1.BUILD-SNAPSHOT"


And right now my Authorization Server OAuth2 endpoints just return a 401 when I try to pass a client-id and client-secret in as Basic Authentication to /oauth/token. Passing in a username and password gives a different code path. So it looks like the OAuth filters aren't quite lined up.

I also found this: Spring Boot 2 OAuth2 starter changes.


Has there been a configuration update or do I need a different set of gradle dependencies to restore the Authorization Server to its previous state?

Thanks!

Update


I wanted to close the loop on this question. In addition to encrypting the client-secrets, the RedisTokenStore issue has also been resolved as of Spring OAuth 2.3.2: Spring OAuth 2.3.2

Answer


Spring Security 5 uses a modernized password storage, see OAuth2 Autoconfig:


If you use your own authorization server configuration to configure the list of valid clients through an instance of ClientDetailsServiceConfigurer as shown below, take note that the passwords you configure here are subject to the modernized password storage that came with Spring Security 5.


To solve your problem, see Spring Security Reference:

Troubleshooting


The following error occurs when one of the passwords that are stored has no id as described in the section called "Password Storage Format".

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
     at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:233)
     at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:196)


The easiest way to resolve the error is to switch to explicitly provide the PasswordEncoder that your passwords are encoded with. The easiest way to resolve it is to figure out how your passwords are currently being stored and explicitly provide the correct PasswordEncoder. If you are migrating from Spring Security 4.2.x you can revert to the previous behavior by exposing a NoOpPasswordEncoder bean. For example, if you are using Java Configuration, you can create a configuration that looks like:


Reverting to NoOpPasswordEncoder is not considered to be secure. You should instead migrate to using DelegatingPasswordEncoder to support secure password encoding.

import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

// Restores the pre-5.0 behaviour: secrets are compared in plain text, no {id} prefix required.
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
    return NoOpPasswordEncoder.getInstance();
}


If you are using XML configuration, you can expose a PasswordEncoder with the id passwordEncoder:

<b:bean id="passwordEncoder"
   class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/>


Alternatively, you can prefix all of your passwords with the correct id and continue to use DelegatingPasswordEncoder. For example, if you are using BCrypt, you would migrate your password from something like:

$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG

to

{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
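As an added illustration of the answer's advice (not code from the question or from Spring's documentation), here is a Spring Boot 2 authorization server configuration that keeps DelegatingPasswordEncoder and stores the client secret with its {bcrypt} id prefix, so the /oauth/token Basic-auth check from the question succeeds without falling back to NoOpPasswordEncoder. The class name, the client id web-client, the grant type and the scope are assumptions; the hash is the sample one quoted in the answer.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Hypothetical class name; illustrates the answer, not the question author's project.
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Spring Security 5 default: a DelegatingPasswordEncoder that reads the {id}
    // prefix of each stored secret and dispatches to the matching encoder
    // (bcrypt, pbkdf2, scrypt, noop, ...). A secret with no prefix has id "null",
    // which is exactly the IllegalArgumentException quoted in the answer.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/token authenticates the client via HTTP Basic (client-id:client-secret);
        // the presented secret is matched against the stored one with this encoder.
        security.passwordEncoder(passwordEncoder())
                .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("web-client")   // assumed client id
            // Stored secret = "{bcrypt}" + bcrypt hash (the sample hash from the answer).
            // "{noop}plaintext" would also parse, but is the insecure NoOp equivalent.
            .secret("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
            .authorizedGrantTypes("client_credentials")   // assumed grant type
            .scopes("read");                               // assumed scope
    }
}
```

Existing secrets that were stored as bare bcrypt hashes only need the {bcrypt} prefix prepended; no re-hashing is required.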
