Spring security oauth 2 simple example


Problem description

I try to implement my own example based on the official tutorial Sparklr2/Tonr2. Everything looks good, but when I remove the Spring Security filter from web.xml in my Tonr2 implementation, I get an exception:

No redirect URI has been established for the current request

I can't understand which URL I should use. Here is my code for the client implementation:

<!--apply the oauth client context -->
<oauth:client id="oauth2ClientFilter" />

<!--define an oauth 2 resource for sparklr -->
<oauth:resource id="provider" type="authorization_code" client-id="client" client-secret="secret" 
    access-token-uri="http://localhost:8080/provider/oauth/token" user-authorization-uri="http://localhost:8080/provider/oauth/authorize" scope="read,write" />

<beans:bean id="clientController" class="com.aouth.client.ClientController">
    <beans:property name="trustedClientRestTemplate">
        <oauth:rest-template resource="provider" />
    </beans:property>
</beans:bean>

For the provider:

<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic />
</http>

<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
    separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
<http pattern="/secured" create-session="never" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/secured" access="ROLE_USER,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <http-basic />
</http>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<oauth:resource-server id="resourceServerFilter" resource-id="resource" token-services-ref="tokenServices" />

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="clientDetailsService" ref="clientDetails"/>
</bean>

<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

<http auto-config="true" xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/test" access="ROLE_USER" />
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service>
            <user name="pr" password="pr" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" >
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

<oauth:client-details-service id="clientDetails">
    <oauth:client client-id="client" resource-ids="resource" authorized-grant-types="authorization_code, implicit"
        authorities="ROLE_CLIENT" scope="read,write" secret="secret" />
</oauth:client-details-service>

I just want my client to work without Spring Security. And when I need my protected resource, I want to log in only on the provider side.

Answer

Your 2nd XML that you pasted here is Spring's XML for the oauth-provider and the protected-resource, which in your case run in the same webapp. (You can separate them, of course, if you wish.)

The client (the 1st pasted XML) is a different story. If I understand you correctly, you want your client to run without Spring's help (to be a regular webapp, and not a spring-security-oauth-client webapp).

You have to understand how oAuth works: the client tries to get to a protected resource; if it does not have the access-token, it is redirected to the oAuth-provider (which shows the login page and supplies the token). By the standard, the request for the access-token MUST contain a "redirect-uri" param, so after a successful login the oAuth-provider knows where to redirect the client to. The oAuth client does this for you, and if you delete the "oauth client" from your web.xml, you now have to implement this by yourself.

Thanks for your answer. But I still don't understand how Spring Security influences my oAuth client. And can I use spring-oauth (spring-mvc) for the client side without spring-security?

When you write this line in your XML:

<oauth:client id="oauth2ClientFilter" />

it means that you use spring-security-oauth, which is a package dedicated to oauth, built on spring-security. If you dig in, it puts a special filter (OAuth2ClientContextFilter) in the chain that handles the oAuth concerns relevant to the client. One of them is sending the request with all the params ("redirect-uri" is one of them).

If you decide NOT to use spring-security-oauth, well, you will have to implement this logic by yourself...

Hope it helps!
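To make the answer's point concrete, here is an added example (not from the original post or from Spring) of the three client-side steps that OAuth2ClientContextFilter otherwise performs for you: build the authorization redirect carrying redirect_uri and a state value, validate the callback, and build the token request. The endpoint URLs, client id, secret and scopes come from the question's XML; REDIRECT_URI and the state handling are assumptions, and the code builds the HTTP messages without sending them.

```python
# Added example, not part of the original question or answer, and not Spring code.
# Provider endpoints and client credentials are taken from the question's XML;
# REDIRECT_URI is constructed here (the question's client-details-service does
# not register one) and would need to be registered on the provider.
import base64
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URI = "http://localhost:8080/provider/oauth/authorize"
TOKEN_URI = "http://localhost:8080/provider/oauth/token"
CLIENT_ID, CLIENT_SECRET = "client", "secret"
SCOPE = "read write"  # the XML lists "read,write"; RFC 6749 separates scopes by spaces
REDIRECT_URI = "http://localhost:8080/client/callback"  # constructed value


def new_state():
    """Unguessable per-session value that binds the callback to this login attempt."""
    return secrets.token_urlsafe(16)


def build_authorization_redirect(state):
    """Step 1: the URL the browser is sent to when no access token is present.
    redirect_uri tells the provider where to send the user back after login."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
    return AUTHORIZE_URI + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Step 2: the provider redirects back with ?code=...&state=...
    Reject the callback unless state matches the value stored for this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this session")
    if "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["unknown"])[0])
    return query["code"][0]


def build_token_request(code):
    """Step 3: exchange the code at /oauth/token. The provider's /oauth/token
    <http> block uses <http-basic/>, so the client authenticates with HTTP Basic;
    redirect_uri is repeated and must match the one used in step 1."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_URI, headers, body
```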
