spring security StateKeyGenerator custom instance

Question

I would like to have better control of the "state" param used in OAuth2 with spring security.

DefaultStateKeyGenerator just returns a random 6 character string.

AuthorizationCodeAccessTokenProvider has a setStateKeyGenerator but I'm not sure how to get an instance to call the setter.

I find it strange that StateKeyGenerator takes an OAuth2ProtectedResourceDetails, but the default implementation just ignores it and there are no details on how to configure your own.

~/repos/jtor > mvn dependency:tree | grep security
[INFO] +- org.springframework.security.oauth:spring-security-oauth2:jar:2.0.14.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:4.2.3.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:4.2.3.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-jwt:jar:1.0.8.RELEASE:compile
[INFO] \- org.springframework.security:spring-security-test:jar:4.2.3.RELEASE:test

Recommended answer

Depending on your usage, you can implement your own StateKeyGenerator then configure beans to use it. You're free to use the resource if it's relevant to your use case but it's ok to ignore it!

Here's a possible configuration:

// Custom generator for the OAuth2 "state" parameter.
@Bean
public StateKeyGenerator stateKeyGenerator() {
    return new CustomStateKeyGenerator();
}

// Authorization-code provider wired to use the custom generator.
@Bean
public AccessTokenProvider accessTokenProvider() {
    AuthorizationCodeAccessTokenProvider accessTokenProvider = new AuthorizationCodeAccessTokenProvider();
    accessTokenProvider.setStateKeyGenerator(stateKeyGenerator());
    return accessTokenProvider;
}

// Session-scoped template; myResource() and accessTokenRequest are defined elsewhere in the configuration.
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
public OAuth2RestTemplate restTemplate() {
    OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(myResource(), new DefaultOAuth2ClientContext(accessTokenRequest));
    restTemplate.setAccessTokenProvider(accessTokenProvider());
    return restTemplate;
}
