spring security StateKeyGenerator custom instance
Problem description
I would like to have better control of the "state" param used in OAuth2 with spring security.
DefaultStateKeyGenerator just returns a random 6 character string.
AuthorizationCodeAccessTokenProvider has a setStateKeyGenerator but I'm not sure how to get an instance to call the setter.
I find it strange that StateKeyGenerator takes an OAuth2ProtectedResourceDetails, but the default implementation just ignores it and there are no details on how to configure your own.
~/repos/jtor > mvn dependency:tree | grep security
[INFO] +- org.springframework.security.oauth:spring-security-oauth2:jar:2.0.14.RELEASE:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO] | +- org.springframework.security:spring-security-config:jar:4.2.3.RELEASE:compile
[INFO] | +- org.springframework.security:spring-security-web:jar:4.2.3.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-jwt:jar:1.0.8.RELEASE:compile
[INFO] \- org.springframework.security:spring-security-test:jar:4.2.3.RELEASE:test
Recommended answer
Depending on your usage, you can implement your own StateKeyGenerator then configure beans to use it. You're free to use the resource if it's relevant to your use case but it's ok to ignore it!
Here's a possible configuration:
    // CustomStateKeyGenerator is your own implementation of StateKeyGenerator.
    @Bean
    public StateKeyGenerator stateKeyGenerator() {
        return new CustomStateKeyGenerator();
    }

    // Build the provider yourself so the setter can be called on it.
    @Bean
    public AccessTokenProvider accessTokenProvider() {
        AuthorizationCodeAccessTokenProvider accessTokenProvider = new AuthorizationCodeAccessTokenProvider();
        accessTokenProvider.setStateKeyGenerator(stateKeyGenerator());
        return accessTokenProvider;
    }

    // myResource() and accessTokenRequest are defined elsewhere in the configuration class.
    @Bean
    @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
    public OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(myResource(), new DefaultOAuth2ClientContext(accessTokenRequest));
        restTemplate.setAccessTokenProvider(accessTokenProvider());
        return restTemplate;
    }
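
The configuration above refers to a CustomStateKeyGenerator without showing it. One possible implementation follows as an added example; it is not part of the original answer or of Spring Security OAuth. It assumes Java 8 or later, and the 32-byte length and the resource-id prefix are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.security.oauth2.client.filter.state.StateKeyGenerator;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;

/**
 * Example StateKeyGenerator: a 256-bit, URL-safe random "state" value,
 * optionally prefixed with the id of the resource it was issued for.
 */
public class CustomStateKeyGenerator implements StateKeyGenerator {

    // 32 random bytes = 256 bits; an assumed length for this example.
    private static final int STATE_BYTES = 32;

    // SecureRandom is thread-safe, so one instance can serve all requests.
    private final SecureRandom random = new SecureRandom();

    // Base64url without padding needs no further escaping in a query string.
    private final Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();

    @Override
    public String generateKey(OAuth2ProtectedResourceDetails resource) {
        byte[] nonce = new byte[STATE_BYTES];
        random.nextBytes(nonce);
        String state = encoder.encodeToString(nonce);

        // Optional use of the resource argument: tag the state with the
        // resource id so the callback can be correlated to a client
        // registration in logs. The id is encoded so the result stays
        // URL-safe. Drop this branch if the id should not be visible
        // to the authorization server or the browser.
        String id = (resource == null) ? null : resource.getId();
        if (id != null && !id.isEmpty()) {
            String tag = encoder.encodeToString(id.getBytes(StandardCharsets.UTF_8));
            return tag + "." + state;
        }
        return state;
    }
}
```

The unpredictability of the value comes only from the random part; the prefix is a label and carries no security weight.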