Spring Security OAuth2 simple configuration


Problem description


I have a simple project that requires the simple following configuration :


  • I have a password grant_type, meaning I can submit a username/password (entered by the user in my login form) and, on success, get an access_token.

  • With that access_token, I can call the API and get the user's information.


I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.

I could see it like this:

  • Do a simple HTTP request, giving *client_id* , *client_secret* , *grant_type=password* , username and password (that the user provided).
  • I receive an *ACCESS_TOKEN* (and some other stuff) in a JSON response.
  • I use the *ACCESS_TOKEN* to query a URL (using simple GET request), that will give the user's information.
  • I set the information in HttpSession and consider the user as logged in.


It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.


Can you think of what "simple" config I need to make to have this done?

Recommended answer


Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you?

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
// OAuth2AuthorizationServerConfigurerAdapter and InMemoryClientDetailsServiceConfigurer belong to the
// Spring Security OAuth 2.0 snapshot the answer refers to; their packages are not given on the page.

@ComponentScan
@EnableAutoConfiguration
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Authorization server configuration: registers two in-memory clients.
    @Configuration
    @Order(Ordered.LOWEST_PRECEDENCE - 100)
    protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // @formatter:off
            auth.apply(new InMemoryClientDetailsServiceConfigurer())
                // Client allowed to use the password grant (among others); its tokens live 60 seconds
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
            .and()
                // Confidential client limited to client_credentials and the "read" scope
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .secret("secret");
            // @formatter:on
        }

    }

}


That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). P.S. this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).


N.B. This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code.
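Added example, not part of the question or the answer: a small Python model of the two-request password-grant exchange the question describes, enforcing the policy that the answer's client registration expresses (which client may use which grant type, which scopes it may ask for, a 60-second token lifetime for my-trusted-client, and a client secret for my-client-with-secret). The user store, the user-info response shape, the token lifetime for my-client-with-secret and the login() helper are assumptions made for the example; everything runs in-process with constructed input rather than over HTTP.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registry mirroring the two clients in the answer's configuration.
CLIENTS = {
    "my-trusted-client": {
        "secret": None,  # the answer registers this client without a secret
        "grant_types": {"password", "authorization_code", "refresh_token", "implicit"},
        "scopes": {"read", "write", "trust"},
        "token_validity": 60,  # accessTokenValiditySeconds(60)
    },
    "my-client-with-secret": {
        "secret": "secret",
        "grant_types": {"client_credentials"},
        "scopes": {"read"},
        "token_validity": 3600,  # assumed: the answer sets no validity for this client
    },
}

# Constructed resource-owner store (hypothetical user).
USERS = {"alice": {"password": "wonderland", "name": "Alice Example"}}

# Issued tokens: access_token -> {"user", "scope", "expires_at"}
TOKENS = {}


def _matches(expected, given):
    """Constant-time comparison; 'no secret registered' only matches 'no secret sent'."""
    if expected is None or given is None:
        return expected is None and given is None
    return hmac.compare_digest(expected.encode(), given.encode())


def token_endpoint(body, now=None):
    """Handle a form-encoded POST to the token endpoint. Returns (status, json_dict)."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client = CLIENTS.get(form.get("client_id"))
    if client is None or not _matches(client["secret"], form.get("client_secret")):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}  # e.g. password grant by my-client-with-secret
    if grant != "password":
        return 400, {"error": "unsupported_grant_type"}  # only the password grant is modelled here
    user = USERS.get(form.get("username"))
    if user is None or not _matches(user["password"], form.get("password")):
        return 400, {"error": "invalid_grant"}
    scope = set(form.get("scope", " ".join(client["scopes"])).split())
    if not scope <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": form["username"], "scope": scope,
                     "expires_at": now + client["token_validity"]}
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": client["token_validity"], "scope": " ".join(sorted(scope))}


def userinfo_endpoint(authorization_header, now=None):
    """Handle a GET to the (assumed) user-info URL carrying 'Authorization: Bearer <token>'."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    entry = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if entry is None or entry["expires_at"] <= now:
        return 401, {"error": "invalid_token"}  # unknown or expired token
    if "read" not in entry["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"username": entry["user"], "name": USERS[entry["user"]]["name"]}


def login(client_id, client_secret, username, password, now=None):
    """The questioner's two-request flow; returns the session data to store, or None on failure."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if client_secret is not None:
        form["client_secret"] = client_secret
    status, tok = token_endpoint(urlencode(form), now)
    if status != 200:
        return None
    status, info = userinfo_endpoint("Bearer " + tok["access_token"], now)
    if status != 200:
        return None
    return {"user": info, "access_token": tok["access_token"]}
```

Running login("my-trusted-client", None, "alice", "wonderland") yields the session data; the same call with my-client-with-secret is refused with unauthorized_client because the configuration only grants that client client_credentials, and a token issued to my-trusted-client stops being accepted by the user-info endpoint 60 seconds after issue.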
