
Spring Security OAuth2 simple configuration

I have a simple project that requires the simple following configuration:

  • I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success.
  • With that access_token, I can request an API and get the user's information.

I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE.

I can think of it this way:

  • Do a simple HTTP request, giving *client_id*, *client_secret*, *grant_type=password*, username and password (that the user provided).
  • I receive an *ACCESS_TOKEN* (and some other stuff) in a JSON response.
  • I use the *ACCESS_TOKEN* to query a URL (using a simple GET request), that will give the user's information.
  • I set the information in HttpSession and consider the user as logged in.

It can be done in 2 HTTP requests. I just don't want to do it this way, but using the "safer" way instead with Spring Security OAuth2.

Can you think of what "simple" config I need to make to have this done?

Don't let the sparklr sample confuse you (it does a lot more than you seem to need). Is this simple enough for you?

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
// OAuth2AuthorizationServerConfigurerAdapter and InMemoryClientDetailsServiceConfigurer
// come from the (then unreleased) Spring OAuth 2.0 snapshot; their packages are not given here.

@ComponentScan
@EnableAutoConfiguration
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Configuration
    @Order(Ordered.LOWEST_PRECEDENCE - 100)
    protected static class OAuth2Config extends OAuth2AuthorizationServerConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Two in-memory clients: one trusted client allowed to use the password grant,
            // and one client_credentials client with a secret.
            // @formatter:off
            auth.apply(new InMemoryClientDetailsServiceConfigurer())
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
                .and()
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .secret("secret");
            // @formatter:on
        }

    }

}

That's the auth server. The client is also easy (e.g. the one in the Spring OAuth project). PS this is all Spring OAuth 2.0 stuff (not yet released), but we're working on it (and the 1.0 features with XML config really aren't that much heavier).

NB This kind of defeats the object of OAuth2 (webapp clients are not supposed to collect user credentials). You should consider using grant_type=authorization_code.
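The snippet above targets a pre-release API. As an added example (not from the answer or the Spring project), here is the same single-client, password-grant authorization server written against the released Spring Security OAuth 2.x classes (AuthorizationServerConfigurerAdapter), trimmed to the grants the question needs and with the client secret stored encoded; it assumes an AuthenticationManager bean and a PasswordEncoder bean are defined elsewhere in the application, and the class name and secret value are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class PasswordGrantAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;

    // Assumed beans: the AuthenticationManager that checks the user's username/password
    // (e.g. exposed via WebSecurityConfigurerAdapter#authenticationManagerBean()).
    public PasswordGrantAuthServerConfig(AuthenticationManager authenticationManager,
                                         PasswordEncoder passwordEncoder) {
        this.authenticationManager = authenticationManager;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
                // Only the grant the login form uses, plus refresh_token so a
                // 60-second access token does not force re-entering credentials.
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read")
                // Client secrets are stored encoded, like user passwords (placeholder value).
                .secret(passwordEncoder.encode("client-secret-placeholder"))
                .accessTokenValiditySeconds(60)
                .refreshTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The password grant hands user credentials to /oauth/token, so the token
        // endpoint needs an AuthenticationManager to verify them.
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Accept client_id/client_secret as form parameters (as in the question), not only HTTP Basic.
        security.passwordEncoder(passwordEncoder).allowFormAuthenticationForClients();
    }
}
```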
