Spring Security - OAuth2 Pass Request Parameter to the AuthenticationProvider
I have created a custom authentication provider, and I need to pass a parameter from the request to that provider.
The point is this request:
/oauth/token?grant_type=password&username=xxx&password=xxx&client_id=xxx&client_secret=xxx&country=my
From the request above I need to capture the country parameter and pass it to the custom authentication provider, which will then authenticate the user based on the username, password and country.
The request above passes through the ClientCredentialsTokenEndpointFilter, but I am unable to set the country value from the request on the authentication object.
<http pattern="/oauth/token" create-session="never"
      authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="fullyAuthenticated" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter"
                   after="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
Please let me know whether this can be achieved by extending any of the security features.
I am using Spring 4.1 and Spring Security 4.0.3.RELEASE.
Thanks, Anwar
You need to create a UsernamePasswordCountryAuthenticationToken.
import java.util.Collection;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;

public class UsernamePasswordCountryAuthenticationToken extends UsernamePasswordAuthenticationToken {

    private final String country;

    // Authenticated token: carries the granted authorities, like the superclass' three-argument constructor.
    // The superclass has no constructor taking a country, so the country is stored here.
    public UsernamePasswordCountryAuthenticationToken(Object principal, Object credentials, String country,
                                                      Collection<? extends GrantedAuthority> authorities) {
        super(principal, credentials, authorities);
        this.country = country;
    }

    // Unauthenticated token, as created by the token granter before the AuthenticationManager runs.
    public UsernamePasswordCountryAuthenticationToken(Object principal, Object credentials, String country) {
        super(principal, credentials);
        this.country = country;
    }

    public String getCountry() {
        return country;
    }
}
and override the ResourceOwnerPasswordTokenGranter:
import java.util.Map;

import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

// Handles grant_type=password; mirrors ResourceOwnerPasswordTokenGranter (spring-security-oauth2 1.0.x API)
// but also reads the "country" request parameter and puts it on the custom token.
public class CustomResourceOwnerPasswordTokenGranter extends AbstractTokenGranter {

    private static final String GRANT_TYPE = "password";

    private final AuthenticationManager authenticationManager;

    public CustomResourceOwnerPasswordTokenGranter(AuthenticationManager authenticationManager,
            AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService) {
        super(tokenServices, clientDetailsService, GRANT_TYPE);
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) {
        Map<String, String> parameters = clientToken.getAuthorizationParameters();
        String username = parameters.get("username");
        String password = parameters.get("password");
        String country = parameters.get("country");

        // Unauthenticated token carrying the extra parameter; the AuthenticationManager
        // dispatches it to the provider whose supports() accepts this token class.
        Authentication userAuth = new UsernamePasswordCountryAuthenticationToken(username, password, country);
        try {
            userAuth = authenticationManager.authenticate(userAuth);
        } catch (AccountStatusException ase) {
            // covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
            throw new InvalidGrantException(ase.getMessage());
        } catch (BadCredentialsException e) {
            // If the username/password are wrong the spec says we should send 400/bad grant
            throw new InvalidGrantException(e.getMessage());
        }
        if (userAuth == null || !userAuth.isAuthenticated()) {
            throw new InvalidGrantException("Could not authenticate user: " + username);
        }

        return new OAuth2Authentication(clientToken, userAuth);
    }
}
Finally, in your Spring Security OAuth configuration file:
<bean id="customResourceOwnerPasswordTokenGranter" class="CustomResourceOwnerPasswordTokenGranter">
    <constructor-arg index="0" ref="authenticationManager"/>
    <constructor-arg index="1" ref="tokenServices"/>
    <constructor-arg index="2" ref="clientDetailsService"/>
</bean>

<oauth:authorization-server ...>
    <oauth:custom-grant token-granter-ref="customResourceOwnerPasswordTokenGranter" />
</oauth:authorization-server>
Now, if you have configured the AuthenticationManager correctly so that it has your custom AuthenticationProvider, you will receive a UsernamePasswordCountryAuthenticationToken instance in the AuthenticationProvider.authenticate(Authentication auth) method, where you can cast auth to UsernamePasswordCountryAuthenticationToken and use it.
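The answer stops at the point where the custom AuthenticationProvider receives the token. The following is an added example, not code from the answer or from Spring Security, of what that provider can look like. It assumes the UsernamePasswordCountryAuthenticationToken class shown above (with constructors that store the country field), a standard UserDetailsService and PasswordEncoder bean (for example BCryptPasswordEncoder), and a hypothetical CountryUserDetails interface, defined here, through which the stored country of an account can be read.

```java
// Added example (not from the original answer): an AuthenticationProvider that consumes
// UsernamePasswordCountryAuthenticationToken and checks username, password and country together.
// Assumptions: a UserDetailsService whose users implement the hypothetical CountryUserDetails
// interface below, and a PasswordEncoder bean for comparing hashed passwords.
import java.util.Locale;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical: a UserDetails that also exposes the country the account belongs to. */
interface CountryUserDetails extends UserDetails {
    String getCountry();
}

public class CountryAwareAuthenticationProvider implements AuthenticationProvider {

    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;

    public CountryAwareAuthenticationProvider(UserDetailsService userDetailsService,
                                              PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // supports() guarantees the ProviderManager only hands us the custom token, so the cast is safe.
        UsernamePasswordCountryAuthenticationToken token =
                (UsernamePasswordCountryAuthenticationToken) authentication;
        String username = token.getName();
        String rawPassword = token.getCredentials() == null ? "" : token.getCredentials().toString();
        String country = token.getCountry();

        // A missing country is rejected with the same generic message as a wrong password.
        if (country == null || country.isEmpty()) {
            throw new BadCredentialsException("Bad credentials");
        }

        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Same message as a wrong password so the response does not reveal which accounts exist.
            throw new BadCredentialsException("Bad credentials");
        }

        // AccountStatusException subclasses: the token granter above maps these to invalid_grant.
        if (!user.isEnabled()) {
            throw new DisabledException("User account is disabled");
        }
        if (!user.isAccountNonLocked()) {
            throw new LockedException("User account is locked");
        }

        // PasswordEncoder.matches compares the raw password against the stored hash.
        boolean passwordOk = passwordEncoder.matches(rawPassword, user.getPassword());

        // Country codes are compared case-insensitively ("my" and "MY" are the same).
        // Both checks run before the decision so a failing password and a failing country
        // produce the same outcome and the same message.
        String storedCountry = user instanceof CountryUserDetails
                ? ((CountryUserDetails) user).getCountry() : null;
        boolean countryOk = storedCountry != null
                && storedCountry.toUpperCase(Locale.ROOT).equals(country.toUpperCase(Locale.ROOT));

        if (!passwordOk || !countryOk) {
            throw new BadCredentialsException("Bad credentials");
        }

        // Fully authenticated token: authorities attached, credentials not carried forward.
        UsernamePasswordCountryAuthenticationToken result =
                new UsernamePasswordCountryAuthenticationToken(user, null, country, user.getAuthorities());
        result.setDetails(token.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only claim the custom token; plain UsernamePasswordAuthenticationToken goes to other providers.
        return UsernamePasswordCountryAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the provider on the authentication manager that the token granter receives (in XML, an authentication-provider element with ref pointing at a bean of this class inside the authentication-manager element). Because supports() only accepts the custom token, a DaoAuthenticationProvider configured alongside it for ordinary form logins is not affected, and because every failure path other than the account-status cases throws the same BadCredentialsException message, a client cannot tell from the invalid_grant response whether the username, the password or the country was the part that failed.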