[英]Spring Security OAuth2 revoke token does not work
我的Spring Boot应用程序中有以下配置:
@Configuration
public class SecurityConfig {
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService userDetailsService;
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
@Configuration
@EnableAuthorizationServer
public static class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private MyUserDetailsService userDetailsService;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
@Qualifier("myOauth2ClientDetailsService")
private ClientDetailsService clientDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetailsService);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// set custom exception translator
endpoints.exceptionTranslator(e -> {
if (e instanceof OAuth2Exception) {
OAuth2Exception exception = (OAuth2Exception) e;
return ResponseEntity
.status(exception.getHttpErrorCode())
.body(new MyWLoginException(exception.getMessage()));
} else {
throw e;
}
});
// other settings
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));
endpoints.authenticationManager(authenticationManager).userDetailsService(userDetailsService).tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("123");
return converter;
}
@Bean
public TokenEnhancer tokenEnhancer() {
return new MyTokenEnhancer();
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(-10)
public static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.addFilterAfter(new AuditorFilter(), BasicAuthenticationFilter.class)
.headers().frameOptions().disable()
.and().csrf().disable()
.authorizeRequests()
.antMatchers("/img/**").permitAll()
.anyRequest().authenticated();
}
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.tokenServices(tokenServices());
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
DefaultAccessTokenConverter defaultAccessTokenConverter = new DefaultAccessTokenConverter();
defaultAccessTokenConverter.setUserTokenConverter(userAuthenticationConverter());
converter.setAccessTokenConverter(defaultAccessTokenConverter);
converter.setSigningKey("123");
return converter;
}
@Bean
public UserAuthenticationConverter userAuthenticationConverter() {
return new MyUserAuthenticationConverter();
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
}
}
另外,我有一个特殊的端点来撤消令牌,该令牌通过以下方法处理请求:
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthorizationServerTokenServices authorizationServerTokenServices;
@Autowired
private ResourceServerTokenServices resourceServerTokenServices;
...
final String tokenValue = ((OAuth2AuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails()).getTokenValue();
final OAuth2AccessToken token = tokenStore.readAccessToken(tokenValue);
tokenStore.removeAccessToken(token);
boolean authRemoved = ((DefaultTokenServices) authorizationServerTokenServices).revokeToken(tokenValue); // <- true
boolean resourceRemoved = ((DefaultTokenServices) resourceServerTokenServices).revokeToken(tokenValue); // <- true
SecurityContextHolder.getContext().setAuthentication(null);
没有任何错误。 我看到令牌服务返回true
(已删除)。 但是,当我使用旧的访问令牌调用任何终结点时,它就像该令牌仍然存在一样工作。 但是我从身份验证服务器和资源服务器上都删除了令牌。 如何解决这个问题?
令牌吊销无法使用JWT进行,因为它所嵌入的令牌已过期。 授权服务器发出后将不会捕获有关令牌的任何信息。 因此,也许您应该尝试在授权服务器中使用JdbcTokenStore将令牌保存在数据库中,然后根据需要将其吊销(或者也可以将其保存在内存中)。 如果您的应用程序分开,则可以使用RemoteTokenServices来验证令牌。
这是一个教程,向您展示如何完成此操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.