堆栈内存溢出
  繁体   English   中英

Spring oauth2 基本认证

[英]Spring oauth2 basic authentication

 原文  2018-03-26 17:50:18       spring/ spring-mvc/ authentication/ spring-security/ oauth-2.0

问题描述

我正在尝试使用 OAuth2 实现开发具有 spring 安全性的 rest api。 但是如何删除基本身份验证。 我只想将用户名和密码发送到 body 并在邮递员上获取令牌。

@Configuration
public class OAuthServerConfigration {

private static final String SERVER_RESOURCE_ID = "oauth2-server";

private static InMemoryTokenStore tokenStore = new InMemoryTokenStore();


@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(SERVER_RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
         http.anonymous().disable().requestMatchers().antMatchers("/api/**").and().authorizeRequests().antMatchers("/api/**").access("#oauth2.hasScope('read')");
    }
}

@Configuration
@EnableAuthorizationServer
protected static class AuthConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore).approvalStoreDisabled();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")
            .secret("$2a$10$5OkeCLKNs/BkdO0qcYRri.MdIcKhFvElAllhPgLfRQqG7wkEiPmq2")
                .authorizedGrantTypes("password","authorization_code","refresh_token")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
              .scopes("read", "write", "trust")
                .resourceIds(SERVER_RESOURCE_ID)
                  //.accessTokenValiditySeconds(ONE_DAY)
                  .accessTokenValiditySeconds(300)
                  .refreshTokenValiditySeconds(50);

    }


    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        oauthServer
                // we're allowing access to the token only for clients with 'ROLE_TRUSTED_CLIENT' authority
                .tokenKeyAccess("hasAuthority('ROLE_TRUSTED_CLIENT')")
                .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");

    }

 }

}

@Configuration
@Order(2)
public static class ApiLoginConfig extends 
WebSecurityConfigurerAdapter{   
    @Autowired
    DataSource dataSource;

    @Autowired
    ClientDetailsService clientDetailsService;


    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/oauth/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.httpBasic().disable().csrf().disable().antMatcher("/oauth/token").authorizeRequests().anyRequest().permitAll();


    }
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

想要删除基本身份验证并在邮递员的正文标签中发送用户名密码以获取令牌

我遇到了一些问题 { "error": "unauthorized", "error_description": "没有客户端身份验证。尝试添加适当的身份验证过滤器。" }

1 个解决方案

解决方案1
 5 已采纳  2018-03-26 18:46:51

在方法中的@EnableAuthorizationServer配置类中:-

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)

尝试添加以下内容:-

oauthServer.allowFormAuthenticationForClients()

完成后,您将不得不调用 oauth get token url,如下所示:-

URL 将与 http(s)://{HOST_NAME}/oauth/token 相同

HTTP 方法类型现在将是POST

标题:-

Content-Type=application/x-www-form-urlencoded

参数将是 postman 正文中 x-www-form-urlencoded 中的键值对

对于 client_credentials grant_type:-

grant_type=client_credentials
client_id=client_id_value
client_secret=client_secret_value
scope=scopes

对于密码 grant_type:-

grant_type=password
client_id=client_id_value
client_secret=client_secret_value
scope=scopes
username=username
password=password

范围将在此处以逗号分隔

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 结合 OAuth2 与 http 基本认证 spring 安全 Spring 使用令牌进行 OAuth2 身份验证 在Webflux Spring中使用OAuth2进行身份验证 OAuth2客户端身份验证Spring 基本身份验证过滤器和身份验证入口点实际上并未使用spring oauth2令牌请求 通过Spring Security oauth2执行认证 Spring oauth2和摘要身份验证将一起工作 Spring引导oauth2管理httpbasic认证 Spring Security OAuth2-存储的身份验证对象 身份验证在spring boot 1.5.2和Oauth2中不起作用
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM