Spring OAuth中UsernameNotFoundException和BadCredentialsException的處理程序

Question

我正在嘗試為密碼授予oauth流（Spring-Outh）的UsernameNotFoundException和BadCredentialsException設置處理程序。 處理程序的用途是，只要拋出這些異常中的任何一個，就在DB中增加一個計數器。

我不確定此處理程序需要在什么時候設置。

 <http pattern="/oauth/token" create-session="stateless"   authentication-manager-ref="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="ROLE_USER"  />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"  />

    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />

    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>


<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
    separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
<http pattern="/public/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/public/registration" access="ROLE_USER,SCOPE_READ"  />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<http use-expressions="true" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint">
    <intercept-url pattern="/public/registration/activation/**" access="permitAll" />
</http>

<authentication-manager alias="authenticationManager"  xmlns="http://www.springframework.org/schema/security">
    <sec:authentication-provider user-service-ref="clientDetailsUserService" />
    <sec:authentication-provider ref="daoProvider">
    </sec:authentication-provider>
</authentication-manager>


<beans:bean id="customUserDetailService" class="com.cointraders.api.services.UserDetailsServiceImpl" />


<beans:bean id="daoProvider" class="com.cointraders.api.daoauthproviders.CustomDaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="customUserDetailService"/>
    <beans:property name="passwordEncoder" ref="passwordEncoder" />
</beans:bean>

<beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
    <beans:constructor-arg ref="dataSource" />
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>   

<oauth:authorization-server  client-details-service-ref="clientDetails" token-services-ref="tokenServices">
    <oauth:refresh-token />
    <oauth:client-credentials/>
    <oauth:custom-grant token-granter-ref="randomTokenGrant" />
</oauth:authorization-server>

Answer 1

AuthenticationManager是一個非常簡單的界面。 我認為沒有人需要幫助來實現這一目標。 授權服務器配置DSL具有明確的位置，您可以在其中插入AuthenticationManager （例如Java中的AuthorizationServerEndpointsConfigurer ，例如此處： https : //github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/ jdbc / src / main / java / demo / Application.java ）。