[英]Spring OAuth2 - Authorization Server - Differentiate users on clients
[英]Spring Authorization Server tries to Authenticate OAuth2 Clients against LDAP
我正在創建授權服務器,但是遇到一個問題,授權服務器嘗試使用密碼Grant_type針對LDAP對我的客戶端進行身份驗證。
但是,我想要的是使用ClientDetailsService對客戶端進行身份驗證,然後再把請求中指定的用戶針對LDAP進行身份驗證。 我不確定為什麼會這樣。 任何幫助將不勝感激。
我不完全確定問題的原因是什麼,只知道@Order(Order.HIGHEST_PRECEDENCE)使此過濾器首先嘗試對所有請求進行身份驗證,因此對令牌端點的請求並未由正確的配置類來驗證。
當我使用有效的oauth2-client憑據訪問OAuth /令牌端點時,會收到未經授權的響應。 但是,當我將客戶端憑據更改為ldap憑據時,會收到無效的客戶端憑據響應。
/**
 * Web-security chain for the LDAP-backed administrative endpoints
 * ({@code /client/**} and {@code /user/**}).
 *
 * NOTE(review): {@code @Order(Ordered.HIGHEST_PRECEDENCE)} together with a
 * {@link #configure(HttpSecurity)} that declares no request matcher makes this
 * chain the first to see every request, including the token endpoint, so token
 * requests are authenticated against LDAP instead of against the client details
 * service — the behaviour described in the question. Restricting the chain with
 * {@code http.requestMatchers()} is the fix shown further down this page.
 */
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    // LDAP connection settings, all externalised to configuration properties.
    @Value("${example.ldap.url}")
    private String ldapUrl;
    @Value("${example.ldap.base}")
    private String ldapBase;
    // Service-account bind credentials used by the context source; they are
    // injected from properties here, so they should never be committed in
    // source form.
    @Value("${example.ldap.username}")
    private String ldapUsername;
    @Value("${example.ldap.password}")
    private String ldapPassword;
    // Injected but not referenced anywhere in the visible configuration: users
    // are located via the search filter in configure(AuthenticationManagerBuilder)
    // rather than via a DN pattern.
    @Value("${example.ldap.userDnPattern}")
    private String[] userDnPattern;

    /**
     * This exposes the web-security AuthenticationManager for use in the
     * OauthConfig. This allows us to do LDAP Authentication against the user being
     * supplied by the client.
     *
     * @return the LDAP-backed AuthenticationManager built by this adapter
     * @throws Exception propagated from the parent adapter
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Exposes the UserDetailsService built by this adapter so the authorization
     * server can inject it into its endpoints configuration.
     *
     * @return the UserDetailsService backing this chain
     * @throws Exception propagated from the parent adapter
     */
    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

    /**
     * Resource assembler for the OAuth2 client endpoints.
     *
     * @return a new assembler instance (application-defined type)
     */
    @Bean
    public OAuth2ClientResourceAssembler oAuth2ClientResourceAssembler() {
        return new OAuth2ClientResourceAssembler();
    }

    /**
     * LDAP context source bound with the configured service account.
     * The bound account presumably needs search rights below {@code ldapBase}
     * — confirm against the directory's ACLs.
     *
     * @return the context source used for user searches
     */
    @Bean
    BaseLdapPathContextSource contextSource() {
        LdapContextSource ldapContextSource = new LdapContextSource();
        ldapContextSource.setUrl(ldapUrl);
        ldapContextSource.setBase(ldapBase);
        ldapContextSource.setUserDn(ldapUsername);
        ldapContextSource.setPassword(ldapPassword);
        return ldapContextSource;
    }

    /**
     * Allow spring to inject dependencies
     *
     * @return the populator that resolves a user's authorities (application-defined type)
     */
    @Bean
    public DaoAuthoritiesPopulator daoAuthoritiesPopulator() {
        return new DaoAuthoritiesPopulator();
    }

    /**
     * LDAP authentication for this chain. Users are found by
     * {@code (samAccountName={0})}; the {@code {0}} placeholder is filled in by
     * the LDAP search API rather than by string concatenation, so the submitted
     * login name is not interpreted as filter syntax. Calling the {@code @Bean}
     * methods directly is fine here because the configuration class is proxied.
     *
     * @param auth the builder for this adapter's AuthenticationManager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication().userDetailsContextMapper(new LdapEntryMapper())
                .ldapAuthoritiesPopulator(daoAuthoritiesPopulator()).userSearchFilter("(samAccountName={0})")
                .contextSource(contextSource());
    }

    /**
     * Allow only users with ADMIN rights to access the client and user endpoint
     *
     * No {@code requestMatchers()} is declared, so with HIGHEST_PRECEDENCE this
     * chain is applied to every request (see the class comment).
     *
     * NOTE(review): CSRF protection is switched off for this chain; that is only
     * appropriate if {@code /client/**} and {@code /user/**} are never called
     * from a browser holding cached HTTP Basic credentials — confirm.
     *
     * @param http the security builder for this chain
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/client/**").hasRole("ADMIN").and().httpBasic();
        http.authorizeRequests().antMatchers("/user/**").hasRole("ADMIN").and().httpBasic();
        http.authorizeRequests().and().csrf().disable();
    }
}
/**
 * Authorization-server configuration. OAuth2 clients are looked up through the
 * application's {@code OAuth2ClientDetailsService}; resource owners (password
 * grant) are authenticated by the AuthenticationManager exposed from the
 * web-security configuration, which in this project is LDAP-backed.
 *
 * NOTE(review): {@code @EnableAuthorizationServer} is not declared on this
 * class; it is assumed to be present elsewhere (e.g. on the application class)
 * — confirm, otherwise these configure methods are never applied.
 */
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    /** Authenticates resource owners for the password grant (LDAP-backed). */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** Supplies user details to the token endpoints. */
    @Autowired
    private UserDetailsService userDetailsService;

    /** Registered OAuth2 clients; the token endpoint authenticates clients against this. */
    @Autowired
    private OAuth2ClientDetailsService oAuth2ClientDetailsService;

    /**
     * Registers the client store.
     *
     * @param clients the client-details configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(oAuth2ClientDetailsService);
    }

    /**
     * Wires the user-facing pieces into the token endpoints; supplying an
     * AuthenticationManager is what enables the password grant.
     *
     * @param endpoints the endpoints configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Each setter returns the configurer itself; written as two statements
        // for readability.
        endpoints.authenticationManager(authenticationManager);
        endpoints.userDetailsService(userDetailsService);
    }
}
/**
 * Resource-server chain: any request not claimed by an earlier chain must be
 * authenticated (on this chain, presumably by bearer access token — confirm).
 *
 * NOTE(review): {@code @EnableResourceServer} is not declared here; it is
 * assumed to be present elsewhere — confirm, otherwise this configurer is not
 * applied.
 */
@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * Deny-by-default: no path on this chain is left anonymous.
     *
     * @param http the security builder for this chain
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
我弄明白了。 我必須修改 WebSecurityConfigurer 類,使用正則表達式匹配器只匹配我要對其應用 LDAP 身份驗證的請求,這樣所有其他請求都會落到其他配置類。
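/**
 * Restricts this (highest-precedence) chain to the administrative endpoints so
 * that every other request — notably the token endpoint — falls through to the
 * authorization-server and resource-server chains.
 *
 * The same Ant patterns are used both to select the chain and in the
 * authorization rules, so the two cannot disagree about which paths are
 * covered: the regex form {@code "/client.+"} also admits paths such as
 * {@code /clientX}, which the rule {@code /client/**} does not protect, and it
 * does not admit {@code /client} itself, which the rule does cover.
 *
 * @param http the security builder for this chain
 * @throws Exception propagated from the HttpSecurity DSL
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    // Which requests enter this chain at all.
    http.requestMatchers().antMatchers("/client/**", "/user/**");
    // Admin-only, HTTP Basic; this adapter's AuthenticationManager is
    // LDAP-backed in the question's configuration.
    http.authorizeRequests().antMatchers("/client/**", "/user/**").hasRole("ADMIN").and().httpBasic();
    // NOTE(review): CSRF is disabled for this chain; appropriate only if these
    // endpoints are never called from a browser holding cached Basic
    // credentials — confirm.
    http.csrf().disable();
}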
開發人員指南中標題為「配置端點 URL」的部分對此進行了說明。