Spring OAuth2: explain Authorization Server configuration

I am trying to implement OAuth security and have run into a problem: the configuration classes are not clear to me.

When implementing AuthorizationServerConfigurer, I have three configurers:

When it comes to AuthorizationServerSecurityConfigurer and AuthorizationServerEndpointsConfigurer, I am not sure what they do or how they should be configured. The documentation only says:

AuthorizationServerEndpointsConfigurer: defines the authorization and token endpoints and the token services.

Perhaps someone can explain in simple terms what these two configurers do, or what they are for.

The javadoc of AuthorizationServerConfigurer gives more information than the linked documentation. AuthorizationServerSecurityConfigurer, as the name suggests, configures the security of the authorization server itself. For example, you can override the security of OAuth endpoints such as /oauth/token, provide an access denied handler, or restrict access to SSL. Here is what the documentation says about it:

Configure the security of the Authorization Server, which means in practical terms the /oauth/token endpoint. The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a basic server up and running.

As for AuthorizationServerEndpointsConfigurer:

Configure the non-security features of the Authorization Server endpoints, like token store, token customizations, user approvals and grant types. You shouldn't need to do anything by default, unless you need password grants, in which case you need to provide an AuthenticationManager.

Here is an example from one of my projects:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
            .authenticationManager(authenticationManager) // required for the password grant
            .tokenStore(jwtTokenStore())                  // JwtTokenStore bean defined elsewhere
            .tokenEnhancer(tokenEnhancer());              // TokenEnhancer bean defined elsewhere
}

Here I provide a JwtTokenStore as my TokenStore, and an AuthenticationManager because I am using the password grant.

I am using spring-security-oauth; there is a useful document that may help you:

projects.spring.io/spring-security-oauth/docs/oauth2.html
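Added example, not the answerer's code: a complete AuthorizationServerConfigurerAdapter that fills in all three configure methods, so the division of labour between the security configurer (who may call the server's own endpoints and how), the client details configurer (which clients exist) and the endpoints configurer (grant wiring, token store and token format) is visible side by side. The client id, client secret and JWT signing key are placeholders, and the AuthenticationManager and PasswordEncoder beans are assumed to be defined in your web security configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    private final AuthenticationManager authenticationManager; // assumed bean from web security config
    private final PasswordEncoder passwordEncoder;             // assumed bean from web security config
    public AuthorizationServerConfig(AuthenticationManager am, PasswordEncoder pe) {
        this.authenticationManager = am; this.passwordEncoder = pe;
    }
    // 1. Security of the server's own endpoints: /oauth/token, /oauth/check_token, /oauth/token_key
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(passwordEncoder)      // how client secrets are verified at /oauth/token
                .tokenKeyAccess("permitAll()")         // JWT verification key may be fetched anonymously
                .checkTokenAccess("isAuthenticated()") // only authenticated clients may introspect tokens
                .sslOnly();                            // refuse plain-HTTP requests to these endpoints
    }
    // 2. Which clients may request tokens, with which grants and scopes
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("example-client")         // placeholder client id
                .secret(passwordEncoder.encode("CHANGE-ME"))     // placeholder secret, stored encoded
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read").accessTokenValiditySeconds(900); // short-lived access tokens
    }
    // 3. Non-security endpoint features: grant wiring, token store and token format
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager)  // required by the password grant
                .tokenStore(new JwtTokenStore(accessTokenConverter()))
                .accessTokenConverter(accessTokenConverter());
    }
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("CHANGE-ME-signing-key"); // placeholder; load a real secret or key pair
        return converter;
    }
}
```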