Spring 安全 OAuth2 授权服务器

Spring Security OAuth2 AuthorizationServer

我正在玩 spring-security-oauth2。我尝试构建一些带有身份验证后端的微服务。

我设置了一个简单的 spring 引导项目,其中包含以下依赖项

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.2.2.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.0.6.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

和一种配置Class

@Configuration
public class SecurityConfiguration {

    @Autowired
    @Qualifier("clientDetailsServiceBean")
    private ClientDetailsService clientDetailsService;

    @Autowired
    @Qualifier("userDetailsServiceBean")
    private UserDetailsService userDetailsService;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true)
    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        @Bean(name = "authenticationManagerBean")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll().and().userDetailsService(userDetailsService).formLogin().and().httpBasic();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore());
        }

        @Bean
        public ApprovalStore approvalStore() throws Exception {
            TokenApprovalStore store = new TokenApprovalStore();
            store.setTokenStore(tokenStore());
            return store;
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(clientDetailsService);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            security.checkTokenAccess("permitAll()");
            security.allowFormAuthenticationForClients();
        }

    }

我对 Client- 和 UserDetailsS​​ervice 的实现非常简单,而且总是returns一个对象

@Service("clientDetailsServiceBean")
public class ClientDetailsServiceBean implements ClientDetailsService {

    private static final Logger LOGGER = LoggerFactory.getLogger(ClientDetailsServiceBean.class);

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
        LOGGER.info("Load client {}", clientId); 
        BaseClientDetails details = new BaseClientDetails();
        details.setClientId(clientId);
        details.setAuthorizedGrantTypes(Arrays.asList("password", "refresh_token", "client_credentials"));
        details.setScope(Arrays.asList("trust"));
        details.setAutoApproveScopes(Arrays.asList("trust"));
        details.setAuthorities(Arrays.asList(new SimpleGrantedAuthority("client_role2")));
        details.setResourceIds(Arrays.asList("clients"));
        details.setClientSecret("secret");

        return details;
    }

}
@Service("userDetailsServiceBean")
public class UserDetailsServiceBean implements UserDetailsService {
    private static final Logger LOGGER = LoggerFactory.getLogger(UserDetailsServiceBean.class);

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        LOGGER.info("Load user {}", username);
        return new User(username, "password", Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")) );
    }
}

但是,当我尝试通过

接收 accessToken 时
curl http://localhost:8081/oauth/token -d grant_type=client_credentials -d client_id=web_client -d client_secret=secret

我收到一个错误 "Full authentication is required to access this resource" 并且当我尝试

curl http://localhost:8081/oauth/token -d grant_type=client_credentials -d client_id=web_client -d client_secret=secret --user web_client:secret

我收到一个错误 "Bad credentials"。从我的角度来看,两者都应该有效,但似乎缺少我的配置。

OAuth 还有一些我不清楚的地方: 我尝试使用 spring-security 和自定义登录表单构建一个 spring-mvc 应用程序。是否可以通过 spring 安全性处理令牌请求和刷新周期而无需重定向到身份验证应用程序?

如果是事件驱动的应用程序,是否可以确保令牌有效?如果失败,用户单击按钮并写入一个事件,但处理将在数小时后进行。我如何使用用户凭据处理事件?

你的内心 @Configuration 类 需要是静态的。令我惊讶的是,该应用程序竟然启动了,可能您的整个 SecurityConfiguration 实际上都没有被使用。

It's possible to handle token request and refresh cycles by spring security without redirect to the authentication app?

当然。您是否阅读过规范中的密码和 refresh_token 授权?但是在网络中 UI 强烈建议您使用授权码授权(通过重定向),以便用户只在受信任的地方输入他的凭据。

the user clicks on button and an event is written but the processing of this will be hours later. How can i process the event with the user credentials?

刷新令牌可能是最好的方法。该事件显然需要安全,因为它必须包含刷新令牌。