spring security oauth2 disable jsessionid based session

spring security oauth2 disable jsessionid based session

我没有发表评论的名誉,否则这个 post 描述的是完全相同的问题。

我已经在 spring 4 应用程序中成功实施了 spring security oauth2 2.0.5。一切正常,我可以生成令牌并且 api 请求已正确验证。但问题是,一旦 api 在基于浏览器的应用程序中使用访问令牌进行身份验证,后续调用就不需要访问令牌,因为 - 似乎 spring 安全依赖于 sessionid 来识别和验证用户。 - 即使在访问令牌过期后,调用似乎仍有效。

所以看起来 spring 仅在第一次调用时依赖访问令牌,然后它依赖 cookie/jsessionid。我尝试通过以下方式禁用该行为(从 sparclr2 学习)-

Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable();
        //oauth2 recommends that oauth token url should be only available to authorized clients
        http.requestMatchers().antMatchers("/oauth/token").and().authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic().authenticationEntryPoint(oAuth2AuthenticationEntryPoint()).and()
                .addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler);

    }

但这无济于事。在日志中我可以看到 -

Trying to match using Ant [pattern='/oauth/token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token' Trying to match using Ant [pattern='/oauth/token_key'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token_key' Trying to match using Ant [pattern='/oauth/check_token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/check_token' No matches found Trying to match using Ant [pattern='/v1.0/'] Checking match of request : '/v1.0/printconfig/'; against '/v1.0/' matched /v1.0/printconfig/ at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' /v1.0/printconfig/ at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@bd392350: Authentication: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER' /v1.0/printconfig/ at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter' Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6044b89b /v1.0/printconfig/ at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter' Checking match of request : '/v1.0/printconfig/'; against '/logout' /v1.0/printconfig/ at position 5 of 10 in additional filter chain; firing Filter: > 'OAuth2AuthenticationProcessingFilter' Token not found in headers. Trying request parameters. Token not found in request parameters. Not an OAuth2 request. No token in request, will continue chain. /v1.0/printconfig/ at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' /v1.0/printconfig/ at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' /v1.0/printconfig/ at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter' /v1.0/printconfig/ at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' /v1.0/printconfig/ at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' Checking match of request : '/v1.0/printconfig/'; against '/v1.0/**' Secure object: FilterInvocation: URL: /v1.0/printconfig/; Attributes: [#oauth2.throwOnError(hasRole('ROLE_USER'))] Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f574bdc, returned: 1 Authorization successful RunAsManager did not change Authentication object /v1.0/printconfig/ reached end of additional filter chain; proceeding with original chain Chain processed normally SecurityContextHolder now cleared, as request processing completed

如您所见,oauth 令牌 headers 不存在,但仍然有一个不同的过滤器识别 session。我很想禁用 sessionId 本身,但只禁用 spring 对用户本身的身份验证就可以了。我希望访问令牌成为传入请求的唯一标识符。

在我看来 /v1.0/printconfig/OAuth2AuthenticationProcessingFilter 背后的 OAuth2 保护资源,而您的客户端发送的是 cookie 而不是令牌?如果这是正确的,那么 2.0.5 中的默认行为就是您所看到的(接受 cookie,并让您在自己的配置中控制访问规则)。默认值在 2.0.6 中更改(除非明确配置资源服务器,否则 cookie 将不起作用:https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java#L94)。