我在我的应用程序中使用 Spring Security OAuth2 进行身份验证，它是无状态的。下面是 Spring 配置文件的代码片段：
我也在所有 JSP 中使用了 `<%@ page session="false" %>`。
<!-- Filter chain for the token endpoint only (pattern "/oauth/token"). Clients
     authenticate with HTTP Basic against clientAuthenticationManager and no
     HTTP session is created for them (create-session="stateless"). -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- IS_AUTHENTICATED_FULLY: anonymous and remember-me principals are rejected,
     so only a client that presented credentials on this request may obtain a token. -->
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<!-- With no anonymous principal, an unauthenticated request is handed to the
     entry point below instead of being treated as access denied. -->
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
     parameters (client_id / client_secret sent in the request instead of an
     Authorization header). Credentials in request parameters are easier to leak
     through access logs and proxies than HTTP Basic; leave the filter out unless a
     client genuinely cannot send an Authorization header. -->
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
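<!-- Default filter chain for everything not matched by the "/oauth/token" chain
     above (chains are tried in document order, so "/oauth/token" never reaches
     this one even though "/oauth/**" is listed here).
     NOTE(review): auto-config="true" also switches on http-basic with Spring's
     defaults for this chain, in addition to the form-login and logout elements
     declared explicitly below; drop auto-config if HTTP Basic is not intended for
     browser users, and confirm the behaviour against the Spring Security version
     in use.
     NOTE(review): create-session="stateless" combined with form-login means the
     authenticated principal is not kept between requests by Spring Security; the
     authorization-code flow below depends on the user staying authenticated across
     the redirect, which is exactly what a stateless chain does not provide. -->
<http auto-config="true" create-session="stateless">
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/welcome*" access="ROLE_USER" />
<intercept-url pattern="/test" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed"
authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<!-- logout-success-url is where the browser is sent after logout. Confirm it does
     not coincide with the chain's logout-url (the default differs between Spring
     Security versions), otherwise logout redirects to itself. -->
<logout logout-success-url="/logout" />
<custom-filter ref="preAuthFilter" after="PRE_AUTH_FILTER" />
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>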
此外，我创建了自己的授权端点（/authorizeTest），因为 OAuth2 提供的授权端点（/oauth/authorize）会把 AuthorizationRequest 作为会话属性保存。以下是 CustomAuthorizationEndpoint 的代码片段：
<!-- Custom authorization endpoint; per the description it replaces /oauth/authorize
     so that the AuthorizationRequest is not stored in the HTTP session.
     NOTE(review): authorization codes are issued through "inMemoryAuthorizationCodeServices"
     here, while authorizationCodeTokenGranter (below) reads codes from
     "authorizationCodeServices", which is a JdbcAuthorizationCodeServices. Unless both
     ids resolve to the same store, a code issued by this endpoint cannot be found when
     it is exchanged at /oauth/token; verify which store is intended and use it in both
     places. The bean "inMemoryAuthorizationCodeServices" is not defined in this snippet. -->
<beans:bean id="customAuthorizationEndpoint"
class="com.mkyong.common.controller.CustomAuthorizationEndpoint">
<beans:property name="tokenGranter" ref="authorizationCodeTokenGranter" />
<beans:property name="clientDetailsService" ref="clientDetails" />
<beans:property name="oAuth2RequestFactory" ref="customOAuth2RequestFactory" />
<beans:property name="authorizationCodeServices"
ref="inMemoryAuthorizationCodeServices" />
<!-- Purpose of the dataSource on the endpoint itself is not visible here; presumably
     used by the custom class directly. Confirm against CustomAuthorizationEndpoint. -->
<beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<!-- Granter for grant_type=authorization_code. Constructor arguments, in order:
     0 tokenServices, 1 authorizationCodeServices (the JDBC store defined below),
     2 clientDetails, 3 the custom OAuth2RequestFactory. The code store given here
     must be the same one the authorization endpoint writes to. -->
<beans:bean id="authorizationCodeTokenGranter"
class="org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter">
<beans:constructor-arg index="0" ref="tokenServices" />
<beans:constructor-arg index="1"
ref="authorizationCodeServices" />
<beans:constructor-arg index="2" ref="clientDetails" />
<beans:constructor-arg index="3"
ref="customOAuth2RequestFactory" />
</beans:bean>
<!-- Custom OAuth2RequestFactory, constructed from clientDetails and given a dataSource
     and the customAuthorizationRequest bean; shared by the endpoint and the granter so
     both build requests the same way. -->
<beans:bean id="customOAuth2RequestFactory"
class="com.mkyong.common.controller.CustomOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetails" />
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="customAuthorizationRequest" ref="customAuthorizationRequest" />
</beans:bean>
<!-- No-argument bean injected into customOAuth2RequestFactory. NOTE(review): a
     singleton-scoped bean holding per-request authorization state would be shared by
     all users; confirm the scope and that the class keeps no mutable request data. -->
<beans:bean id="customAuthorizationRequest"
class="com.mkyong.common.controller.CustomAuthorizationRequest">
</beans:bean>
<!-- JDBC-backed authorization code store on dataSource; this is the id the token
     granter consumes codes from. -->
<beans:bean id="authorizationCodeServices"
class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
但会话仍然处于活动状态（仍然会被创建）。
答案 0（得分：2）
使用 `create-session="stateless"` 意味着您告诉 Spring Security 不要为用户创建会话，也不要存储身份验证信息。但这并不能阻止其他库（OAuth 是一个单独的项目）在它们认为需要时自行创建会话。
我真的不明白为什么你把应用程序标记为无状态，因为你正在使用像登录这样的功能。如果不允许创建会话，授权码流程要如何工作？授权请求如何被重定向，服务器在重定向回来时又如何知道用户已经通过身份验证？身份验证信息会丢失，因为没有会话可以把它绑定在上面。