无状态Spring安全性使用

时间:2013-03-30 12:39:42

标签: web-services spring-security access-token stateless

我需要关于无状态 Spring Security 的帮助。我编写了一个对用户进行授权的服务，我的 security.xml 如下：

<!--
  With create-session="stateless" Spring Security does not keep the SecurityContext in an HttpSession,
  so the result of the login filter is forgotten once that request ends. Every later request has to
  carry its own credentials, or a token that a filter in this chain can turn into an Authentication;
  otherwise the request falls to the isAuthenticated() rule and the entry point answers 401, which is
  the symptom described in the question text below.
-->
<http use-expressions="true" create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">        
    <!-- rule order matters: the first matching pattern wins, so the permitAll rule must stay above /** -->
    <intercept-url pattern="/auth/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />      
    <!-- takes the slot of the default form-login filter; the bean is defined below -->
    <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>                         
</http> 

<!--
  Username/password login filter placed at FORM_LOGIN_FILTER. Only the authenticationManager is set, so the
  filter's default processing URL and success/failure handling apply. In the stateless chain above a
  successful login is only valid for the request that carried the credentials.
  NOTE(review): a token based design would issue a token from this filter's success handler and add a
  second filter that validates that token on subsequent requests; neither exists in this snippet.
-->
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
      <beans:property name="authenticationManager" ref="authenticationManager"/>    
</beans:bean>

<!--
  Authentication manager backed by the userDetailsService bean (defined elsewhere, not on this page).
  NOTE(review): no password-encoder child is declared, so the submitted password is compared to the stored
  value as-is; if the user store holds hashed passwords, declare the matching encoder inside
  authentication-provider.
-->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService" /> 
</authentication-manager>

它是无状态的，这就是为什么在我完成身份验证之后，当我想通过另一个 URL 获取任何内容时，它都返回 401 未经授权。我听说过令牌（token），但我不知道该如何实现。

1 个答案:

答案 0 :(得分:0)

你好，

这就是我在类似场景中所做的:

使用了 OAuth - http://oauth.net/

有多个库实现了 OAuth 规范：

http://tools.ietf.org/html/rfc6749

Spring 有一个易于配置的实现，并提供了两个示例应用程序（服务器和客户端）。教程可在以下网址获得：

https://github.com/SpringSource/spring-security-oauth/wiki/tutorial

示例工作配置:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample OAuth2 provider configuration on the Spring Security 3.1 / spring-security-oauth2 1.0 schemas.
  Two stateless filter chains are defined: a resource server for /test/customer/** that checks bearer
  tokens, and the /oauth/token endpoint that issues them. Bean ids shared across the file are
  authenticationManager, tokenServices, tokenStore, clientDetailsService, oauthAuthenticationEntryPoint,
  oauth2AccessDeniedHandler and accessDecisionManager.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xmlns:ss="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/security/oauth2 
        http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/jdbc 
        http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
        http://www.springframework.org/schema/tx 
        http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
        http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/util 
        http://www.springframework.org/schema/util/spring-util.xsd
        ">

    <!--
      Resource-server chain. resourceServerFilter runs ahead of PRE_AUTH_FILTER and resolves the bearer token
      through tokenServices; anonymous is disabled, so a missing or invalid token ends at the entry point (401).
      Only /test/customer/welcome* carries an access rule.
      NOTE(review): other paths under /test/customer/** have no matching intercept-url and so get no
      authorization decision from this chain; add a catch-all rule (pattern="/test/customer/**") if every
      path is meant to require a token. Chain order matters: the first ss:http whose pattern matches wins.
    -->
    <ss:http pattern="/test/customer/**" create-session="stateless"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
        <ss:anonymous enabled="false" />
        <ss:intercept-url pattern="/test/customer/welcome*"
            access="ROLE_USER" />
        <ss:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <ss:access-denied-handler ref="oauth2AccessDeniedHandler" />
    </ss:http>

    <!--
      Token-endpoint chain. clientCredentialsTokenEndpointFilter authenticates the calling client from the
      client_id / client_secret request parameters before the endpoint itself runs. Client credentials,
      user passwords (password grant) and issued tokens all travel in these requests, so this endpoint and
      the resource server must only be reachable over TLS, e.g. requires-channel="https" on the
      intercept-url or enforced at the reverse proxy.
    -->
    <ss:http pattern="/oauth/token" create-session="stateless"
        entry-point-ref="oauthAuthenticationEntryPoint"
        authentication-manager-ref="authenticationManager">
        <ss:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <ss:anonymous enabled="false" />
        <ss:custom-filter ref="clientCredentialsTokenEndpointFilter"
            before="BASIC_AUTH_FILTER" />
        <ss:access-denied-handler ref="oauth2AccessDeniedHandler" />
    </ss:http>

    <!--
      Single authentication manager, referenced by the token-endpoint chain and by
      clientCredentialsTokenEndpointFilter, backed only by the custom provider below.
    -->
    <ss:authentication-manager alias="authenticationManager">
        <ss:authentication-provider ref="myAuthenticationProvider" />
    </ss:authentication-manager>

    <!-- filter that validates bearer tokens for the resource-server chain above -->
    <oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices" />

    <!--
      Project-specific provider (source not shown on this page). Because it is the only provider behind
      authenticationManager, it must accept both user logins and the client_id / client_secret
      authentications raised by clientCredentialsTokenEndpointFilter.
    -->
    <bean id="myAuthenticationProvider" class="com.sachin.test.ws.user.MyUserAuthenticationProvider" />

    <!-- answers unauthenticated requests with a 401 and a WWW-Authenticate challenge for this realm -->
    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="myCustomerAppRealm" />
    </bean>

    <!--
      Adapter exposing registered clients as UserDetails.
      NOTE(review): nothing in this file references clientDetailsUserService; in the Spring OAuth samples it
      backs a dedicated client authentication manager. As written it is unused and client authentication
      is handled by myAuthenticationProvider instead.
    -->
    <bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetailsService" />
    </bean>

    <!--
      Authorization server with every grant type enabled. For a real deployment enable only the grants the
      registered clients actually use; each extra grant is extra surface at /oauth/token.
    -->
    <oauth:authorization-server
        client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>


    <!--
      In-memory client registry with one demo client.
      NOTE(review): the client has no secret attribute, is allowed all grant types, all scopes and
      ROLE_TRUSTED_CLIENT at once; restrict grants and scopes per client and give confidential clients a
      secret before use outside a demo. access-token-validity is in seconds, so with 60 the clients will
      depend on the refresh-token grant enabled above.
    -->
    <oauth:client-details-service id="clientDetailsService">
        <oauth:client client-id="admin"
            authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
            authorities="ROLE_USER, ROLE_TRUSTED_CLIENT" scope="read,write,trust"
            access-token-validity="60" />
    </oauth:client-details-service>

    <!-- plain 403 handling for authenticated requests that fail authorization -->
    <bean id="oauth2AccessDeniedHandler"
        class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />

    <!-- reads client_id / client_secret from the /oauth/token request and authenticates them -->
    <bean id="clientCredentialsTokenEndpointFilter"
        class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!--
      UnanimousBased: every voter that does not abstain must approve. ScopeVoter enforces scope attributes,
      RoleVoter the ROLE_ attributes, AuthenticatedVoter the IS_AUTHENTICATED_ attributes used above.
    -->
    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
        xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <!--
      Tokens live only in this JVM: they are lost on restart and not visible to other instances. For the
      multi-server setup mentioned in the answer text, replace this with a database-backed store such as
      JdbcTokenStore.
    -->
    <bean id="tokenStore"
        class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

    <!--
      Issues and validates tokens against tokenStore; refresh tokens are enabled so the 60 s access tokens
      above can be renewed without re-sending user credentials.
    -->
    <bean id="tokenServices"
        class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
    </bean>

</beans>

将此添加到web.xml:

<!--
  Routes every request (/*) through Spring Security's filter chain. DelegatingFilterProxy delegates to the
  Spring bean with the same name as the filter, so filter-name must remain "springSecurityFilterChain",
  the bean the security namespace registers for the ss:http definitions.
-->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

您需要阅读 OAuth 规范和 Spring Security 的文档才能理解我所做的事情。您可以扩展这段代码，使用您的数据库在多个服务器之间进行身份验证和令牌共享。

希望这有帮助。