带有隐式和密码流的Spring OAuth2

时间:2013-04-16 15:44:05

标签: spring-security oauth-2.0

我正在尝试使用隐式,密码和授权流程来设置Spring OAuth 2的项目。

问题出现在我对隐式流程和另外两个流程使用同一个令牌端点时：密码流程和授权流程需要对客户端进行基本身份验证，而隐式流程不验证客户端密码，我希望对用户授权使用更具体的登录名/密码验证。

因此，根据配置的不同，只有一个或两个流程能正常工作。使用两个端点似乎是最简单的解决方案，但我找不到实现它的方法。

<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Spring Security OAuth2 1.0 authorization-server configuration.
    Grants enabled below: authorization code, implicit, refresh token and password.
    Only the token endpoint (/external/oauth/token) is protected in this file: the
    authorize endpoint (/external/oauth/authorize) is presumably guarded by a
    user-facing <sec:http> chain declared elsewhere, together with the login-form
    entry point (authenticationEntryPoint) and the user authenticationManager that
    this file references but does not define.
    NOTE(review): the implicit grant never calls the token endpoint; it obtains its
    access token directly from the authorize endpoint, so the client-credential
    HTTP Basic chain below does not apply to it and does not need to.
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2" 
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!--
    Earlier attempt, kept for reference: the token endpoint guarded by the
    login-form entry point (user authentication). Superseded by the HTTP Basic
    client-authentication chain that follows.
-->
<!--
    <sec:http pattern="/external/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
        xmlns="http://www.springframework.org/schema/security" entry-point-ref="authenticationEntryPoint">
        <sec:intercept-url pattern="/external/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <sec:anonymous enabled="false" />
        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    </sec:http>
-->
    <!--
        Client authentication for the token endpoint: stateless (no HTTP session),
        anonymous access disabled, fully authenticated access required, and the
        client_id / client_secret presented as HTTP Basic credentials checked by
        clientAuthenticationManager. This is the check that the password and
        authorization-code grants go through; the pattern here must stay in sync
        with token-endpoint-url on the authorization-server element below.
    -->
    <sec:http pattern="/external/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <sec:intercept-url pattern="/external/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <sec:anonymous enabled="false" />
        <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    </sec:http>

    <!--
        Challenge sent when client credentials are missing or invalid on the
        chain above (Basic scheme, realm as configured). NOTE(review): the realm
        "blablabla" reads like a placeholder; it is visible to every client in
        the challenge, so give it a meaningful value before deployment.
    -->
    <bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="blablabla" />
        <property name="typeName" value="Basic" />
    </bean>
    <!-- Renders access-denied responses for the token-endpoint chain in OAuth2 error format. -->
    <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    <!--
        Authenticates OAuth2 clients (not end users): the Basic username/password
        are resolved against the registered clients via clientDetailsUserService.
        Kept separate from the user authenticationManager referenced by the
        password grant below.
    -->
    <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <!-- Adapts the client registry (clientDetails) to the UserDetailsService contract used above. -->
    <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!--
        Project-specific stores; per the accompanying description these are
        DB-backed replacements for the in-memory sparklr/tonr samples
        (implementation not shown here).
    -->
    <!-- Persists issued access and refresh tokens. -->
    <bean id="tokenStore" class="com.proton.oauthprovider.service.ProtOnTokenStore" />

    <!-- Registered clients (ids, secrets, allowed grants/scopes). -->
    <bean id="clientDetails" class="com.proton.oauthprovider.service.ProtOnClientDetailsService" />

    <!-- Short-lived authorization codes for the authorization-code grant. -->
    <bean id="oauthCodeDetails" class="com.proton.oauthprovider.service.ProtOnAuthorizationCodeServices" />

    <!--
        Token issuance/validation on top of tokenStore. Refresh tokens are
        enabled, so the refresh-token grant below can be used by clients.
    -->
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <!--
        Custom user-approval (consent) handler. autoApproveClients is empty, so
        every client presumably goes through the explicit confirm_access page.
        NOTE(review): a client id listed in this set would skip user consent for
        that client; keep the set empty unless the client is fully trusted.
    -->
    <bean id="userApprovalHandler" class="com.proton.oauthprovider.service.OAuthUserApprovalHandler">
        <property name="autoApproveClients">
            <set>
                <!--  <value>rest-client</value> -->
            </set>
        </property>
        <property name="tokenServices" ref="tokenServices" />
    </bean>

    <!--
        Authorization server: custom authorize/token endpoint URLs under
        /external/oauth, forwarded approval and error pages, and the four grant
        types. token-endpoint-url matches the pattern of the HTTP Basic chain
        above; authorization-endpoint-url is not protected in this file.
    -->
    <oauth:authorization-server client-details-service-ref="clientDetails"  
        token-services-ref="tokenServices"
        user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/external/oauth/authorize" 
        user-approval-page="forward:/external/oauth/confirm_access" 
        error-page="forward:/external/oauth/error" 
        token-endpoint-url="/external/oauth/token" >
        <!-- Code exchange at the token endpoint, behind the client Basic check. -->
        <oauth:authorization-code authorization-code-services-ref="oauthCodeDetails"/>
        <!-- Token is returned from the authorize endpoint; the client Basic check never applies to this grant. -->
        <oauth:implicit/>
        <oauth:refresh-token />
        <!-- Resource-owner credentials are verified by authenticationManager (the user manager, defined outside this file). -->
        <oauth:password authentication-manager-ref="authenticationManager"/>
    </oauth:authorization-server>

    <!-- Registers the OAuth2 web security expression handler for use in access expressions. -->
    <oauth:web-expression-handler id="oauthWebExpressionHandler" />

    <!-- Override the default mappings for approval and error pages -->
    <!-- Controller backing the forward:/external/oauth/confirm_access approval page above. -->
    <bean id="accessConfirmationController" class="com.proton.oauthprovider.controller.AccessConfirmationController">
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

</beans>

authenticationEntryPoint是登录表单入口点,自定义类与sparklr和tonr大致相同,只是使用DB后端来存储客户端和令牌数据。


答案 0 :(得分:0)

好吧，我搞错了：隐式流程不使用令牌端点，而是使用授权端点。所以之前的配置是可以的，我只需要将隐式流程指向 /oauth/authorize/，它就可以正常工作。