我们需要在我们的应用程序中包含OAuth2。为此,我们选择了春季安全作为一种方法。我检查了Spraklr2& Tonr2示例项目来自spring security projects页面。它工作正常。
我们的新要求是,作为outh2提供商,我们必须保存每个请求日志(来自资源所有者的请求)。我们必须保存客户端ID,资源所有者用户名,请求的URL(资源服务器上的资源),授权等..
我用Google搜索了一段时间,但没有发现任何线索。
有人可以帮助我实现这个想法..
提前致谢
答案 0 :(得分:0)
如果您要将所有请求记录到/ oauth / authorize和/ oauth / token,则可以通过实现自己的端点来实现,这些端点将分别委托对AuthorizationEndpoint和TokenEndpoint的调用。
你必须在XML文件中配置它,当然......
答案 1 :(得分:0)
如果你没有找到答案,下面是我用来拦截请求的方法..
<http path-type="regex"
create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilterSecurityInterceptor" />
<intercept-url pattern="/soap/*" access="isAnonymous()" method="GET" />
<intercept-url pattern="/advisor/[0-9a-zA-Z_]/all/clients/[0-9]/[0-9]" access="isFullyAuthenticated()"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
</http>
<bean id="myFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="affirmativeBasedAccessDecisionManager"/>
<property name="securityMetadataSource" ref="myCustomBean"/>
</bean>
<bean id="affirmativeBasedAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
<bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<bean id="myCustomBean" class="MyCustomClass">
<constructor-arg>
<util:map />
</constructor-arg>
</bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password, enabled from oauth_users where username=?"
authorities-by-username-query=
"select username, role from oauth_user_roles where username =? " />
</authentication-provider>
</authentication-manager>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="realm" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
</list>
</constructor-arg>
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
public class MyCustomClass扩展DefaultFilterInvocationSecurityMetadataSource {
public APILibSecurityMetadataSource(
LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap) {
super(requestMap);
}
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
System.out.println(" My code in MyCustomClass Interceptor");
}
}
答案 2 :(得分:0)
当使用Spring Oauth对用户进行身份验证时,它会向AuthenticationEventPublisher
发布一个事件。您可以创建一个实现AuthenticationEventPublisher
的组件,如下所示:
@Component
public class AuditEvent implements AuthenticationEventPublisher{
@Override
public void publishAuthenticationSuccess(Authentication authentication) {
if(authentication instanceof UsernamePasswordAuthenticationToken) {
log(authentication.getName(), "Authentication successful");
}
}
@Override
public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
log(authentication.getName(),"Authentication Failure:");
}
}
并检查身份验证是否为UsernamePasswordAuthenticationToken
类型。这将为您提供登录事件,您可以根据需要进行记录。