我是Spring Oauth和Spring Security的新手。我试图在我的项目中使用client_credentials流程。现在我设法使用我自己的CustomDetailsService来从我系统中已经存在的数据库中获取client_id和密码(secret)。唯一的问题是我无法更改AuthorizationServer使用的DaoAuthenticationProvider中的密码编码器 - 它默认设置为PlaintextPasswordEncoder。我无法按照它的方式进行配置,例如SHAPasswordEncoder。它总是使用明文编码器。我可能不太了解流程,因为我是春天的新手。
这是我的一些代码(没有DaoAuthenticationProvider的工作配置):
SecurityConfig.java
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String RESOURCE_ID = "restservice";
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/register/**");
}
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(daoAuthenticationProvider());
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setUserDetailsService(userDetailsService());
daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
return daoAuthenticationProvider;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new ShaPasswordEncoder();
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private MyCustomClientDetailsService myCustomClientDetailsService;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints.tokenStore(tokenStore());
}
@Bean
public ResourceServerTokenServices defaultTokenServices() {
final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(myCustomClientDetailsService);
}
@Bean
public MyCustomClientDetailsService detailsService() {
return new MyCustomClientDetailsService();
}
}
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
...
}
}
自定义ClientDetailsService类:
public class MyCustomClientDetailsService implements ClientDetailsService {
@Autowired
private UserService userService;
@Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
User fan = userService.getFan(clientId);
if (fan == null) {
throw new NoSuchClientException("No client with requested id: " + clientId);
}
BaseClientDetails details = new BaseClientDetails(clientId, restservice, "write", "client_credentials", "USER");
details.setClientSecret(fan.getEncodedPassword());
return details;
}
}
从我的UserService获取的encodedPassword始终是一个错误的Credential,因为DaoAuthenticationProvider默认设置了PlaintextPasswordEncoder。
我在那里错过了什么? 是否可以在DaoAuthenticationProvider中设置用于检查凭据的密码编码器?或者我是否必须编写自己的AuthenticationProvider,它会按照我想要的方式进行检查?
答案 0 :(得分:22)
我发现问题的解决方案是覆盖configure
AuthorizationServerConfigurerAdapter
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.passwordEncoder(passwordEncoder);
}
答案 1 :(得分:-1)
如果您只想使用其他传递编码器配置spring身份验证,请使用此配置。
<bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="authenticationService">
<password-encoder ref ="encoder" />
<!-- <user-service>
<user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
</user-service> -->
</authentication-provider>
</authentication-manager>
注意: - 在创建用户期间,您需要使用相同的密码编码器类加密userpassword。