How to add a filter after the HTTP BasicAuthenticationFilter when using @EnableAuthorizationServer

Time: 2015-04-19 21:41:15

Tags: java spring-security spring-security-oauth2

I am trying to follow this documentation: https://github.com/spring-projects/spring-security-oauth/blob/f25592e682303b0cf89e1d7555174bac18e174df/docs/oauth2.md#mapping-user-roles-to-scopes

The documentation says that in order to map user roles to scopes and set checkUserScopes=true on the DefaultOAuth2RequestFactory, we need to add a TokenEndpointAuthenticationFilter after the HTTP BasicAuthenticationFilter. I would like to know how to do this.

This is what my AuthorizationServer looks like:

// Imports for the snippet below; the enclosing application configuration class is not shown.
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends
        AuthorizationServerConfigurerAdapter {

    // Authenticates resource owners for the password grant.
    @Autowired
    private AuthenticationManager authenticationManager;

    // The request factory bean defined below (checkUserScopes=true).
    @Autowired
    private OAuth2RequestFactory requestFactory;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
        endpoints.requestFactory(requestFactory);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.withClientDetails(clientDetailsService());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer)
            throws Exception {
        // /oauth/check_token requires an authenticated caller.
        oauthServer.checkTokenAccess("isAuthenticated()");
    }

    @Bean
    public ClientDetailsService clientDetailsService() {

        Map<String, ClientDetails> clientDetailsStore = new HashMap<String, ClientDetails>();

        // Scopes the client may request; with checkUserScopes=true they are
        // further narrowed to the ones the authenticated user has a role for.
        Collection<String> scope = new HashSet<String>();
        scope.add("user");
        scope.add("admin");

        Collection<String> authorizedGrantTypes = new HashSet<String>();
        authorizedGrantTypes.add("password");
        authorizedGrantTypes.add("refresh_token");

        BaseClientDetails clientDetails = new BaseClientDetails();
        clientDetails.setClientId("client");
        clientDetails.setClientSecret("secret");
        clientDetails.setScope(scope);
        clientDetails.setAuthorizedGrantTypes(authorizedGrantTypes);

        clientDetailsStore.put("client", clientDetails);

        InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
        clientDetailsService.setClientDetailsStore(clientDetailsStore);

        return clientDetailsService;
    }

    @Bean
    public OAuth2RequestFactory requestFactory() {
        DefaultOAuth2RequestFactory requestFactory =
                new DefaultOAuth2RequestFactory(clientDetailsService());

        // Only grant scopes that match the authenticated user's authorities.
        requestFactory.setCheckUserScopes(true);

        return requestFactory;
    }
}

Also, it would be great to have an example curl command showing how to test the password grant type.

Thanks for any help!

2 answers:

Answer 0 (score: 5)

You should be able to extend AuthorizationServerSecurityConfiguration and include it in your Spring configuration instead of using @EnableAuthorizationServer. E.g.

@Configuration
public class OAuth2Config extends AuthorizationServerSecurityConfiguration {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep the default token endpoint security (HTTP Basic for clients).
        super.configure(http);
        // myFilter() is the filter to add; it is not defined in this answer.
        http.addFilterAfter(myFilter(), BasicAuthenticationFilter.class);
    }
}
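A complete version of the approach in this answer, added here as an illustration and not part of the original answer: it extends AuthorizationServerSecurityConfiguration and places a TokenEndpointAuthenticationFilter after BasicAuthenticationFilter. It assumes Spring Security OAuth 2.0.x, an AuthenticationManager bean that authenticates resource owners, and the OAuth2RequestFactory bean with checkUserScopes=true from the question; the class name TokenEndpointUserScopesConfig is an arbitrary choice. The ordering matters for security: TokenEndpointAuthenticationFilter reads the already-authenticated client from the SecurityContext that BasicAuthenticationFilter populated, then authenticates the user from the username/password form parameters, so that by the time DefaultOAuth2RequestFactory builds the token request the user's authorities are present and the requested scopes can be intersected with them.

```java
// Added example, not code from the question or the answers.
// Assumes Spring Security OAuth 2.0.x and that an AuthenticationManager for
// resource owners and the question's OAuth2RequestFactory are exposed as beans.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpointAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Replaces @EnableAuthorizationServer: AuthorizationServerSecurityConfiguration
// already imports the endpoint and client-details configuration, and the
// question's AuthorizationServerConfigurerAdapter stays as a plain @Configuration.
@Configuration
public class TokenEndpointUserScopesConfig extends AuthorizationServerSecurityConfiguration {

    // Authenticates the resource owner (username/password) for the password grant.
    @Autowired
    private AuthenticationManager authenticationManager;

    // The DefaultOAuth2RequestFactory from the question, with checkUserScopes=true.
    @Autowired
    private OAuth2RequestFactory requestFactory;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep the stock /oauth/token protection: client credentials over HTTP Basic.
        super.configure(http);

        // The filter is created here rather than as a @Bean so that a servlet
        // container (e.g. Spring Boot) does not also register it globally and
        // run it twice per request.
        TokenEndpointAuthenticationFilter userFilter =
                new TokenEndpointAuthenticationFilter(authenticationManager, requestFactory);

        // Must come after BasicAuthenticationFilter: the filter takes the client
        // authentication from the SecurityContext and rejects the request if none
        // is present, then stores an OAuth2Authentication (client + user) so the
        // request factory can check the user's roles against the requested scopes.
        http.addFilterAfter(userFilter, BasicAuthenticationFilter.class);
    }
}
```

With this in place a password-grant request whose client is allowed the scopes "user" and "admin" is only issued the "admin" scope when the authenticated user carries a matching authority; a user without it silently receives the narrower scope set rather than an error, which is worth remembering when writing tests for the token endpoint.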

Answer 1 (score: 0)

You can also add additional filters via the AuthorizationServerSecurityConfigurer, although they are placed before basic authentication, not after.

@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
    // myFilter() is the filter to add; it is not defined in this answer.
    security.addTokenEndpointAuthenticationFilter(myFilter());
    security.checkTokenAccess("isAuthenticated()");
}
Add a new custom authentication filter for the TokenEndpoint. Filters will be set upstream of the default BasicAuthenticationFilter.