目前我正在尝试将Spring-Security-Oauth2,Zuul,OpenAM作为OAuth2授权服务器和WCF REST API集成为资源服务器。最终的安装程序应如下所示:
Security http://fs1.directupload.net/images/150709/xo6wsm76.png
我阅读了本教程,该教程解释了如何使用spring和AngularJS(sso with spring and angularJS)设置SSO环境,但在我的情况下,我想使用OpenAM和密码授权流来验证useres。 所以在Spring Boot应用程序中,我当前的配置如下所示:
@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Client
public class ApolloUIProxyApplication {
public static void main(String[] args) {
SpringApplication.run(ApolloUIProxyApplication.class, args);
}
@Configuration
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.logout().and().antMatcher("/**").authorizeRequests()
.antMatchers("/index.html", "/home.html", "/", "/login").permitAll()
.anyRequest().authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterAfter(authenticationProcessingFilter(), CsrfFilter.class);
}
@Bean
public ZuulFilter tokenRelayFilter(){
JwtTokenRelayFilter filter = new JwtTokenRelayFilter();
filter.setRestTemplate(restTemplate());
return new JwtTokenRelayFilter();
}
@Bean
public ZuulFilter customTokenFilter(){
return new CustomZuulFilter();
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter(){
return new JwtAccessTokenConverter();
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
private OAuth2ClientAuthenticationProcessingFilter authenticationProcessingFilter(){
OAuth2ClientAuthenticationProcessingFilter processingFilter = new OAuth2ClientAuthenticationProcessingFilter("/login");
processingFilter.setRestTemplate(restTemplate());
processingFilter.setTokenServices(resourceServerTokenServices());
return processingFilter;
}
@Bean
public ResourceServerTokenServices resourceServerTokenServices(){
OpenAMRemoteTokenService remoteTokenServices = new OpenAMRemoteTokenService();
remoteTokenServices.setRestTemplate(restTemplate());
remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
remoteTokenServices.setClientId("...");
remoteTokenServices.setClientSecret("...");
remoteTokenServices.setCheckTokenEndpointUrl("http://...");
return remoteTokenServices;
}
@Bean
public OAuth2RestTemplate restTemplate(){
OAuth2RestTemplate template = new OAuth2RestTemplate(resourceDetails(), clientContext());
return template;
}
@Bean
public AccessTokenProvider accessTokenProvider(){
ResourceOwnerPasswordAccessTokenProvider provider = new ResourceOwnerPasswordAccessTokenProvider();
return provider;
}
@Bean
public OAuth2ClientContext clientContext(){
return new OpenAMClientContext();
}
@Bean
public OAuth2ProtectedResourceDetails resourceDetails(){
ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
details.setGrantType("password");
details.setAccessTokenUri("http://...");
details.setScope(Arrays.asList("openid");
details.setClientId("...");
details.setClientSecret("...");
return details;
}
@Bean
public AccessTokenConverter accessTokenConverter(){
DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
tokenConverter.setUserTokenConverter(userAuthenticationConverter());
return tokenConverter;
}
@Bean
public UserAuthenticationConverter userAuthenticationConverter(){
return new OpenAMUserAuthenticationConverter();
}
}
}
我编写了一个自定义RemoteTokenService,因为Spring无法访问OpenAM的tokeninfo端点,这需要GET请求而不是Post。此Connection现在正常工作,因此我从OpenAM获得有效的访问令牌,并且还可以在tokeninfo.endpoint中查询token / user-Infos。 Authentication对象被创建并存储在Spring的安全上下文中。我还可以访问ZuulFilter中的Authentication Object。
我现在的问题是,我必须调整" OAuth2ClientContext"从servletRequest获取用户凭据并将其放在" AccessTokenRequest"上。否则我将不得不在ResourceDetails中对它们进行硬编码,这在我的情况下是不合适的。
结果是,ClientContext(以及我猜的AccessTokenRequest)在系统的所有用户之间共享。我想要的是一个会话范围的客户端上下文,这样我就可以登录多个用户,并且可以在每个请求中为每个用户访问正确的SecurityContext。
所以我的问题是,
1)如何使ClientContext和AccessTokenRequest会话成为范围?
2)我是否需要使用Spring Session模块?
3)我是否需要设置sessionStrategy
谢谢!