Spring security oAuth2 - 带有表单身份验证的隐式令牌

时间:2015-09-15 12:44:25

标签: java spring-security forms-authentication spring-security-oauth2

我对 Spring Security 还比较陌生,最近一直在尝试 Spring Security OAuth2。如果我在配置中启用了 httpBasic 并使用 Basic 身份验证请求头,就可以通过下面的 URL 以隐式授权方式从授权端点获取令牌:

http://localhost:8081/oauth/authorize?client_id=portal&client_secret=portalSecret&response_type=token&redirect_uri=saveCode

我正在尝试使用表单身份验证而不是基本身份验证。但是当我将凭证作为表单数据发送时,我总是被重定向到登录表单。

这是我的配置:

WebSecurityConfigurerAdapter:

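    /**
     * Web security for the portal: user authentication (form login) plus URL authorization
     * for the OAuth2 endpoints. The OAuth2 client/resource/authorization-server wiring lives
     * in a separate configuration class.
     */
    @EnableWebSecurity
    public class PortalWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        /** Source of user accounts for the global AuthenticationManager. */
        @Autowired
        private UserDetailsService userDetailsService;

        /**
         * Encoder used to check user passwords.
         * NOTE(review): the bean name suggests a fast encoder. Stored user passwords should be
         * verified with a deliberately slow hash (bcrypt/scrypt/argon2) — confirm which
         * implementation backs this bean.
         */
        @Autowired
        private PasswordEncoder fastPasswordEncoder;

        /** The entry point bean declared below; only referenced by the commented-out httpBasic() line. */
        @Autowired
        private AuthenticationEntryPoint authenticationEntryPoint;

        /**
         * Registers the user store and password encoder with the shared authentication manager.
         *
         * @param authenticationManagerBuilder builder supplied by Spring Security
         * @throws Exception propagated from the builder
         */
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            authenticationManagerBuilder
                    .userDetailsService(userDetailsService)
                    .passwordEncoder(fastPasswordEncoder);
        }

        /**
         * Exposes the AuthenticationManager as a bean so the OAuth2 authorization server can use it.
         *
         * @return the manager built by the superclass
         * @throws Exception propagated from the superclass
         */
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /** Entry point that answers unauthenticated requests with an OAuth2-style error. */
        @Bean
        AuthenticationEntryPoint authenticationEntryPoint() {
            return new OAuth2AuthenticationEntryPoint();
        }

        /**
         * HTTP security rules. The builder chain is split into one statement per concern;
         * HttpSecurity hands back the same configurer for repeated calls, so this is equivalent
         * to the single and()-joined chain.
         *
         * @param http the HttpSecurity builder
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception {
            // When this is enabled, basic authentication works:
            // http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);

            // The login page and its POST target must be reachable by anonymous users.
            http.formLogin().permitAll();

            // NOTE(review): form login establishes the authenticated SecurityContext through the
            // HTTP session. With STATELESS nothing is kept between requests, so the redirect that
            // follows a successful login POST arrives unauthenticated and is sent back to the
            // login page — this looks like the cause of the behaviour described in the question.
            // Also, credentials posted to /oauth/authorize are not processed by formLogin, which
            // only handles the login-processing URL. Confirm whether STATELESS is really intended here.
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            // CSRF protection is off. That is only acceptable while no browser-held session can
            // be replayed against these endpoints; revisit if form login with a session is used.
            http.csrf().disable();

            // Order matters: more specific matchers first.
            http.authorizeRequests()
                    .antMatchers("/oauth/saveCode").permitAll()
                    .antMatchers("/login").permitAll()
                    .antMatchers("/oauth/token").fullyAuthenticated()
                    .antMatchers("/secure/**").authenticated();

            http.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
        }
    }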

oAuth2配置:

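/**
 * OAuth2 wiring: a resource server protecting {@code RESOURCE_ID} and, nested inside it,
 * the authorization server that issues tokens for the single in-memory "portal" client.
 */
@Configuration
public class OAuth2ServerConfig {

    /** Resource id that issued tokens must carry to be accepted by the resource server. */
    private static final String RESOURCE_ID = "resource";
    /** Access-token lifetime in seconds. */
    private static final int TOKEN_LIVE_SECONDS = 120;
    private static final String PORTAL_CLIENT_NAME = "portal";
    // NOTE(review): a client secret compiled into the class is visible to anyone with the
    // artifact; move it to externalized configuration before this leaves a dev environment.
    private static final String PORTAL_CLIENT_SECRET = "portalSecret";

    /** Resource-server side: validates bearer tokens and applies URL authorization. */
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        @Qualifier("tokenServices")
        private ResourceServerTokenServices tokenServices;

        /**
         * Restricts this resource server to tokens issued for {@code RESOURCE_ID}.
         *
         * @param resources resource-server configurer
         */
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID);
        }

        /**
         * URL rules for the resource server.
         *
         * @param http the HttpSecurity builder
         * @throws Exception propagated from the builder
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/oauth/saveCode").permitAll()
                    .antMatchers("/login").permitAll()
                    // Specific matchers must precede anyRequest(). The original placed
                    // "/secure/**" after anyRequest(), where it can never take effect
                    // (newer Spring Security versions reject that ordering at startup).
                    .antMatchers("/secure/**").fullyAuthenticated()
                    .anyRequest().authenticated()
                    .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        /** Authorization-server side: client registry and token endpoint security. */
        @Configuration
        @EnableAuthorizationServer
        protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

            @Autowired
            @Qualifier("tokenServices")
            private AuthorizationServerTokenServices tokenServices;

            @Autowired
            private TokenStore tokenStore;

            @Autowired
            private ClientDetailsService clientDetailsService;

            @Autowired
            private UserDetailsService userDetailsService;

            /**
             * Registers the single in-memory client.
             *
             * @param clients client registry configurer
             * @throws Exception propagated from the configurer
             */
            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.inMemory()
                        .withClient(PORTAL_CLIENT_NAME)
                        .secret(PORTAL_CLIENT_SECRET)
                        .scopes("read", "write", "trust")
                        // The grant-type name recognised by the token endpoint is "refresh_token";
                        // the original "refresh-token" would silently never match.
                        .authorizedGrantTypes("implicit", "authorization_code", "refresh_token")
                        // Java string literal; the original 'Admin_Role' (single quotes) does not compile.
                        .authorities("Admin_Role")
                        .resourceIds(RESOURCE_ID)
                        .accessTokenValiditySeconds(TOKEN_LIVE_SECONDS)
                        // NOTE(review): no redirectUris(...) are registered. With the implicit grant
                        // the token is delivered to redirect_uri, so the allowed URI(s) should be
                        // registered here rather than trusted from the request; combined with
                        // autoApprove(true) there is no consent step to catch a wrong redirect.
                        .autoApprove(true);
            }

            /**
             * Lets clients send client_id/client_secret as form parameters to the token endpoint.
             * NOTE(review): this concerns client authentication on /oauth/token only; it does not
             * make /oauth/authorize accept user credentials as form data.
             *
             * @param security authorization-server security configurer
             * @throws Exception propagated from the configurer
             */
            @Override
            public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
                security.allowFormAuthenticationForClients();
            }
        }
    }
}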

我只需要能够获取令牌,而不必经过登录表单本身(就像调用服务时一样)。我想实现的目标可行吗?提前致谢。

0 个答案:

没有答案