Spring + Oauth2:如何刷新访问令牌

时间:2016-09-29 20:10:05

标签: rest spring-boot oauth-2.0 access-token spring-security-ldap

我正在使用Spring Boot构建休息Web服务。使用Spring Security和OAuth2实现身份验证。用户通过LDAP服务器进行身份验证。这是我的websecurityconfig

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private RestAuthenticationSuccessHandler authenticationSuccessHandler;
    @Autowired
    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http

            .httpBasic()
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(
                    SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(restAuthenticationEntryPoint)
            .and()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/ristore/**").authenticated()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .successHandler(authenticationSuccessHandler)
                .failureHandler(new SimpleUrlAuthenticationFailureHandler());
    }

    @Override  
    @Bean  
    public AuthenticationManager authenticationManagerBean() throws Exception {  
        return super.authenticationManagerBean();  
    }

    @Bean
    public RestAuthenticationSuccessHandler mySuccessHandler(){
        return new RestAuthenticationSuccessHandler();
    }
    @Bean
    public SimpleUrlAuthenticationFailureHandler myFailureHandler(){
        return new SimpleUrlAuthenticationFailureHandler();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        DefaultSpringSecurityContextSource contextSource = getSource();
        auth
        .ldapAuthentication()
            .userDnPatterns("cn={0},ou=institution,ou=people")
            .groupSearchBase("ou=groups")
            .contextSource(contextSource);
    }
 }

其他配置在authserverconfig中完成,包括clientdetailservice。

public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
     @Autowired
     @Qualifier("authenticationManagerBean")
     private AuthenticationManager authenticationManager;


     @Override
     public void configure(AuthorizationServerSecurityConfigurer oauthServer) 
       throws Exception {
         oauthServer.allowFormAuthenticationForClients();
     }

     @Override
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
          endpoints.tokenStore(new InMemoryTokenStore())
          .authenticationManager(authenticationManager);
     }
     @Override
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
          clients
            .inMemory()
            .withClient("ristoreclient")
            .scopes("read")
            .authorizedGrantTypes("password", "refresh_token", "client_credentials")
            .secret("ristoresecret")
            .accessTokenValiditySeconds(60);    
      }
 }

适用于初次登录。但是当我尝试使用刷新令牌获取带有刷新令牌的新访问令牌时,我收到错误“需要UserDetailsS​​ervice”。在线搜索答案后,我发现此帖有类似问题:spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration。基本上,解决方案是创建自定义LdapUserDetailsService。事情是它是在xml配置而不是java中设置的。此外,尚不清楚这门课程的注入方式和位置。在另一个case中,userdetailservice实例将添加到auth服务器端点配置中。本文不提供此类的实现。

在我看来,拥有userdetailservice的想法是在发出新的访问令牌之前查看该用户是否仍处于活动状态。矛盾的是,获取oauth2的refresh_token的请求仅包含以下不包含用户名/密码的信息。

client_id=clientid
client_secret=clientsecret
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token

OAuth2 for a Spring REST 使用Zuul代理作为前端和web api之间的中间层来处理刷新令牌,这使得配置更加复杂。我应该如何在Spring Boot中为oauth2实现userdetails服务?我应该在哪里注入它?

0 个答案:

没有答案