我可以在请求正文中而不是标头中发送OAuth 2.0凭据吗?

时间:2016-10-20 05:31:16

标签: java spring spring-security oauth spring-data

目前我正在使用启用了spring security的{​​{1}},一切就绪并且运行正常!

http://localhost:8080/SpringSecurityOAuth2Example/oauth/token?grant_type=password&username=kalynpradhan@gmail.com&password=abc

我在请求标头中发送客户端凭据,如上所示 即OAuth 2.0username=kalynpradhan@gmail.com

我可以在请求正文中而不是请求标头中发送OAuth 2.0配置吗?

是否有任何配置可以让我在春天接受请求体中的令牌?

下面是我使用OAuth 2.0的弹簧安全配置文件

password=abc

WebSecurityConfigurerAdapter config

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static String REALM = "MY_OAUTH_REALM";

    /*
     * The token store is the store where all the tokens are stored, It can be
     * InMemory, JDBC, etc.
     */
    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    /**
     * SpringData JPA dataSource injected.
     */
    @Autowired
    private DataSource dataSource;

    /**
     * Autowiring the {@link CustomUserDetailsService} for configuring the
     * {@link UserDetailsService} which provides the required user details to
     * the security context.
     * 
     * This extra implementation of the userDetailsService is necessary because
     * after OAuth 2.0 version - 2.0.10.RELEASE the UserDetails service is not
     * automatically extracted from the context.
     * 
     * Here is a link to the documentation in the gitHub community. <a href=
     * "https://github.com/royclarkson/spring-rest-service-oauth/issues/19">
     * Documentation</a>
     */
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        //@formatter:off
        clients.jdbc(dataSource);/*.withClient("my-trusted-client")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust").secret("secret")
                .accessTokenValiditySeconds(120).// Access token is only valid for 2 minutes.
                refreshTokenValiditySeconds(600);// Refresh token is only valid for 10 minutes.
        //@Formatter:on
*/  }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager).userDetailsService(userDetailsService);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }
}

资源服务器配置

@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    /**
     * Defines custom authentication provider.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().anonymous().disable().authorizeRequests().antMatchers("/oauth/token").permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/students/**");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    /**
     * This Approval store is used to direct the OAuth server to use the
     * tokenStore that is exposed as a spring bean and uses the database to
     * store all the tokens.
     * 
     * @param tokenStore
     * @return The Approval store which uses the tokenStore injected into the
     *         spring context as a bean.
     * @throws Exception
     */
    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

1 个答案:

答案 0 :(得分:1)

您已从AuthorizationServerConfigurerAdapter覆盖配置方法:

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.realm(REALM + "/client");
}

尝试使用它:

@Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.allowFormAuthenticationForClients().realm(REALM + "/client");
    }