Question

我目前正在尝试使用spring security oauth2实现spring应用程序来保护我的资源以及从外部设备接收数据（例如IOS或Android应用程序）通过以下spring配置设置，我可以实现保护资源的目标，所以基本上任何人都希望查看json数据，他们必须经历

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.2.xsd
       http://www.springframework.org/schema/security/oauth2
       http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<!-- Definition of the Authentication Service -->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>

<!-- Protected resources -->
<http pattern="/searchResultAPI/**" 
      create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/searchResultAPI/**" access="ROLE_USER"/>
    <intercept-url pattern="/receiveUserDataAPI/**" access="ROLE_USER"/>
    <custom-filter ref="resourceServerFilter"
                   before="PRE_AUTH_FILTER"/>
    <access-denied-handler
            ref="oauthAccessDeniedHandler"/>
</http>

<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest"/>
</bean>

<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest/client"/>
    <property name="typeName" value="Basic"/>
</bean>

<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
      xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
            <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
</bean>

<!-- Authentication in config file -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService"/>
</authentication-manager>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service id="userDetailsService">
            <user name="admin" password="password" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails"/>
</bean>

<!-- Token Store  -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore"/>
    <property name="supportRefreshToken" value="true"/>
    <property name="clientDetailsService" ref="clientDetails"/>
    <!-- VIV -->
    <property name="accessTokenValiditySeconds" value="10"/>
</bean>

<bean id="userApprovalHandler"
      class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
    <property name="tokenServices" ref="tokenServices"/>
</bean>

<!-- Token management -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                            user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code/>
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials/>
    <oauth:password/>
</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter"
                       resource-id="dstest"
                       token-services-ref="tokenServices"/>

<!-- Client Definition -->
<oauth:client-details-service id="clientDetails">

    <oauth:client client-id="my-trusted-client"
                  authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                  authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
                  redirect-uri="/web"
                  scope="read,write,trust"
                  access-token-validity="30"
                  refresh-token-validity="600"/>

</oauth:client-details-service>


<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <sec:expression-handler ref="oauthExpressionHandler"/>
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler"/>
<oauth:web-expression-handler id="oauthWebExpressionHandler"/>

</beans>

1.获取刷新令牌

http://www.sample.com/oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password

刷新令牌交换访问令牌

http://www.sample.com/oauth/token?client_id=my-trusted-client&grant_type=refresh_token&refresh_token=5fbdc1fe-6d26-458a-818f-4e49c41a47ff
最后一步使用访问令牌来访问json数据

http://www.sample.com/searchResultAPI/results?search_item_id=0098&access_token=3658213e-5bb0-4c4b-89ca-f0f82513fc22

上述过程检索数据没有问题。

但是，当我尝试将一些数据发布到此url时（假设servlet请求映射是针对此url，并且所有gson orm和模型已完成等等），spring security不会将帖子停止到{{1即使没有最初调用http://www.sample.com/receiveUserDataAPI/receiver来获取访问令牌，也是如此。

oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password

它只是通过这个servlet直接将数据放入数据库。理想情况下，我的计划就像撤退数据流程，授予用户访问令牌1，然后使用令牌发布数据，弹簧安全检查令牌有效，然后接收数据。我想它应该将json数据发布到像{ "customer": { "address": "somewhere", "city": "London", } }这样的url？任何人都可以指出我在哪里设置错误或我错过了设置任何属性？感谢

Answer 1

当您的客户端收到访问令牌时，请将其放入请求标头中：{＆＃39;授权＆＃39;：＆＃39; Bearer {access_token}＆＃39;}用于您服务器上的任何受保护资源。 Spring会自动检查此令牌和所有者权限。

spring security oauth2 post restriction

1 个答案: