Get username & password to validate in grant type "password" using Spring Security OAuth2

Time: 2018-03-12 22:19:41

Tags: spring-boot spring-security-oauth2

I want to extract the username and password from the request so that I can cross-validate them against the database.

What I want to achieve: extract the information username=Test&password=Test@123 from the HTTP request and verify it against the DB instead of the hard-coded values in application.properties.

Currently I am able to achieve --user testClient:123456. Please suggest a way to get the name and password.

HTTP call:
curl -X POST --user testClient:123456 http://localhost:8090/oauth/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=password&username=Test&password=Test@123&scope=read_profile"

application.properties:

**security.user.name=Test
security.user.password=Test@123**
spring.datasource.url=jdbc:mysql://localhost/oauth
spring.datasource.username=root
spring.datasource.password=password
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
spring.jpa.properties.hibernate.hbm2ddl.auto=validate

Auth server class

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

import javax.sql.DataSource;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends
        AuthorizationServerConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(OAuth2AuthorizationServer.class);


    @Autowired
    AuthenticationManager authenticationManager;


    @Autowired
    private DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
          return new JdbcTokenStore(dataSource);
    }

    @Bean
    public ApprovalStore approvalStore() {
       return new JdbcApprovalStore(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
            .approvalStore(approvalStore())
            .tokenStore(tokenStore())
            // required if the "password" grant type is to be supported
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
         security.passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {

        return new BCryptPasswordEncoder(4);
    }
}

1 answer:

Answer 0: (score: 0)

You are using Spring's already implemented endpoint /oauth/token to obtain the token. This endpoint lives in the TokenEndpoint class.

@RequestMapping(
    value = {"/oauth/token"},
    method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
    // the client must already be authenticated (e.g. by the Basic Auth filter) before this method runs
    if (!(principal instanceof Authentication)) {
        throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
    } else {
        // ... remainder of the method omitted in the original post
    }
}
This endpoint takes a Principal object and a Map. The client credentials you pass as Basic Auth become the principal, while the other parameters such as grant_type, username, password and scope arrive as the map of request parameters.

OAuth2RequestFactory takes these parameters and the authenticated client information to create a token request. TokenGranter then takes this token request to grant the token.

These things happen behind the scenes, so you do not explicitly extract the user information from the request yourself.
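The usual way to get what the question asks for (resource-owner credentials checked against the DB rather than `security.user.*`) is not to parse the request at all but to give the authorization server a DB-backed `AuthenticationManager`, which the `TokenGranter` described above then uses for the password grant. The following is an added example, not code from the question or answer; it reuses the `PasswordEncoder` bean and `DataSource` from the question's `OAuth2AuthorizationServer`, and the table and column names `app_user` / `app_authority` are hypothetical placeholders for your own schema.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Resource-owner (username/password) authentication backed by the database.
 * The AuthenticationManager exposed here is what gets injected into
 * configure(AuthorizationServerEndpointsConfigurer) in the question's
 * OAuth2AuthorizationServer, so the "password" grant is verified against the
 * users table instead of security.user.name / security.user.password.
 */
@Configuration
@EnableWebSecurity
public class DbUserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // The BCryptPasswordEncoder(4) bean declared in OAuth2AuthorizationServer.
    // Stored user passwords must be BCrypt hashes, never plaintext; note that
    // cost 4 is the BCrypt minimum and is only suitable for local testing.
    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical table/column names: adapt the two queries to your schema.
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder)
            .usersByUsernameQuery(
                "select username, password, enabled from app_user where username = ?")
            .authoritiesByUsernameQuery(
                "select username, authority from app_authority where username = ?");
    }

    // Publish the manager as a bean so the @Autowired AuthenticationManager in
    // the authorization server resolves to this DB-backed instance.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```

With this in place the same curl call from the question succeeds only when `username` / `password` match a BCrypt hash in the DB, and a wrong password is rejected by the `AuthenticationManager` before any token is issued.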