I want to use an access-log system to protect my REST API against brute-force attacks. The problem is that I want to record failed accesses in the database by implementing my own OAuth2AccessDeniedHandler.
When I do not send any token header to the resource-server endpoint, the flow goes straight to AbstractOAuth2SecurityExceptionHandler without ever considering my handler implementation.
This is my resource server configuration:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
    import org.springframework.security.web.AuthenticationEntryPoint;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
    import org.springframework.security.web.util.matcher.OrRequestMatcher;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // Custom handler for AccessDeniedException, default entry point for unauthenticated requests
            resources
                .accessDeniedHandler(accessDeniedHandler())
                .authenticationEntryPoint(authenticationEntryPoint());
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Apply this filter chain to every path except the authorization-server UI endpoints
            http.requestMatchers()
                .requestMatchers(
                    new NegatedRequestMatcher(
                        new OrRequestMatcher(
                            new AntPathRequestMatcher("/login"),
                            new AntPathRequestMatcher("/logout"),
                            new AntPathRequestMatcher("/oauth/authorize"),
                            new AntPathRequestMatcher("/oauth/confirm_access")
                        )
                    )
                )
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }

        @Bean
        public AuthenticationEntryPoint authenticationEntryPoint() {
            final OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
            return entryPoint;
        }

        @Bean
        public CustomOAuth2AccessDeniedHandler accessDeniedHandler() {
            final CustomOAuth2AccessDeniedHandler handler = new CustomOAuth2AccessDeniedHandler();
            return handler;
        }
    }
Any idea what I am doing wrong? The goal is to use my custom handler to process failed accesses. This is the CustomOAuth2AccessDeniedHandler:
    import java.io.IOException;
    import java.util.Date;
    import java.util.StringTokenizer;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomOAuth2AccessDeniedHandler extends OAuth2AccessDeniedHandler {

        @Autowired
        AccessLogRepository accessLogRepository;

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException authException) throws IOException, ServletException {
            // Record the failed access, then let the default OAuth2 error response go out
            accessLogRepository.save(
                AccessLog.builder()
                    .ip(getClientIpAddress(request))
                    .dateCreated(new Date())
                    .type(AccessLog.AccessLogType.WEB)
                    .valid(false)
                    .build());
            super.handle(request, response, authException);
        }

        // First entry of X-Forwarded-For when present, otherwise the socket peer address
        private static String getClientIpAddress(HttpServletRequest request) {
            String xForwardedForHeader = request.getHeader("X-Forwarded-For");
            if (xForwardedForHeader == null) {
                return request.getRemoteAddr();
            } else {
                return new StringTokenizer(xForwardedForHeader, ",").nextToken().trim();
            }
        }
    }
I want to handle it when it succeeds as well.
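A request that carries no bearer token is anonymous when it reaches Spring Security's ExceptionTranslationFilter, and for an anonymous caller the filter converts the AccessDeniedException into a call to the configured AuthenticationEntryPoint (OAuth2AuthenticationEntryPoint, which extends AbstractOAuth2SecurityExceptionHandler) rather than to the AccessDeniedHandler. The AccessDeniedHandler only sees requests that authenticated but lacked the required authority. The following added example, which is not part of the original post, shows an entry point that records the missing-token case in the same AccessLog repository; it reuses the post's AccessLogRepository, AccessLog builder and AccessLogType.WEB, while the class name LoggingOAuth2AuthenticationEntryPoint, the constructor injection and the trustForwardedHeader flag are assumptions made for this example. The client-IP helper also treats X-Forwarded-For as client-controlled input: it is only consulted when the application is known to sit behind a proxy that overwrites the header, because otherwise a caller can spoof the logged address and defeat per-IP brute-force accounting.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;

// Assumed class for this example: an entry point that logs unauthenticated accesses.
public class LoggingOAuth2AuthenticationEntryPoint extends OAuth2AuthenticationEntryPoint {

    private final AccessLogRepository accessLogRepository;
    // Assumed flag: true only when a trusted reverse proxy rewrites X-Forwarded-For.
    private final boolean trustForwardedHeader;

    public LoggingOAuth2AuthenticationEntryPoint(AccessLogRepository accessLogRepository,
                                                 boolean trustForwardedHeader) {
        this.accessLogRepository = accessLogRepository;
        this.trustForwardedHeader = trustForwardedHeader;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // Reached for a missing or invalid token (anonymous caller); record it as a failed access.
        accessLogRepository.save(
            AccessLog.builder()
                .ip(clientIp(request, trustForwardedHeader))
                .dateCreated(new Date())
                .type(AccessLog.AccessLogType.WEB)
                .valid(false)
                .build());
        // Emit the standard OAuth2 401 response with the WWW-Authenticate header.
        super.commence(request, response, authException);
    }

    // X-Forwarded-For is untrusted unless a known proxy sets it; otherwise use the peer address.
    static String clientIp(HttpServletRequest request, boolean trustForwardedHeader) {
        String forwarded = request.getHeader("X-Forwarded-For");
        if (trustForwardedHeader && forwarded != null && !forwarded.isEmpty()) {
            // Leftmost entry is the original client as seen by the first trusted proxy.
            return forwarded.split(",")[0].trim();
        }
        return request.getRemoteAddr();
    }

    // Wiring sketch: replace the authenticationEntryPoint() bean in ResourceServerConfig
    // with one that returns this class, injecting the repository through the bean method.
    public static class Wiring {
        @Bean
        public AuthenticationEntryPoint authenticationEntryPoint(AccessLogRepository repository) {
            // Set the flag from configuration; false is the safe default without a proxy.
            return new LoggingOAuth2AuthenticationEntryPoint(repository, false);
        }
    }
}
```

With this entry point registered via resources.authenticationEntryPoint(...), the no-token case lands in commence() and the existing CustomOAuth2AccessDeniedHandler keeps covering the authenticated-but-forbidden case, so both failure paths produce an AccessLog row. The successful-access case mentioned at the end of the post is not an exception path; it would be recorded from a filter or interceptor that runs after authentication, which this example does not cover.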