I am using an internal OAuth2 authorization server, which is a separate (hidden) entity that exposes token services (obtain token, validate token).
I am trying to secure my REST API with this authorization server using Spring OAuth2 security; please find my XML configuration and implementation classes below.
My implementation does not check any token; the request goes straight to the RestController and the data is returned.
spring-security.xml
<security:http pattern="/appl/rest**" use-expressions="true" auto-config="true" create-session="never"
               entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>

<!-- another normal http entry for the application -->
<security:http use-expressions="true" auto-config="false"
               entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" authentication-manager-ref="authenticationManager">
    <!-- intercept URL configurations & pre-auth filter config -->
</security:http>

<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="W3IDRealm" />
</bean>

<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />

<!-- custom ResourceServerTokenServices that calls the remote check-token endpoint -->
<bean id="tokenServices" class="com.rest.oauth.CWATokenServices">
    <property name="checkTokenEndpointUrl" value="endpointurl" />
    <property name="clientId" value="clientid" />
    <property name="clientSecret" value="clicnetsecret" />
</bean>

<oauth:resource-server id="resourceServerFilter" resource-id="W3IDRealm" token-services-ref="tokenServices" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="oauthWebExpressionHandler" />
            </bean>
        </list>
    </constructor-arg>
</bean>
CWATokenServices: I implemented it by following the Cloud Foundry example, implementing my own ResourceServerTokenServices. However, its loadAuthentication method is never called.
Cloud Foundry URL: https://github.com/cloudfoundry/uaa/blob/master/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/RemoteTokenServices.java
import java.util.ArrayList;

import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/data")
public class RestDataController {

    // REST endpoint: GET /data/query/{query}, returns JSON
    @RequestMapping(value = "/query/{query}", method = RequestMethod.GET, produces = "application/json")
    public ArrayList<PlatformPart> dataJson(@PathVariable String query) {
        // The result list must have the declared return type (PlatformPart, not String)
        ArrayList<PlatformPart> resultList = new ArrayList<PlatformPart>();
        // DAO called here to populate resultList
        return resultList;
    }
}
If I call http://localhost:port/appname/rest/data/query/input, I get a valid response, but it is not authenticated: the token is never validated. I have a breakpoint in CWATokenServices (the loadAuthentication method), but it is never hit.
Let me know what is missing here.
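A quick check a reviewer would run against this configuration, added here as an example and not part of the question or the asker's code: Spring Security evaluates the `pattern` attribute of `<security:http>` against the request path with the context path stripped, using Ant-style matching (the same semantics as `org.springframework.util.AntPathMatcher`). The snippet below assumes `/appname` is the web application's context path, so the path Spring Security sees for the request in the question is `/rest/data/query/input` (an assumption; the question does not state the servlet mapping). It compares the configured pattern `/appl/rest**` with that path, and for contrast also tries a `/rest/**` pattern; a request whose path no pattern-restricted chain matches falls through to the next `<security:http>` element, which here is the pre-authenticated one that never runs `resourceServerFilter`.

```java
// Added example (not from the question). Requires spring-core on the classpath.
import org.springframework.util.AntPathMatcher;

public class ResourceServerPatternCheck {

    // Same matcher semantics that <security:http pattern="..."> uses.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Path Spring Security matches against: servlet path + path info, context path removed.
    // Assumes the context path is /appname (not stated in the question).
    static final String REQUEST_PATH = "/rest/data/query/input";

    // Returns true when the given <security:http pattern> would select the request path.
    static boolean chainSelects(String pattern, String requestPath) {
        return MATCHER.match(pattern, requestPath);
    }

    public static void main(String[] args) {
        // Pattern exactly as configured in the question's spring-security.xml.
        // Its first segment is "appl"; the request's first segment is "rest",
        // so this chain is never selected and the OAuth2 filter never runs.
        report("/appl/rest**", REQUEST_PATH);

        // Even under a matching prefix, "rest**" is matched within a single
        // path segment: "**" only spans directories when it is a whole segment.
        report("/appl/rest**", "/appl/rest/data");

        // A whole-segment "**" covers every path under /rest.
        report("/rest/**", REQUEST_PATH);
    }

    private static void report(String pattern, String path) {
        System.out.printf("pattern %-14s path %-26s selected=%b%n",
                pattern, path, chainSelects(pattern, path));
    }
}
```

Run it after `mvn`/`gradle` resolves `spring-core`; the output shows which of the three patterns selects each path. Whatever pattern is chosen must agree with the servlet mapping, and the pre-authenticated `<security:http>` that follows should not be left as a catch-all for REST paths that the OAuth2 chain was meant to protect.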