I am building an authorization server, but I have run into a problem: the authorization server is trying to authenticate my client against LDAP when the password grant_type is used.
What I want instead is for the client to be authenticated with the ClientDetailsService, and then for the user specified in the request to be authenticated against LDAP. I'm not sure why this is happening. Any help would be greatly appreciated.
I can't fully determine what is causing the problem, other than that @Order(Order.HIGHEST_PRECEDENCE) is causing this filter to try to authenticate all requests first, so requests to the token endpoint are not hitting the correct configuration class.
When I hit the OAuth /token endpoint with valid oauth2-client credentials, I get an unauthorized response. But when I change the client credentials to LDAP credentials, I get an invalid client credentials response.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
// LdapEntryMapper, DaoAuthoritiesPopulator and OAuth2ClientResourceAssembler are the
// project's own classes; they are not shown in the post.

@Configuration
@EnableWebSecurity
// Highest precedence puts this filter chain in front of the OAuth2 authorization
// server chain (@Order(0)) and the resource server chain (order 3).
@Order(Ordered.HIGHEST_PRECEDENCE)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Value("${example.ldap.url}")
    private String ldapUrl;
    @Value("${example.ldap.base}")
    private String ldapBase;
    @Value("${example.ldap.username}")
    private String ldapUsername;
    @Value("${example.ldap.password}")
    private String ldapPassword;
    @Value("${example.ldap.userDnPattern}")
    private String[] userDnPattern;

    /**
     * Exposes the web-security AuthenticationManager for use in the OauthConfiguration.
     * This lets the password grant authenticate the user supplied by the client against LDAP.
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

    @Bean
    public OAuth2ClientResourceAssembler oAuth2ClientResourceAssembler() {
        return new OAuth2ClientResourceAssembler();
    }

    /** Service account connection used for the user search before the bind. */
    @Bean
    BaseLdapPathContextSource contextSource() {
        LdapContextSource ldapContextSource = new LdapContextSource();
        ldapContextSource.setUrl(ldapUrl);
        ldapContextSource.setBase(ldapBase);
        ldapContextSource.setUserDn(ldapUsername);
        ldapContextSource.setPassword(ldapPassword);
        return ldapContextSource;
    }

    /** Declared as a bean so Spring can inject its dependencies. */
    @Bean
    public DaoAuthoritiesPopulator daoAuthoritiesPopulator() {
        return new DaoAuthoritiesPopulator();
    }

    /** LDAP (Active Directory style sAMAccountName lookup) as the user authentication source. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userDetailsContextMapper(new LdapEntryMapper())
            .ldapAuthoritiesPopulator(daoAuthoritiesPopulator())
            .userSearchFilter("(samAccountName={0})")
            .contextSource(contextSource());
    }

    /**
     * Allow only users with the ADMIN role to access the client and user endpoints.
     * Note: no requestMatchers() scope is set, so this chain matches every request,
     * including /oauth/token.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/client/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("ADMIN")
            .and()
            .httpBasic()
            .and()
            .csrf().disable();
    }
}
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
// OAuth2ClientDetailsService is the project's own ClientDetailsService implementation (not shown).

@Configuration
// Assumed to be present in the project: without @EnableAuthorizationServer the adapter is never applied.
@EnableAuthorizationServer
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private OAuth2ClientDetailsService oAuth2ClientDetailsService;

    /** LDAP authentication manager used for the password grant type. */
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    /** Clients (client_id / client_secret) are authenticated with the ClientDetailsService, not LDAP. */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(oAuth2ClientDetailsService);
    }

    /** Supplying an AuthenticationManager enables the password grant type. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
                 .userDetailsService(userDetailsService);
    }
}

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
// Assumed to be present in the project: without @EnableResourceServer the adapter is never applied.
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /** Everything not handled by an earlier chain requires a valid bearer token. */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
Answer 0 (score: 0)
I figured it out. I had to change the WebSecurityConfigurer class to use regex matchers so that it only matches the requests I want LDAP authentication applied to. That way, all other requests fall through to the other configuration classes.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Scope this whole filter chain to the admin endpoints; anything else,
        // including /oauth/token, falls through to the OAuth2 chains.
        http.requestMatchers().regexMatchers("/client.+", "/user.+")
            .and()
            .authorizeRequests()
                .antMatchers("/client/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("ADMIN")
            .and()
            .httpBasic()
            .and()
            .csrf().disable();
    }
The developer's guide explains this: Developer's Guide, in the section titled "Configuring the Endpoint URLs".
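The mechanism behind the answer is FilterChainProxy's selection rule: the filter chains are sorted by @Order and the first chain whose RequestMatcher accepts the request handles it, alone. The following is an added example, not code from the original post or answer, that reproduces that rule with Spring Security's own matcher classes so the effect of the requestMatchers() change can be checked without starting a server. It assumes spring-security-web and spring-test (for MockHttpServletRequest) on the classpath; the chain names, the sample paths and the simplification of the resource server chain to "everything else" are illustrative. The orders used for the OAuth2 chains are the ones spring-security-oauth2 registers: 0 for the authorization server chain (scoped to the token endpoints) and 3 for the resource server chain.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (not from the original post). Reproduces FilterChainProxy's rule:
 * chains are tried in @Order and the first one whose matcher accepts the request wins.
 * Assumes spring-security-web and spring-test on the classpath.
 */
public class FilterChainOrderCheck {

    /** One entry of the chain list, already sorted by @Order. */
    static final class Chain {
        final String name;
        final RequestMatcher scope;
        Chain(String name, RequestMatcher scope) { this.name = name; this.scope = scope; }
    }

    static MockHttpServletRequest request(String path) {
        MockHttpServletRequest req = new MockHttpServletRequest("POST", path);
        req.setServletPath(path); // matchers evaluate servletPath + pathInfo, not requestURI
        return req;
    }

    /** FilterChainProxy semantics: the first matching chain handles the request. */
    static String selectChain(List<Chain> chains, String path) {
        MockHttpServletRequest req = request(path);
        for (Chain c : chains) {
            if (c.scope.matches(req)) {
                return c.name;
            }
        }
        return "(no chain)";
    }

    /** The three chains the question's configuration produces, in precedence order. */
    static List<Chain> chains(RequestMatcher webSecurityScope) {
        return Arrays.asList(
            // @Order(Ordered.HIGHEST_PRECEDENCE): the LDAP + HTTP Basic chain
            new Chain("WebSecurityConfigurer (LDAP basic auth)", webSecurityScope),
            // @EnableAuthorizationServer registers its chain at @Order(0), scoped to the token endpoints
            new Chain("AuthorizationServer (client credentials)",
                new OrRequestMatcher(
                    new AntPathRequestMatcher("/oauth/token"),
                    new AntPathRequestMatcher("/oauth/token_key"),
                    new AntPathRequestMatcher("/oauth/check_token"))),
            // @EnableResourceServer chain at order 3; simplified here to "everything else"
            new Chain("ResourceServer (bearer token)", AnyRequestMatcher.INSTANCE));
    }

    public static void main(String[] args) {
        // Before the fix: no requestMatchers() call, so the highest-precedence chain claims every request.
        RequestMatcher before = AnyRequestMatcher.INSTANCE;
        // After the fix: the chain is scoped to the two regexes from the answer.
        RequestMatcher after = new OrRequestMatcher(
            new RegexRequestMatcher("/client.+", null),
            new RegexRequestMatcher("/user.+", null));

        // Sample paths are constructed for the demonstration.
        for (String path : new String[] {"/oauth/token", "/client/42", "/user/alice", "/clients", "/api/orders"}) {
            System.out.printf("%-12s before: %-42s after: %s%n", path,
                selectChain(chains(before), path), selectChain(chains(after), path));
        }

        // Caveat visible at the matcher level: "/clients" is inside the chain's regex scope
        // but outside the "/client/**" authorization rule, so no hasRole("ADMIN") applies to it.
        RequestMatcher adminRule = new AntPathRequestMatcher("/client/**");
        System.out.println("/clients in chain scope: " + after.matches(request("/clients"))
            + ", covered by /client/** rule: " + adminRule.matches(request("/clients")));
    }
}
```

Running it shows why the question's /oauth/token request was answered with the LDAP chain's Basic-auth challenge: with AnyRequestMatcher in front, nothing ever reaches the authorization server chain, so the client_id/client_secret pair was being checked against LDAP. After the fix, /oauth/token is claimed by the authorization server chain and /api/orders by the resource server chain. The last line is the caveat worth keeping in mind when scoping a chain with a broad regex: a path like /clients matches "/client.+" and is therefore handled by this chain, but matches none of its antMatchers rules, so with the default (non-rejecting) FilterSecurityInterceptor it passes through without any authentication and is never seen by the resource server chain. Ending the rule set with anyRequest().authenticated(), or making the regex scope exactly as wide as the authorization rules, closes that gap.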