Question

我使用AuthorizationServerConfigurerAdapter部署了一个授权服务器，并且从UserDetailsService和ClientDetailsService服务的实现中配置了用户和客户端，这些服务收集了数据库中所需的信息。

@Configuration
@EnableAuthorizationServer
public class OAuth2JwtAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Autowired
        private  UserDetailsService userDetailsService;

        @Autowired
        private AppClientDetailsService clientDetailsService;

        @Override
        public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {          
            clients.withClientDetails(clientDetailsService);
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setTokenStore(tokenStore());
            defaultTokenServices.setSupportRefreshToken(true);
            return defaultTokenServices;
        }

        @Override
        public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
            tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));

            endpoints.tokenStore(tokenStore())
            .tokenEnhancer(tokenEnhancerChain)
            .reuseRefreshTokens(false)
            .userDetailsService(userDetailsService)
            .authenticationManager(authenticationManager);
        }

        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(accessTokenConverter());
        }

        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            converter.setSigningKey("123");

            return converter;
        }

        @Bean
        public TokenEnhancer tokenEnhancer() {
            return new CustomTokenEnhancer();
        }

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
}

授权服务器正常运行，但是我希望动态加载accessTokenConverter ()方法中设置的签名密钥，当收到新令牌的请求时，我将访问数据库并修改签名此时输入密钥，并返回带有此新修改签名的JWT令牌，当前仅在启动应用程序时对其进行配置。

Answer 1

您可以定义一个@Autowired JwtAccessTokenConverter属性并在任何时候修改其密钥

@Autowired
public JwtAccessTokenConverter tokenConverter;

public void setSigningKey(String key) {
    tokenConverter.setSigningKey(key);
}

从动态库加载JWT签名密钥

1 个答案: