Spring Security和OAuth2身份验证问题

Question

我的问题是，如果我在applicationContext-security.xml中使用org.springframework.security.authentication.ProviderManager作为我的autheticationManager，那么我将无法通过oauth2进行身份验证。如果我切换回authentication-manager id =“ authenticationManager”版本，则可以正常工作。

我必须将REST服务和oauth2安全设置保存在单独的文件中。 （有时我们根本不需要REST服务。）

spring-security 4.2.9.RELEASE 春季安全oauth2 2.3.4

web.xml代码段：

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml  
        /WEB-INF/rest-dispatcher-servlet.xml
        /WEB-INF/rest-dispatcher-servlet-security.xml
        /WEB-INF/applicationContext-security.xml                                                             
    </param-value>
</context-param>

rest-dispatcher-servlet-security

    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:secdp="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/security/oauth2
       http://www.springframework.org/schema/security/spring-security-oauth2.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context-4.3.xsd">



    <!-- Definition of the Authentication Service -->

<secdp:http use-expressions="false" pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"  xmlns="http://www.springframework.org/schema/security">    
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <secdp:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!--     include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
    <secdp:csrf disabled="true"/>
</secdp:http>

<!-- Protected resources -->
<secdp:http use-expressions="false" pattern="/ws/api/**"
      create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/ws/api/**"
                   access="ROLE_USER"/>
    <custom-filter ref="resourceServerFilter"
                   before="PRE_AUTH_FILTER"/>
    <access-denied-handler
            ref="oauthAccessDeniedHandler"/>
    <secdp:csrf disabled="true"/>
</secdp:http>


<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest"/>
</bean>

<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest/client"/>
    <property name="typeName" value="Basic"/>
</bean>

<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager"/>

</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
      xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
            <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
</bean>

<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService"/>            
</authentication-manager>

<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails"/>
</bean>


<!-- Token Store  -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore"/>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore"/>
    <property name="supportRefreshToken" value="true"/>
    <property name="clientDetailsService" ref="clientDetails"/>
</bean>

<bean id="userApprovalHandler"
      class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <property name="tokenStore" ref="tokenStore"/>    
    <property name="requestFactory" ref="oAuth2RequestFactory"/>    

</bean>

<!-- Token management -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                            user-approval-handler-ref="userApprovalHandler" >

    <oauth:authorization-code/>
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials/>
    <oauth:password/>


</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter"
                       resource-id="dstest"                      
                       token-services-ref="tokenServices"/>

<!-- Client Definition -->
<oauth:client-details-service id="clientDetails">
    <oauth:client client-id="xxxxxxxxx"     
                  authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                  authorities="ROLE_USER, ROLE_TRUSTED_USER"
                  redirect-uri="/"                  
                  scope="read,write,trust"                  
                  access-token-validity="2678400"
                  refresh-token-validity="15552000"  />

</oauth:client-details-service>

<bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory" id="oAuth2RequestFactory">   
    <constructor-arg ref="clientDetails" />     
</bean>



</beans>

applicationContext-security.xml代码段

<!-- works -->
<authentication-manager id="authenticationManager"  xmlns="http://www.springframework.org/schema/security">
    <authentication-provider  user-service-ref="CustomUserDetailsService">
        <password-encoder ref="passwordEncoder"/>            
    </authentication-provider>
</authentication-manager>

<!-- does not work -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
        <list>                
            <ref bean="daoAuthenticationProvider"/>
        </list>
    </constructor-arg>
</bean>    

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
        <ref bean="CustomUserDetailsService"/>
    </property>
    <property name="passwordEncoder">
        <ref bean="passwordEncoder"/>
    </property>
    <property name="hideUserNotFoundExceptions">
        <value>false</value>
    </property>
</bean>