Spring Cloud OAuth2: enabling a revoke-token endpoint

Time: 2019-08-22 11:43:31

Tags: spring-security access-token spring-security-oauth2

I need a revoke-token endpoint. It does not seem to exist in the Spring framework, so I added a custom one. I added two methods (GET and DELETE) that have the same functionality (they can be used together):

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;

@FrameworkEndpoint
@RequestMapping(
    value = {"oauth"},
    produces = MediaType.APPLICATION_JSON_VALUE
)
@Validated
public class RevokeTokenEndpoint {

  @Autowired
  private DefaultTokenServices tokenServices;

  // GET variant: reads the Bearer token straight from the Authorization header
  // and revokes it, without relying on the security filter chain.
  @ResponseStatus(HttpStatus.NO_CONTENT)
  @GetMapping(value = "revoke")
  public void revokeToken(HttpServletRequest request) {
    String authorization = request.getHeader("Authorization");
    if (authorization != null && authorization.contains("Bearer")) {
      String tokenId = authorization.substring("Bearer".length() + 1);
      tokenServices.revokeToken(tokenId);
    }
  }

  // DELETE variant: revokes the token the caller authenticated with, taken from
  // the OAuth2AuthenticationDetails that the resource-server filter attaches.
  @ResponseStatus(HttpStatus.ACCEPTED)
  @DeleteMapping(value = "revoke")
  public void revokeToken(Authentication authentication) {
    tokenServices.revokeToken(((OAuth2AuthenticationDetails) authentication
        .getDetails()).getTokenValue());
  }
}

If I try with the GET method, the token is revoked successfully:

curl -X GET -H "Authorization: Bearer e7683428-d06b-429a-9e76-91df9521c897" "http://localhost:8082/oauth/revoke"

2019-08-22 14:26:37.814 DEBUG o.s.w.s.DispatcherServlet - Completed 204 NO_CONTENT

In the case of the DELETE method, it is not:

2019-08-22 14:28:53.551 DEBUG o.s.b.a.a.l.AuditListener - AuditEvent [timestamp=2019-08-22T11:28:53.550Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A8B4925366067778DC83CDE4066F1A62, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]

Question

Are there any suggestions on how to make the DELETE method of the oauth/revoke endpoint work (solve the AUTHORIZATION_FAILURE problem)?

More details

Note that I also tried the same functionality for the GET method as for DELETE.

My security restrictions are:

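The audit event above says principal=anonymousUser and carries WebAuthenticationDetails rather than OAuth2AuthenticationDetails, which means the Bearer token on the DELETE request was never processed by a resource-server filter: the request reached the authorization check still anonymous, and even if it had reached the controller, the cast to OAuth2AuthenticationDetails would have failed. The following is an added example (not code from the question or from Spring) of the two pieces a defender would put in place: a resource-server filter chain that covers only /oauth/revoke and requires a valid Bearer token on DELETE, and a strict Authorization-header parser that does not throw on a bare "Bearer" value. The package name, class names and constructor wiring are assumptions; the Spring Security OAuth2 2.x APIs used (ResourceServerConfigurerAdapter, ResourceServerSecurityConfigurer, DefaultTokenServices) are real.

```java
// Added example: resource-server chain for the revoke endpoint plus a strict
// Bearer-header parser. Package and class names are assumptions.
package com.example.revoke;

import java.util.Optional;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;

@Configuration
@EnableResourceServer
public class RevokeEndpointSecurityConfig extends ResourceServerConfigurerAdapter {

  private final DefaultTokenServices tokenServices;

  // Assumes the application exposes its DefaultTokenServices as a bean.
  public RevokeEndpointSecurityConfig(DefaultTokenServices tokenServices) {
    this.tokenServices = tokenServices;
  }

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) {
    // Validate incoming Bearer tokens against the same token services the
    // endpoint revokes through, so the token the filter accepts is the one
    // that getTokenValue() later hands to revokeToken().
    resources.tokenServices(tokenServices);
  }

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http
        // This chain applies only to the revoke endpoint; every other path
        // keeps whatever chain the application already defines.
        .requestMatchers().antMatchers("/oauth/revoke").and()
        // The Bearer token is the only credential: no HTTP session is created
        // and no CSRF token is expected on the DELETE request.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .csrf().disable()
        .authorizeRequests()
        // DELETE /oauth/revoke must carry a valid Bearer token. The filter
        // installed by @EnableResourceServer turns it into an OAuth2Authentication
        // whose details expose getTokenValue(), which the DELETE handler needs.
        .antMatchers(HttpMethod.DELETE, "/oauth/revoke").authenticated()
        // Any other method on this path also needs a valid token.
        .anyRequest().authenticated();
  }
}

/** Strict parsing of "Authorization: Bearer <token>" (RFC 6750 section 2.1). */
final class BearerTokenHeader {

  private BearerTokenHeader() {
  }

  /**
   * Returns the token from the Authorization header, or empty when the header is
   * missing, uses another scheme, or carries no token. Unlike
   * contains("Bearer") followed by substring(), this never throws on a header
   * that is exactly "Bearer", and it does not accept headers of another scheme
   * merely because the word "Bearer" appears somewhere inside the value.
   */
  static Optional<String> extract(String authorization) {
    if (authorization == null) {
      return Optional.empty();
    }
    String value = authorization.trim();
    int space = value.indexOf(' ');
    if (space < 0 || !value.substring(0, space).equalsIgnoreCase("Bearer")) {
      return Optional.empty();
    }
    String token = value.substring(space + 1).trim();
    return token.isEmpty() ? Optional.empty() : Optional.of(token);
  }
}
```

With this chain in place, the DELETE variant of the controller revokes exactly the token the caller authenticated with, which is the safer shape for a revocation endpoint: the caller cannot name an arbitrary token value, and a state-changing action is not bound to a GET that caches and link prefetchers may trigger. If the GET variant is kept, BearerTokenHeader.extract() replaces the contains()/substring() parsing so that a malformed header yields an empty Optional instead of a 500.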

0 answers:

No answers