请问有关spring-security-oauth2 2.0.7的配置问题 . 我通过GlobalAuthenticationConfigurerAdapter使用LDAP进行身份验证:
@SpringBootApplication
@Controller
@SessionAttributes("authorizationRequest")
public class AuthorizationServer extends WebMvcConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(AuthorizationServer.class, args);
}
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/oauth/confirm_access").setViewName("authorize");
}
@Configuration
public static class JwtConfiguration {
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
KeyPair keyPair = new KeyStoreKeyFactory(
new ClassPathResource("keystore.jks"), "foobar".toCharArray())
.getKeyPair("test");
converter.setKeyPair(keyPair);
return converter;
}
@Bean
public JwtTokenStore jwtTokenStore(){
return new JwtTokenStore(jwtAccessTokenConverter());
}
}
@Configuration
@EnableAuthorizationServer
public static class OAuth2Config extends AuthorizationServerConfigurerAdapter implements EnvironmentAware {
private static final String ENV_OAUTH = "authentication.oauth.";
private static final String PROP_CLIENTID = "clientid";
private static final String PROP_SECRET = "secret";
private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";
private RelaxedPropertyResolver propertyResolver;
@Inject
private AuthenticationManager authenticationManager;
@Inject
private JwtAccessTokenConverter jwtAccessTokenConverter;
@Inject
private JwtTokenStore jwtTokenStore;
@Inject
private UserDetailsService userDetailsService;
@Override
public void setEnvironment(Environment environment) {
this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(jwtTokenStore);
tokenServices.setAuthenticationManager(authenticationManager);
return tokenServices;
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).tokenStore(jwtTokenStore).accessTokenConverter(
jwtAccessTokenConverter).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
"isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient(propertyResolver.getProperty(PROP_CLIENTID))
.scopes("read", "write")
.authorities(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
.authorizedGrantTypes("authorization_code", "refresh_token", "password")
.secret(propertyResolver.getProperty(PROP_SECRET))
.accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800));
}
}
@Configuration
@Order(-10)
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login").permitAll()
.and()
.requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
.and()
.authorizeRequests().anyRequest().authenticated();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
}
@Configuration
protected static class AuthenticationConfiguration extends
GlobalAuthenticationConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource().ldif("classpath:test-server.ldif");
}
}
}
虽然刷新令牌与spring-security-oauth2的2.0.6版一起工作正常,但它不再适用于版本2.0.7 . 在读取here时,应该在尝试在刷新期间获取新的访问令牌时设置 AuthenticationManager .
据我了解,这与spring-security-oauth2的变化有关 .
遗憾的是,我无法正确设置它 .
org.springframework.security.oauth2.provider.token.DefaultTokenServices#setAuthenticationManager
被调用并注入 AuthenticationManager . 我不确定我是怎么理解 LdapUserDetailsService 会被注入的 . 我唯一看到的是在尝试在令牌刷新调用期间重新验证用户时将调用 PreAuthenticatedAuthenticationProvider .
有人可以告诉我如何做到这一点吗?
ps:我得到的例外情况如下:
p.PreAuthenticatedAuthenticationProvider : PreAuthenticated authentication request: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@5775: Principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d5545: Principal: bob; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
o.s.s.o.provider.endpoint.TokenEndpoint : Handling error: IllegalStateException, UserDetailsService is required.
3 回答
当我使用自定义
AuthenticationProvider而不是UserDetailsService实现来解决登录身份验证的JWT令牌实现OAuth2服务器时,我遇到了类似的问题 .但是最近我发现如果你想让
refresh_token正常工作,那么Spring引发的错误是正确的 . 对于AuthenticationProvider实现,无法使用refresh_token刷新令牌,因为在这种实现中,如果密码正确,则必须解析,但刷新令牌没有该信息 . 但是,UserDetailsService与密码无关 ._1396998的版本2.0.6有效,因为从不检查用户授权,只检查刷新令牌是否有效(使用私钥签名),但是,如果用户在首次登录后从系统中删除,则使用刷新令牌被删除的用户将无限时间访问您的系统,这是一个很大的安全问题 .
看看我报告的问题:https://github.com/spring-projects/spring-security-oauth/issues/813
您需要的OAuth部分是使用与身份验证器相同的查询创建
LdapUserDetailsService并将其注入AuthorizationServerEndpointsConfigurer. 我没有't think there'支持以@Configuration样式创建UserDetailService(可能值得在JIRA中为此打开票证),但看起来你可以用XML来做 .根据Dave Syer的建议,我创建了一个自定义
LdapUserDetailsService. 可以在以下tag下找到工作解决方案 .应用程序上下文
属性