我对 spring 安全性一般都是新手,我一直在尝试 spring 安全oAuth2 . 如果我在配置中启用了httpBasic并使用基本身份验证标头,我可以使用以下方法隐式从授权 endpoints 获取令牌:
我正在尝试使用表单身份验证而不是基本身份验证 . 但是当我将凭证作为表单数据发送时,我总是被重定向到登录表单 .
这是我的配置:
WebSecurityConfigurerAdapter:
@EnableWebSecurity
public class PortalWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Autowired
PasswordEncoder fastPasswordEncoder;
@Autowired
AuthenticationEntryPoint authenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(fastPasswordEncoder);
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
AuthenticationEntryPoint authenticationEntryPoint() {
return new OAuth2AuthenticationEntryPoint();
}
@Override
protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception {
http
//When this is enabled, basic authentication works
//.httpBasic().authenticationEntryPoint(authenticationEntryPoint).and()
.formLogin().permitAll().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable().authorizeRequests()
.antMatchers("/oauth/saveCode").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/oauth/token").fullyAuthenticated().antMatchers("/secure/**").authenticated()
.and().exceptionHandling()
.accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
和oAuth2配置:
@Configuration
public class OAuth2ServerConfig {
private static final String RESOURCE_ID = "resource";
private static final int TOKEN_LIVE_SECONDS = 120;
private static final String PORTAL_CLIENT_NAME = "portal";
private static final String PORTAL_CLIENT_SECRET = "portalSecret";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Autowired
@Qualifier("tokenServices")
private ResourceServerTokenServices tokenServices;
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/oauth/saveCode").permitAll()
.antMatchers("/login").permitAll()
.anyRequest().authenticated().antMatchers("/secure/**").fullyAuthenticated().and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("tokenServices")
private AuthorizationServerTokenServices tokenServices;
@Autowired
private TokenStore tokenStore;
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient(PORTAL_CLIENT_NAME).secret(PORTAL_CLIENT_SECRET).scopes("read", "write", "trust")
.authorizedGrantTypes("implicit", "authorization_code", "refresh-token").authorities('Admin_Role')
.resourceIds(RESOURCE_ID).accessTokenValiditySeconds(TOKEN_LIVE_SECONDS).autoApprove(true);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
}
}
}
我只需要能够获取令牌而不通过登录表单本身(就像调用服务时一样) . 我正在努力实现的目标是什么?提前致谢 .