自定义Spring安全OAuth2工作正常,现在想添加Spring Social集成(facebook登录,google登录等),当用户点击Facebook登录(用户不提供任何用户名/密码)时,Facebook会返回access_token,但是这个access_token我们不能用来查询我的应用程序web服务,为了得到我的应用程序access_token,我们需要传递用户名和密码,并使用grant_type作为密码 . 以下是我的配置文件
AuthorizationServerConfiguration.java
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
DataSource dataSource;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(
AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.jdbc(dataSource);
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(tokenStore());
tokenServices.setAccessTokenValiditySeconds(86400000);
tokenServices.setRefreshTokenValiditySeconds(86400000);
return tokenServices;
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.tokenServices(tokenServices())
.authenticationManager(authenticationManager);
}
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
}
ResourceServerConfiguration.java
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private String resourceId = "rest_api";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
// @formatter:off
resources.resourceId(resourceId);
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.antMatchers(HttpMethod.GET, "/**/login").permitAll()
.antMatchers(HttpMethod.GET, "/**/callback").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
}
最后 WebSecurityConfigurerAdapter.java
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.antMatchers(HttpMethod.GET, "/**/login").permitAll()
.antMatchers(HttpMethod.GET, "/**/callback").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
}
在SO中读过不同的帖子,但是没有得到任何有用的例子,请指导我 . 提前致谢 . !
2 回答
我有类似的要求从facebook获取访问令牌并通过验证服务器端的facebook令牌生成自己的JWT令牌 .
我修改了这里提到的项目:https://github.com/svlada/springboot-security-jwt
我的自定义如下(我假设您已经有一个facebook访问令牌):
LoginRequest.java
AjaxLoginProcessingFilter.java
AjaxAuthenticationProvider.java
除此之外,我还必须添加自定义BeanPostProcessor来覆盖UsernamePasswordAuthenticationFilter的默认行为,以仅接受令牌作为字段而不是用户名和密码 .
UserPassAuthFilterBeanPostProcessor.java
公共类UserPassAuthFilterBeanPostProcessor实现BeanPostProcessor {
组态: