我正在使用Spring Boot构建休息Web服务 . 使用Spring Security和OAuth2实现身份验证 . 用户通过LDAP服务器进行身份验证 . 这是我的websecurityconfig
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(
SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/ristore/**").authenticated()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(new SimpleUrlAuthenticationFailureHandler());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public RestAuthenticationSuccessHandler mySuccessHandler(){
return new RestAuthenticationSuccessHandler();
}
@Bean
public SimpleUrlAuthenticationFailureHandler myFailureHandler(){
return new SimpleUrlAuthenticationFailureHandler();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
DefaultSpringSecurityContextSource contextSource = getSource();
auth
.ldapAuthentication()
.userDnPatterns("cn={0},ou=institution,ou=people")
.groupSearchBase("ou=groups")
.contextSource(contextSource);
}
}
其他配置在authserverconfig中完成,包括clientdetailservice .
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new InMemoryTokenStore())
.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("ristoreclient")
.scopes("read")
.authorizedGrantTypes("password", "refresh_token", "client_credentials")
.secret("ristoresecret")
.accessTokenValiditySeconds(60);
}
}
它适用于初始登录 . 但是当我尝试在旧的到期时使用刷新令牌获取新的访问令牌时,我收到了错误"UserDetailsService is required" . 在线搜索答案后,我发现此帖有类似问题:spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration . 基本上解决方案是创建自定义 LdapUserDetailsService
. 事情是它是在xml配置而不是java中设置的 . 此外,还不清楚这门课程的注入方式和地点 . 在另一个case中,userdetailservice实例将添加到auth服务器 endpoints 配置中 . 本文不提供此类的实现 .
在我看来,拥有userdetailservice的想法是在发出新的访问令牌之前查看该用户是否仍处于活动状态 . 矛盾的是,获取oauth2的refresh_token的请求仅包含以下不包含用户名/密码的信息 .
client_id=clientid
client_secret=clientsecret
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
OAuth2 for a Spring REST使用Zuul代理作为前端和web api之间的中间层来处理刷新令牌,这使得配置更加复杂 . 我应该如何在Spring Boot中为oauth2实现userdetailsservice,我应该在哪里注入它?