
Adding a new JWT OAuth endpoint with the same logic

Spring Security 4.2.3. I have the authentication endpoint /oauth/token and I need to create a new endpoint with the same request parameters and response. So, here is my WebSecurityConfigurerAdapter

import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableResourceServer
@AllArgsConstructor
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // the user AuthenticationManager (DaoAuthenticationProvider over UserDetailsService)
    private final AuthenticationManager authenticationManager;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        JWTAuthenticationFilter filter = new JWTAuthenticationFilter(authenticationManager);
        http.sessionManagement().sessionCreationPolicy(STATELESS)
                .and()
                .cors()
                .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .authorizeRequests()
                .antMatchers("/bbbbbb/**").authenticated()
                .antMatchers("/**").permitAll()
                .antMatchers("/aaaaaa/**").permitAll()
                .and()
                // custom filter for /user/verify, placed after HTTP Basic in the chain
                .addFilterAfter(filter, BasicAuthenticationFilter.class)
                .logout().logoutSuccessUrl("/").permitAll();
    }
}

AuthorizationServerConfigurerAdapter

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // application-specific properties holder (token lifetimes), not a Spring class
    private final TokenProperties tokenProperties;

    private final AuthenticationManager authenticationManager;

    private final TokenStore tokenStore;

    private final AccessTokenConverter accessTokenConverter;

    private final UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // lets clients send client_id/client_secret as form parameters to /oauth/token
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .accessTokenConverter(accessTokenConverter)
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("rest-client")
                .secret("rest-client")
                .authorizedGrantTypes("password", "refresh_token")
                .authorities("ROLE_CLIENT")
                .scopes("read", "write")
                .accessTokenValiditySeconds(tokenProperties.getTokenLifeTime())
                .refreshTokenValiditySeconds(
                        tokenProperties.getRefreshTokenLifeTime() == 0 ?
                                tokenProperties.getTokenLifeTime() * 3600 :
                                tokenProperties.getRefreshTokenLifeTime()
                );
    }
}

Some configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    // provider that authenticates end users: loads them via UserDetailsService and
    // checks the password with the (salted) PasswordEncoder
    @Bean
    @SuppressWarnings("deprecation")
    AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder, SaltSource saltSource) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setSaltSource(saltSource);
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }
}

I implemented ClientCredentialsTokenEndpointFilter with a new endpoint "user/verify" to keep the security logic.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;

public class JWTAuthenticationFilter extends ClientCredentialsTokenEndpointFilter {

    private final AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        super("/user/verify");
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        // reads client_id/client_secret from the request and authenticates them
        // with whatever getAuthenticationManager() returns
        return super.attemptAuthentication(request, response);
    }

    @Override
    protected AuthenticationManager getAuthenticationManager() {
        // the user AuthenticationManager injected from the security configuration
        return this.authenticationManager;
    }
}

But while debugging Spring's flow I found that /oauth/token calls InMemoryClientDetailsService#loadClientByClientId and afterwards the implementation of UserDetailsService#loadUserByUsername, whereas my custom /user/verify skips InMemoryClientDetailsService and calls UserDetailsService#loadUserByUsername, and as a result I get some exceptions in my PasswordEncoder. What can I do to keep the same flow?
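The two lookups the question observes on /oauth/token are two separate checks: the client is authenticated first (client_id looked up through ClientDetailsService#loadClientByClientId, client_secret compared with the PasswordEncoder), and only then does the password grant resolve the end user through UserDetailsService#loadUserByUsername. The stock endpoint gets the first check from an AuthenticationManager whose UserDetailsService is a ClientDetailsUserDetailsService wrapping the ClientDetailsService. The following is an added example, not code from the question or from Spring, showing how a second path can be given that same client check; the factory class name, the path and the explanatory comments are assumptions for illustration.

```java
// Added example (not the question's code): build the client-authenticating manager that
// /oauth/token uses, and attach it to a ClientCredentialsTokenEndpointFilter on another path.
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;

public final class ClientAuthenticatingFilterFactory {   // name is an assumption

    private ClientAuthenticatingFilterFactory() {
    }

    // Manager whose "users" are OAuth clients: client_id is resolved via
    // ClientDetailsService#loadClientByClientId and client_secret is checked with the encoder.
    // Handing the filter the end-user manager instead (as in the question) makes the encoder
    // compare client_secret against a user record, which is where the exception comes from.
    public static AuthenticationManager clientAuthenticationManager(ClientDetailsService clientDetailsService,
                                                                    PasswordEncoder passwordEncoder) {
        ClientDetailsUserDetailsService clientUserDetails =
                new ClientDetailsUserDetailsService(clientDetailsService);
        clientUserDetails.setPasswordEncoder(passwordEncoder); // encodes the empty secret for secret-less clients

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(clientUserDetails);
        provider.setPasswordEncoder(passwordEncoder);
        return new ProviderManager(Collections.singletonList(provider));
    }

    // Filter for the extra path: the request only continues down the chain once
    // client_id/client_secret match a registered client; otherwise the entry point answers 401.
    public static ClientCredentialsTokenEndpointFilter forPath(String path,
                                                               ClientDetailsService clientDetailsService,
                                                               PasswordEncoder passwordEncoder) {
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter(path);
        filter.setAuthenticationManager(clientAuthenticationManager(clientDetailsService, passwordEncoder));
        filter.setAllowOnlyPost(true); // like /oauth/token: credentials are not accepted in a GET query string
        // installs the success handler that continues the chain and the 401 failure handler;
        // Spring does not call this for a filter added manually with addFilterAfter()
        filter.afterPropertiesSet();
        return filter;
    }
}
```

In the WebSecurityConfigurerAdapter this would replace the hand-built JWTAuthenticationFilter with `ClientAuthenticatingFilterFactory.forPath("/user/verify", clientDetailsService, passwordEncoder)` (path assumed), with the ClientDetailsService and PasswordEncoder injected alongside the existing AuthenticationManager. The end-user lookup then happens wherever the handler behind the path calls the user AuthenticationManager, after the client has already been verified, which reproduces the order seen on /oauth/token.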
