logo标签列表

Spring Security中的oAuth2客户端密码授权

javaspringspring-securityoauth-2.0
9

我正在使用一组oAuth2受保护的服务。目前的工作方式是:客户端使用他们的用户名和密码登录。我用这些信息交换一个令牌。我将令牌保存在会话中,并每次调用服务时提交它。虽然可以工作,但问题是我完全手动进行,没有充分利用Spring Security oAuth2支持的功能。

下面是具体操作过程:

<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="oAuth2AuthenticationProvider"/>
</authentication-manager>


<beans:bean id="oAuth2AuthenticationProvider" class="my.custom.Oauth2AuthenticationProvider">
    <beans:constructor-arg name="accessTokenUri" value="http://x.x.x.x/oauth/token"/>
    <beans:constructor-arg name="clientId" value="myClientId"/>
    <beans:constructor-arg name="clientSecret" value="myClientSecret"/>
    <beans:constructor-arg name="scope">
        <beans:list>
            <beans:value>myScope</beans:value>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="resourceOwnerPasswordAccessTokenProvider" class="org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider"/>

正如您所见,我自己制作了认证提供程序。它接受标准的UsernamePasswordAuthenticationToken,但会生成我的扩展版本,该版本保留实际的OAuth2AccessToken,从而将其保留在安全上下文中。

public class Oauth2AuthenticationProvider implements AuthenticationProvider {

@Autowired
private ResourceOwnerPasswordAccessTokenProvider provider;

private String accessTokenUri;
private String clientId;
private String clientSecret;
private List<String> scope;

public Oauth2AuthenticationProvider(String accessTokenUri, String clientId, String clientSecret, List<String> scope) {
    this.accessTokenUri = accessTokenUri;
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.scope = scope;
}

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getName();
    String password = authentication.getCredentials().toString();
    OAuth2AccessToken token = obtainToken(username, password);
    return handleLogonSuccess(authentication, token);
}

private OAuth2AccessToken obtainToken(String username, String password) {
    ResourceOwnerPasswordResourceDetails passwordResourceDetails = new ResourceOwnerPasswordResourceDetails();
    passwordResourceDetails.setUsername(username);
    passwordResourceDetails.setPassword(password);
    passwordResourceDetails.setClientId(clientId);
    passwordResourceDetails.setClientSecret(clientSecret);
    passwordResourceDetails.setScope(scope);
    passwordResourceDetails.setAccessTokenUri(accessTokenUri);
    DefaultAccessTokenRequest defaultAccessTokenRequest = new DefaultAccessTokenRequest();
    OAuth2AccessToken token;
    try {
        token = provider.obtainAccessToken(passwordResourceDetails, defaultAccessTokenRequest);
    } catch (OAuth2AccessDeniedException accessDeniedException) {
        throw new BadCredentialsException("Invalid credentials", accessDeniedException);
    }

    return token;
}

public OAuth2AccessToken refreshToken(OAuth2AuthenticationToken authentication) {
    OAuth2AccessToken token = authentication.getoAuth2AccessToken();
    OAuth2RefreshToken refreshToken = token.getRefreshToken();
    BaseOAuth2ProtectedResourceDetails resourceDetails = new BaseOAuth2ProtectedResourceDetails();
    resourceDetails.setClientId(clientId);
    resourceDetails.setClientSecret(clientSecret);
    resourceDetails.setScope(scope);
    resourceDetails.setAccessTokenUri(accessTokenUri);
    OAuth2AccessToken newToken = provider.refreshAccessToken(resourceDetails, refreshToken, new DefaultAccessTokenRequest());
    authentication.setoAuth2AccessToken(newToken);
    return newToken;
}

public boolean supports(Class<?> authentication) {
    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}

private Authentication handleLogonSuccess(Authentication authentication, OAuth2AccessToken token) {

    MyCustomOAuth2AuthenticationToken successAuthenticationToken = new MyCustomOAuth2AuthenticationToken(user, authentication.getCredentials(), calculateAuthorities(authentication), token);

    return successAuthenticationToken;
}

public list<GrantedAuthority> calculateAuthorities(Authentication authentication) {
        //my custom logic that assigns the correct role. e.g. ROLE_USER
}

如您所见,它基本上确保令牌在安全范围内,我可以在每次调用后端服务之前手动提取它。同样,在每次调用之前,我会检查令牌的新鲜度。

这种方法很有效,但我相信我可以使用Spring的oauth命名空间在XML中(我没有使用Java配置)以更少的代码方式实现相同的效果。我找到的大多数示例都包括我不关心的oAuth服务器实现,使我感到困惑。

请问是否有人可以帮助我?

1个回答
6

通过浏览Spring Security OAuth源代码和其他在线解决方案的零碎信息,我整理出了一个类似的解决方案。我使用Java Config,但也许可以帮助您映射到XML配置,以下是示例:

@Configuration
@EnableOAuth2Client
public class RestClientConfig {

    @Value("${http.client.maxPoolSize}")
    private Integer maxPoolSize;

    @Value("${oauth2.resourceId}")
    private String resourceId;

    @Value("${oauth2.clientId}")
    private String clientId;

    @Value("${oauth2.clientSecret}")
    private String clientSecret;

    @Value("${oauth2.accessTokenUri}")
    private String accessTokenUri;


    @Autowired
    private OAuth2ClientContext oauth2ClientContext;


    @Bean
    public ClientHttpRequestFactory httpRequestFactory() {
        return new HttpComponentsClientHttpRequestFactory(httpClient());
    }

    @Bean
    public HttpClient httpClient() {
        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
        connectionManager.setMaxTotal(maxPoolSize);
        // This client is for internal connections so only one route is expected
        connectionManager.setDefaultMaxPerRoute(maxPoolSize);
        return HttpClientBuilder.create().setConnectionManager(connectionManager).build();
    } 

    @Bean
    public OAuth2ProtectedResourceDetails oauth2ProtectedResourceDetails() {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setId(resourceId);
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        details.setAccessTokenUri(accessTokenUri);
        return details;
    }

    @Bean
    public AccessTokenProvider accessTokenProvider() {
        ResourceOwnerPasswordAccessTokenProvider tokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
        tokenProvider.setRequestFactory(httpRequestFactory());
        return new AccessTokenProviderChain(
                  Arrays.<AccessTokenProvider> asList(tokenProvider)
                );
    }

    @Bean
    public OAuth2RestTemplate restTemplate() {
        OAuth2RestTemplate template = new OAuth2RestTemplate(oauth2ProtectedResourceDetails(), oauth2ClientContext);
        template.setRequestFactory(httpRequestFactory());
        template.setAccessTokenProvider(accessTokenProvider());
        return template;
    }   
}

我发现一个重要的问题是,即使只使用单个提供程序,也需要使用AccessTokenProviderChain,否则自动令牌刷新(身份验证后)将无法正常工作。

要在第一次请求中设置用户凭据,您需要这样做:

@Autowired
private OAuth2RestTemplate restTemplate;

restTemplate.getOAuth2ClientContext().getAccessTokenRequest().set("username", username);
restTemplate.getOAuth2ClientContext().getAccessTokenRequest().set("password", password);

接下来,您可以使用RestTemplate方法正常发出请求,例如:

    String url = "http://localhost:{port}/api/users/search/findByUsername?username={username}";

    ResponseEntity<User> responseEntity = restTemplate.getForEntity(
            url, User.class, 8081, username);

如果您想在网络上跟踪请求,您可以将Apache Http Client的日志级别设置为DEBUG,例如使用Spring Boot:

logging.level.org.apache.http=DEBUG

如果用户名和密码在POST请求体中,且格式为x-www-form-urlencoded,该怎么办? - cosbor11
2
@cosbor11 我也曾经问过同样的问题,后来发现我们可以在 ResourceOwnerPasswordResourceDetails 实例的 details 上使用 details.setClientAuthenticationScheme(AuthenticationScheme.form);,这样认证数据就会通过 HTTP 正文发送,而不是使用头部。 - Bernhard
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接