添加具有相同逻辑的新jwt oauth端点

n8ghc7c1  于 2021-09-29  发布在  Java
关注(0)|答案(0)|浏览(158)

SpringSecurity4.2.3我有默认端点/oauth/token,我需要使用相同的请求参数和响应创建新端点。这是我的Web安全配置适配器

@Configuration
@EnableResourceServer
@AllArgsConstructor
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        JWTAuthenticationFilter filter = new JWTAuthenticationFilter(authenticationManager);
        http.sessionManagement().sessionCreationPolicy(STATELESS)
                .and()
                .cors()
                .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .authorizeRequests()
                .antMatchers("/bbbbbb/**").authenticated()
                .antMatchers("/**").permitAll()
                .antMatchers("/aaaaaa/**").permitAll()
                .and()
                .addFilterAfter(filter, BasicAuthenticationFilter.class)
                .logout().logoutSuccessUrl("/").permitAll();
}

授权服务器配置RADAPTER

@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final TokenProperties tokenProperties;

    private final AuthenticationManager authenticationManager;

    private final TokenStore tokenStore;

    private final AccessTokenConverter accessTokenConverter;

    private final UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .accessTokenConverter(accessTokenConverter)
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("rest-client")
                .secret("rest-client")
                .authorizedGrantTypes("password", "refresh_token")
                .authorities("ROLE_CLIENT")
                .scopes("read", "write")
                .accessTokenValiditySeconds(tokenProperties.getTokenLifeTime())
                .refreshTokenValiditySeconds(
                        tokenProperties.getRefreshTokenLifeTime() == 0 ?
                                tokenProperties.getTokenLifeTime() * 3600 :
                                tokenProperties.getRefreshTokenLifeTime()
                );
    }

一些配置

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    @Bean
    @SuppressWarnings("deprecation")
    AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
                                                  PasswordEncoder passwordEncoder,
                                                  SaltSource saltSource) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setSaltSource(saltSource);
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }
}

我使用新端点“user/verify”实现了clientcredentialstokenendpointfilter,以保持安全逻辑。

public class JWTAuthenticationFilter extends ClientCredentialsTokenEndpointFilter {

    private final AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        super("/user/verify");
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        return super.attemptAuthentication(request, response);
    }

    @Override
    protected AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }
}

但我在调试spring的流时发现。/oauth/token在MemoryClientDetailsService#loadclientbyclientid中调用,并在调用userdetailsservice#loaduserbyusername的实现后调用,但是我的custom/user/verify忽略了inmemoryclientdetailsservice并调用userdetailsservice#loaduserbyusername,结果我的密码编码器中出现了一些异常。我应该做什么来保存流?

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题