現在、私はSpring SecurityでOAuth 2.0を有効にしており、すべてが適切に動作しています。ヘッダーではなくリクエスト本体でOAuth 2.0の認証情報を送信することはできますか?

http://localhost:8080/SpringSecurityOAuth2Example/oauth/token?grant_type=password&[email protected]&password=abc

上記のように、私は [email protected] と password=abc をURL上で送信しています。

リクエストボディの代わりにリクエストヘッダでOAuth 2.0の設定、すなわちクライアントの資格情報を送信することはできますか?

リクエストボディでトークンを受け付けるようにSpring OAuthを構成できる設定はありますか? 以下は私のOAuth 2.0の設定で、AuthorizationServerConfigurerAdapterのconfigureメソッドをオーバーライドしています。

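@Configuration 
@EnableAuthorizationServer 
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { 

    /** Realm name reported to clients; "/client" is appended when it is applied below. */
    private static final String REALM = "MY_OAUTH_REALM"; 

    /* 
     * The token store is the store where all issued tokens are kept. It can be 
     * in-memory, JDBC, etc.; the concrete bean is defined elsewhere in the project. 
     */ 
    @Autowired 
    private TokenStore tokenStore; 

    @Autowired 
    private UserApprovalHandler userApprovalHandler; 

    @Autowired 
    @Qualifier("authenticationManagerBean") 
    private AuthenticationManager authenticationManager; 

    /** 
     * SpringData JPA dataSource injected; also backs the JDBC client registry below. 
     */ 
    @Autowired 
    private DataSource dataSource; 

    /** 
     * Autowiring the {@link CustomUserDetailsService} for configuring the 
     * {@link UserDetailsService} which provides the required user details to 
     * the security context. 
     * 
     * This extra implementation of the userDetailsService is necessary because 
     * after OAuth 2.0 version - 2.0.10.RELEASE the UserDetails service is not 
     * automatically extracted from the context. 
     * 
     * Here is a link to the documentation in the gitHub community. <a href= 
     * "https://github.com/royclarkson/spring-rest-service-oauth/issues/19"> 
     * Documentation</a> 
     */ 
    @Autowired 
    private UserDetailsService userDetailsService; 

    /** 
     * Registers the client registry: client ids, secrets, grant types, scopes 
     * and token validity are read from the database via {@code dataSource}. 
     * 
     * @param clients the client configurer supplied by Spring Security OAuth 
     * @throws Exception propagated from the configurer 
     */ 
    @Override 
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
        // Clients are managed in the database rather than hard-coded here, so 
        // no client secret lives in source control. 
        clients.jdbc(dataSource); 
    } 

    /** 
     * Wires the token endpoint: where tokens are stored, how approvals are 
     * handled, and which authentication manager / user details service 
     * authenticate resource owners for the password grant. 
     * 
     * @param endpoints the endpoint configurer supplied by Spring Security OAuth 
     * @throws Exception propagated from the configurer 
     */ 
    @Override 
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
        endpoints.tokenStore(tokenStore) 
                .userApprovalHandler(userApprovalHandler) 
                .authenticationManager(authenticationManager) 
                .userDetailsService(userDetailsService); 
    } 

    /** 
     * Security of the token endpoint itself. Only the realm is set here, so 
     * clients keep the default of authenticating with an HTTP Basic 
     * Authorization header; form-based client authentication 
     * ({@code allowFormAuthenticationForClients()}) is not enabled. 
     * 
     * @param oauthServer the security configurer supplied by Spring Security OAuth 
     * @throws Exception propagated from the configurer 
     */ 
    @Override 
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { 
        oauthServer.realm(REALM + "/client"); 
    } 
} 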

WebSecurityConfigurerAdapterの設定:

@Configuration 
@EnableWebSecurity 
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private ClientDetailsService clientDetailsService; 

    @Autowired 
    private DataSource dataSource; 

    @Autowired 
    private AuthenticationProvider authenticationProvider; 

    /** 
     * Registers the project's custom {@link AuthenticationProvider} as the 
     * provider used by the authentication manager. 
     * 
     * @param authManagerBuilder builder supplied by Spring Security 
     * @throws Exception propagated from the builder 
     */ 
    @Override 
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception { 
        authManagerBuilder.authenticationProvider(authenticationProvider); 
    } 

    /** 
     * Web-layer rules for the token endpoint: CSRF protection and anonymous 
     * authentication are switched off, and /oauth/token is open at this layer. 
     * NOTE(review): client authentication on /oauth/token is presumably applied 
     * by the authorization-server filter chain rather than here — confirm. 
     * 
     * @param http the HTTP security builder 
     * @throws Exception propagated from the builder 
     */ 
    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
        http.csrf().disable(); 
        http.anonymous().disable(); 
        http.authorizeRequests().antMatchers("/oauth/token").permitAll(); 
    } 

    /** 
     * Requests under /students/** skip the security filter chain entirely: 
     * no authentication and no token check happen for them. 
     * 
     * @param web the web security builder 
     * @throws Exception propagated from the builder 
     */ 
    @Override 
    public void configure(WebSecurity web) throws Exception { 
        web.ignoring().antMatchers("/students/**"); 
    } 

    /** 
     * Exposes the authentication manager as a bean so the authorization 
     * server can inject it by the qualifier "authenticationManagerBean". 
     */ 
    @Override 
    @Bean 
    public AuthenticationManager authenticationManagerBean() throws Exception { 
        return super.authenticationManagerBean(); 
    } 

    /** Tokens are persisted in the database behind {@code dataSource}. */ 
    @Bean 
    public TokenStore tokenStore() { 
        return new JdbcTokenStore(dataSource); 
    } 

    /** 
     * Approval handler that records approvals in the token store and resolves 
     * client details through the injected {@link ClientDetailsService}. 
     * 
     * @param tokenStore the token store bean 
     * @return the configured handler 
     */ 
    @Bean 
    @Autowired 
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) { 
        DefaultOAuth2RequestFactory requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService); 
        TokenStoreUserApprovalHandler approvalHandler = new TokenStoreUserApprovalHandler(); 
        approvalHandler.setTokenStore(tokenStore); 
        approvalHandler.setRequestFactory(requestFactory); 
        approvalHandler.setClientDetailsService(clientDetailsService); 
        return approvalHandler; 
    } 

    /** 
     * Approval store backed by the token store bean, so approvals live in the 
     * same database as the tokens. 
     * 
     * @param tokenStore the token store bean 
     * @return the approval store wrapping {@code tokenStore} 
     * @throws Exception never thrown here; kept for the bean signature 
     */ 
    @Bean 
    @Autowired 
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception { 
        TokenApprovalStore approvalStore = new TokenApprovalStore(); 
        approvalStore.setTokenStore(tokenStore); 
        return approvalStore; 
    } 
} 

リソースサーバの構成:

@Configuration 
@EnableResourceServer 
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { 

    /** Resource id that issued tokens must be scoped to for this server. */ 
    private static final String RESOURCE_ID = "my_rest_api"; 

    /** 
     * Binds this resource server to {@link #RESOURCE_ID}. {@code stateless(false)} 
     * means an existing session may also authenticate requests, not only a 
     * bearer token. 
     * 
     * @param resources the resource server configurer 
     */ 
    @Override 
    public void configure(ResourceServerSecurityConfigurer resources) { 
        resources.resourceId(RESOURCE_ID); 
        resources.stateless(false); 
    } 

    /** 
     * Protects /user/**: anonymous access is disabled, the ADMIN role is 
     * required, and access-denied responses are rendered as OAuth2 errors. 
     * 
     * @param http the HTTP security builder 
     * @throws Exception propagated from the builder 
     */ 
    @Override 
    public void configure(HttpSecurity http) throws Exception { 
        http.anonymous().disable(); 
        http.requestMatchers().antMatchers("/user/**"); 
        http.authorizeRequests().antMatchers("/user/**").access("hasRole('ADMIN')"); 
        http.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); 
    } 

} 


これはSpring Securityのための私の設定です:

@Override 
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { 
    // Only the realm is set; client authentication on the token endpoint keeps 
    // its default (HTTP Basic header), since form authentication is not enabled. 
    String realmName = REALM + "/client"; 
    oauthServer.realm(realmName); 
} 

これを使用してみてください:

@Override 
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { 
        // allowFormAuthenticationForClients() lets a client send client_id / 
        // client_secret as form parameters of the token request instead of an 
        // HTTP Basic Authorization header. Send them in a POST body over TLS; 
        // credentials in the query string end up in server and proxy logs. 
        String realmName = REALM + "/client"; 
        oauthServer.allowFormAuthenticationForClients(); 
        oauthServer.realm(realmName); 
    } 

さて、試してみて、リクエストボディにユーザー名とパスワードを追加しましたが、 –


しかし、`{ "username": "[email protected]", "password": "abc" }` を送るとエラーになります。おそらく、OAuthはヘッダーにユーザー名とパスワードがあることを期待しているからです。クレデンシャルがヘッダーではなくリクエストボディに来るように、Spring SecurityとOAuthに指示する方法はありますか? –


まず、ヘッダーではなくクエリ(URL)で送信しているようです。また、'allowFormAuthentication..' を追加していませんでしたね。 – freakman
