2016-05-16 7 views
1

私は、複数の提案に対してSpring Security + Oauth2を使用しています。 cenarioは次のとおりです。公開コンテキスト、プライベートコンテキスト、およびRESTコンテキストがあります(最後の2つは認証されています)。スプリングセキュリティ4 + OAuth2 =悪いクレデンシャル

プライベートコンテキスト(/ private/)の場合、認証されていないユーザーは/ loginにリダイレクトされ、認証前に/ private/indexにリダイレクトされます。 RESTコンテキスト(/ rest/)の場合、ユーザーはトークンを持っていて、その領域にアクセスできます。

これはPOCであり、コードは非常に基本的なものであることを思い出してください。

春-のsecurity.xml

<beans:beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:sec="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd 
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security.xsd 
        http://www.springframework.org/schema/security/oauth2 
        http://www.springframework.org/schema/security/spring-security-oauth2.xsd"> 

<sec:http pattern="/oauth/token" create-session="stateless" 
    authentication-manager-ref="clientAuthenticationManager" 
    use-expressions="true" xmlns="http://www.springframework.org/schema/security"> 
    <sec:intercept-url pattern="/oauth/token" access="isAuthenticated()" /> 
    <sec:anonymous enabled="false" /> 
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- include this only if you need to authenticate clients via request 
     parameters --> 
    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" 
     after="BASIC_AUTH_FILTER" /> 
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" /> 
</sec:http> 

<!-- Spring Security Context --> 
<sec:http auto-config="true" use-expressions="true" 
    xmlns="http://www.springframework.org/schema/security"> 
    <sec:intercept-url pattern="/" access="permitAll" /> 
    <sec:intercept-url pattern="/private/**" access="hasRole('ROLE_USER')" /> 
    <sec:form-login authentication-failure-url="/login?error" /> 
    <sec:logout logout-success-url="/login?logout" /> 
</sec:http> 

<bean id="oauthAuthenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <property name="realmName" value="test" /> 
</bean> 

<bean id="clientAuthenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <property name="realmName" value="test/client" /> 
    <property name="typeName" value="Basic" /> 
</bean> 

<bean id="oauthAccessDeniedHandler" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> 

<bean id="clientCredentialsTokenEndpointFilter" 
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> 
    <property name="authenticationManager" ref="clientAuthenticationManager" /> 
</bean> 

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> 
    <constructor-arg> 
     <list> 
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> 
      <bean 
       class="org.springframework.security.web.access.expression.WebExpressionVoter" /> 
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> 
     </list> 
    </constructor-arg> 
</bean> 

<sec:authentication-manager id="clientAuthenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <sec:authentication-provider 
     user-service-ref="clientDetailsUserService" /> 
</sec:authentication-manager> 

<sec:authentication-manager alias="authenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <sec:authentication-provider> 
     <sec:user-service id="userDetailsService"> 
      <sec:user name="admin" password="admin" authorities="ROLE_ADMIN, ROLE_USER" /> 
      <sec:user name="user" password="user" authorities="ROLE_USER" /> 
     </sec:user-service> 
    </sec:authentication-provider> 
</sec:authentication-manager> 

<bean id="clientDetailsUserService" 
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> 
    <constructor-arg ref="clientDetails" /> 
</bean> 

<!-- Used for the persistenceof tokens (currently an in memory implementation) --> 
<bean id="tokenStore" 
    class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" /> 

<!-- Used to create token and and every thing about them except for their 
    persistence that is reposibility of TokenStore (Given here is a default implementation) --> 
<bean id="tokenServices" 
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> 
    <property name="tokenStore" ref="tokenStore" /> 
    <property name="supportRefreshToken" value="true" /> 
    <property name="clientDetailsService" ref="clientDetails" /> 
</bean> 

<bean id="userApprovalHandler" 
    class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler"> 
</bean> 

<!-- authorization-server aka AuthorizationServerTokenServices is an interface 
    that defines everything necessary for token management --> 
<oauth:authorization-server 
    client-details-service-ref="clientDetails" token-services-ref="tokenServices" 
    user-approval-handler-ref="userApprovalHandler"> 
    <oauth:authorization-code /> 
    <oauth:implicit /> 
    <oauth:refresh-token /> 
    <oauth:client-credentials /> 
    <oauth:password /> 
</oauth:authorization-server> 

<oauth:resource-server id="resourceServerFilter" 
    resource-id="test" token-services-ref="tokenServices" /> 
<!-- ClientsDeailsService: Entry Point to clients database (given is in 
    memory implementation) --> 
<oauth:client-details-service id="clientDetails"> 
    <oauth:client client-id="my-trusted-client" 
     authorized-grant-types="password,authorization_code,refresh_token,implicit" 
     authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" 
     access-token-validity="60" /> 
    <oauth:client client-id="my-trusted-client-with-secret" 
     authorized-grant-types="password,authorization_code,refresh_token,implicit" 
     secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" /> 
    <oauth:client client-id="my-client-with-secret" 
     authorized-grant-types="client_credentials" authorities="ROLE_CLIENT" 
     scope="read" secret="secret" /> 
    <oauth:client client-id="my-less-trusted-client" 
     authorized-grant-types="authorization_code,implicit" authorities="ROLE_CLIENT" /> 
    <oauth:client client-id="my-less-trusted-autoapprove-client" 
     authorized-grant-types="implicit" authorities="ROLE_CLIENT" /> 
    <oauth:client client-id="my-client-with-registered-redirect" 
     authorized-grant-types="authorization_code,client_credentials" 
     authorities="ROLE_CLIENT" redirect-uri="http://anywhere?key=value" 
     scope="read,trust" /> 
    <oauth:client client-id="my-untrusted-client-with-registered-redirect" 
     authorized-grant-types="authorization_code" authorities="ROLE_CLIENT" 
     redirect-uri="http://anywhere" scope="read" /> 
    <oauth:client client-id="tonr" resource-ids="test" 
     authorized-grant-types="authorization_code,implicit" authorities="ROLE_CLIENT" 
     scope="read,write" secret="secret" /> 
    <!--Self defined client --> 
    <oauth:client client-id="the_client" 
     authorized-grant-types="authorization_code,client_credentials" 
     authorities="ROLE_USER" scope="read,write,trust" secret="secret" /> 
</oauth:client-details-service> 

<sec:global-method-security 
    pre-post-annotations="enabled" proxy-target-class="true" 
    xmlns="http://www.springframework.org/schema/security"> 
    <!--you could also wire in the expression handler up at the layer of the 
     http filters. See https://jira.springsource.org/browse/SEC-1452 --> 
    <sec:expression-handler ref="oauthExpressionHandler" /> 
</sec:global-method-security> 

<oauth:expression-handler id="oauthExpressionHandler" /> 

<oauth:web-expression-handler id="oauthWebExpressionHandler" /> 

答えて

1

問題は解決しました。

は、さらにコンサルティングについては、ちょうど

<sec:authentication-manager alias="authenticationManager" 
xmlns="http://www.springframework.org/schema/security"> 

下記正しいと単語 "エイリアス" を "ID" に変更します。

<sec:authentication-manager id="authenticationManager" 
xmlns="http://www.springframework.org/schema/security"> 

そして作品を!

関連する問題