zoukankan      html  css  js  c++  java
  • spring oauth2 ,spring security整合oauth2.0 JdbcTokenStore实现 解决url-pattern .do .action

    参考以下两个文章:

    http://www.cnblogs.com/0201zcr/p/5328847.html

    http://wwwcomy.iteye.com/blog/2230265

    web.xml 注意这里的<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>   <url-pattern>/*</url-pattern>  而<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>    <url-pattern>*.action</url-pattern>会导致org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter构造器里面的/oauth/token被security拦截,而spring mvc却没有拦截

        <!-- SpringSecurity必须的filter start-->  
        <filter>  
            <filter-name>springSecurityFilterChain</filter-name>  
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
        </filter>    
        <filter-mapping>  
            <filter-name>springSecurityFilterChain</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>
        <!-- SpringSecurity必须的filter end-->
                     
        <servlet>        
            <servlet-name>dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>            
                <param-value>
                    classpath:applicationContextMvc.xml
                </param-value>
            </init-param>
            <load-on-startup>2</load-on-startup>    
        </servlet>
        <servlet-mapping>
            <servlet-name>dispatcher</servlet-name>
            <url-pattern>*.action</url-pattern>
        </servlet-mapping>
        <!--  /oauth/token 是oauth2登陆验证请求的url     用于获取access_token  ,默认的生存时间是43200秒,即12小时-->
        <http pattern="/oauth/token.action" create-session="stateless" authentication-manager-ref="clientAuthenticationManager">
              <intercept-url pattern="/oauth/token.action" access="IS_AUTHENTICATED_FULLY" />      <!--  可以访问的角色名称,如果需要拦截,需要实现UserDetails接口,实现getAuthorities()方法-->
            <anonymous enabled="false" />
            <http-basic entry-point-ref="oauth2AuthenticationEntryPoint" />
            <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
            <access-denied-handler ref="oauth2AccessDeniedHandler" />
        </http>

    这个authentication-manager 是OAUTH的,还需要另一个spring security ,如果已经在使用spring security 那么只需要配置这一个.ClientDetailsUserDetailsService 实现了spring security的UserDetailsService,在ClientDetailsUserDetailsService 

    的loadUserByUsername并不是验证我们用户的账号密码,验证用户的账号密码在spring security里面已经自己处理了,这里的loadUserByUsername是验证我们的客户端也就是第三方的网址,或者APP,是否有权限访问我们的接口.例如这里我们的第三方APP用户名为mobile_1,密码为secret_1,可以配置多个第三方APP

            <!-- 验证的权限控制 -->
        <authentication-manager id="clientAuthenticationManager">
            <authentication-provider user-service-ref="oauth2ClientDetailsUserService"  />
        </authentication-manager>
        
        
        <oauth2:client-details-service id="clientDetailsService" >
            <oauth2:client client-id="mobile_1" authorized-grant-types="password,authorization_code,refresh_token,implicit" secret="secret_1" scope="read,write,trust" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"  resource-ids="mobile-resource" />
        </oauth2:client-details-service>
        <beans:bean id="oauth2ClientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
            <beans:constructor-arg ref="clientDetailsService" /> 
        </beans:bean>

    spring security 的authentication-manager  , daoAuthenticationProvider需要自己实现,这里就不贴出来了

          <!-- 权限管理者 -->
           <authentication-manager alias="myAuthenticationManager">
                   <!-- 权限提供者 -->
                   <authentication-provider ref="daoAuthenticationProvider" />
           </authentication-manager>
           
           <beans:bean id="daoAuthenticationProvider" class="com.thesys.common.security.provider.MyDaoAuthenticationProvider">
                  <beans:property name="userDetailsService" ref="securityService" /> 
                  <beans:property name="PasswordEncoder" ref="md5PasswordEncoder" />
            </beans:bean> 

    复制org.springframework.security.oauth2.provider.token.DefaultTokenServices 内容新建类MyTokenService  自己重写 private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken)这个方法,实现自己的TOKEN生成方式

                  <!-- for spring oauth2 -->
        <!--token在服务器存储的方式    InMemoryTokenStore :保存在内存     ;JdbcTokenStore : 保存在数据库中 -->
        <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
        <!--<beans:bean id="tokenServices"
            class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">-->     <!--令牌服务的实体-->
        <beans:bean id="tokenServices" class="com.thesys.common.security.oauth.MyTokenService" > 
                <beans:property name="tokenStore" ref="tokenStore"></beans:property> 
                <beans:property name="supportRefreshToken" value="true"/> 
                <beans:property name="clientDetailsService" ref="clientDetailsService" />  
        </beans:bean>    <!-- 自己重写的类 -->
                        <!--处理访问成功-->
        <beans:bean id="oauth2AuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />
        <!--处理访问拒绝-->
        <beans:bean id="oauth2AccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
        <!--处理认证点-->
        <beans:bean id="oauthUserApprovalHandler" class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler" />
        <!--处理访问控制-->
        <beans:bean id="oauth2AccessDecisionManager"  class="org.springframework.security.access.vote.UnanimousBased">
            <beans:constructor-arg>
                <beans:list>
                    <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                    <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                    <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                </beans:list>
            </beans:constructor-arg>
        </beans:bean>
        
            <!--oauth2 的server所能支持的请求类型-->
        <oauth2:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices" user-approval-handler-ref="oauthUserApprovalHandler">
            <oauth2:authorization-code />
            <oauth2:implicit /> 
            <oauth2:refresh-token />
            <oauth2:client-credentials />
            <oauth2:password />
        </oauth2:authorization-server>

    这里解决.do .action的拦截问题, <beans:constructor-arg value="/oauth/token.action" /> 把默认的/oauth/token 改成/oauth/token.action 就可以解决.do或者.action 的拦截问题

     <beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
            <beans:property name="authenticationManager" ref="clientAuthenticationManager" />
            <beans:constructor-arg value="/oauth/token.action" />
        </beans:bean>  
     <intercept-url pattern="/admin**" access="IS_AUTHENTICATED_FULLY" /> 因为没有项目没有角色的设置,只要登录了就可以访问,所以不设置角色验证
       <!--指定spring要保护的资源,如果没有这个,访问控制的时候会说没有Authentication object:-->
        <oauth2:resource-server id="mobileResourceServer" resource-id="mobile-resource" token-services-ref="tokenServices" />
        
        <http pattern="/json**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint" access-decision-manager-ref="oauth2AccessDecisionManager">
            <anonymous enabled="false" />
              <intercept-url pattern="/json**" access="IS_AUTHENTICATED_FULLY" /><!--  -->
            <custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER" />
            <access-denied-handler ref="oauth2AccessDeniedHandler" />
        </http>
        
        <http pattern="/admin**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint" access-decision-manager-ref="oauth2AccessDecisionManager">
            <anonymous enabled="false" />
              <intercept-url pattern="/admin**" access="IS_AUTHENTICATED_FULLY" /> <!-- -->
            <custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER" />
            <access-denied-handler ref="oauth2AccessDeniedHandler" />
        </http>

    因为没有设置必须为POST 提交,所以无论GET POST 提交以下请求会返回access_token

    http://localhost:8028/oauth/token.action?client_id=mobile_1&client_secret=secret_1&grant_type=password&username=test&password=1
    1. {
    2.    "access_token": "6cd40d26561c4ac89e447dd5214c7033",
    3.    "token_type": "bearer",
    4.    "refresh_token": "459f7555-e733-43c9-8ab8-016b15a61427",
    5.    "expires_in": 43199,
    6.    "scope": "read trust write"
    7. }

    刷新access_token

    /oauth/token.action?client_id=&client_secret=&grant_type=refresh_token&refresh_token=459f7555-e733-43c9-8ab8-016b15a61427

    {
    "access_token": "859f08ec-7552-45b2-bb54-50328e462646",
    "token_type": "bearer",
    "refresh_token": "26bef8b9-2521-4efd-a81b-1e2873866c8f",
    "expires_in": 2591999,
    "scope": "read trust write"
    }




    然后带着access_token访问,就可以成功访问

    http://localhost:8028/admin.action?access_token=52d33d7d81ee4a388d79bf00387b1325

    没有access_token访问的话,会返回(注意看这里是XML方式返回,因为请求头为空,spring返回默认第一个,如果需要json,那么请在请求头加上accept:application/json)

    http://localhost:8028/admin.action
    1. <oauth>
    2. <error_description>An Authentication object was not found in the SecurityContext</error_description>
    3. <error>unauthorized</error>
    4. </oauth>

     数据库存储方式

        <!--token在服务器存储的方式    InMemoryTokenStore :保存在内存     ;JdbcTokenStore : 保存在数据库中 
        <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />-->
        <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" >

    按照规范建两个表,因为需要访问的第三方不多,我只需要持久化access_token所以没有建立oauth_client_details,oauth_code

    Drop table  if exists oauth_access_token;
    create table oauth_access_token (
      create_time timestamp default now(),
      token_id VARCHAR(255),
      token BLOB,
      authentication_id VARCHAR(255),
      user_name VARCHAR(255),
      client_id VARCHAR(255),
      authentication BLOB,
      refresh_token VARCHAR(255)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    
    
    Drop table  if exists oauth_refresh_token;
    create table oauth_refresh_token (
      create_time timestamp default now(),
      token_id VARCHAR(255),
      token BLOB,
      authentication BLOB
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
  • 相关阅读:
    测试成功的Python中文文件读写脚本
    Solaris 10上Matlab 7(R14)安装手记
    人生:对心物互作的反应
    破解windows登录密码的有效方法
    Java实现二维码QRCode的编码和解码
    java调用储存过程的方法
    Java多态性的两个特殊情况
    Java中的TCP/UDP网络通信编程
    C语言之详解#ifdef等宏及妙用
    26个Jquery使用小技巧
  • 原文地址:https://www.cnblogs.com/sweetchildomine/p/5876162.html
Copyright © 2011-2022 走看看