Spring Boot Oauth2 验证资源所有者密码凭证授予的访问令牌

Posted 2023-02-27

【中文标题】Spring Boot Oauth2 验证资源所有者密码凭证授予的访问令牌

【英文标题】：Spring Boot Oauth2 Validating Access Token for Resource Owner Password Credentials Grant

【发布时间】：2017-07-05 23:41:14

【问题描述】：

我正在编写一个过滤器，它会拦截 Restful API 调用、提取 Bearer 令牌并调用授权服务器进行验证。

我在 Spring Boot 中找不到开箱即用的方法，但我确信有一种更简洁的方法可以做到这一点。 这是我所拥有的（伪代码）：

public class SOOTokenValidationFilter extends OncePerRequestFilter 

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException 

    String xAuth = request.getHeader("Authorization");

    // validate the value in xAuth
    if(isValid(xAuth) == false)
        throw new SecurityException();
      

    // Create our Authentication and set it in Spring 
      Authentication auth = new Authentication ();
      SecurityContextHolder.getContext().setAuthentication(auth);            

    filterChain.doFilter(request, response);


private boolean isValid (String token)

    // make a call to SSO passing the access token and 
    // return true if validated
    return true;

【参考方案1】：

经验教训，Spring Security Oauth2 文档严重不足，忘记在没有完全梳理源代码的情况下尝试使用该框架。另一方面，代码写得很好，很容易追随 Dave Syer。

这是我的配置：

protected void configure(HttpSecurity http) throws Exception 
    http.csrf().disable();                  
    http.authorizeRequests()
        .antMatchers("/")
        .permitAll()
        .and()      
        .addFilterBefore(getOAuth2AuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling();                        

这是我的 getOAuth2AuthenticationProcessingFilter 方法：

private OAuth2AuthenticationProcessingFilter getOAuth2AuthenticationProcessingFilter()        
    // configure token Extractor
    BearerTokenExtractor tokenExtractor = new BearerTokenExtractor();
    // configure Auth manager
    OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
    // configure RemoteTokenServices with your client Id and auth server endpoint
    manager.setTokenServices(remoteTokenServices);

    OAuth2AuthenticationProcessingFilter filter = new OAuth2AuthenticationProcessingFilter();
    filter.setTokenExtractor(tokenExtractor);        
    filter.setAuthenticationManager(manager);
    return filter;

【讨论】：

您好，请问您是如何创建remoteTokenServices..的？

主@Bean public RemoteTokenServices tokenService() RemoteTokenServices tokenService = new RemoteTokenServices(); tokenService.setCheckTokenEndpointUrl("localhost:8080/spring-security-oauth-server/oauth/…); tokenService.setClientId("fooClientIdPassword"); tokenService.setClientSecret("secret"); return tokenService;