spring security oauth2 发布限制

Posted 2023-02-27

【中文标题】spring security oauth2 发布限制

【英文标题】：spring security oauth2 post restriction

【发布时间】：2017-06-08 15:19:38

【问题描述】：

我目前正在尝试使用 spring security oauth2 实现一个 spring 应用程序，以保护我的资源以及从外部设备（例如 ios 或 android 应用程序）接收数据 通过以下spring config设置，我可以达到保护资源的目的，所以基本上任何想查看json数据的人都必须经过

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.2.xsd
       http://www.springframework.org/schema/security/oauth2
       http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<!-- Definition of the Authentication Service -->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>

<!-- Protected resources -->
<http pattern="/searchResultAPI/**" 
      create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/searchResultAPI/**" access="ROLE_USER"/>
    <intercept-url pattern="/receiveUserDataAPI/**" access="ROLE_USER"/>
    <custom-filter ref="resourceServerFilter"
                   before="PRE_AUTH_FILTER"/>
    <access-denied-handler
            ref="oauthAccessDeniedHandler"/>
</http>

<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest"/>
</bean>

<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="dstest/client"/>
    <property name="typeName" value="Basic"/>
</bean>

<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
      xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
            <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
</bean>

<!-- Authentication in config file -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService"/>
</authentication-manager>

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service id="userDetailsService">
            <user name="admin" password="password" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails"/>
</bean>

<!-- Token Store  -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore"/>
    <property name="supportRefreshToken" value="true"/>
    <property name="clientDetailsService" ref="clientDetails"/>
    <!-- VIV -->
    <property name="accessTokenValiditySeconds" value="10"/>
</bean>

<bean id="userApprovalHandler"
      class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
    <property name="tokenServices" ref="tokenServices"/>
</bean>

<!-- Token management -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                            user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code/>
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials/>
    <oauth:password/>
</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter"
                       resource-id="dstest"
                       token-services-ref="tokenServices"/>

<!-- Client Definition -->
<oauth:client-details-service id="clientDetails">

    <oauth:client client-id="my-trusted-client"
                  authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                  authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
                  redirect-uri="/web"
                  scope="read,write,trust"
                  access-token-validity="30"
                  refresh-token-validity="600"/>

</oauth:client-details-service>


<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <sec:expression-handler ref="oauthExpressionHandler"/>
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler"/>
<oauth:web-expression-handler id="oauthWebExpressionHandler"/>

</beans>

1.获取刷新令牌

http://www.sample.com/oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password

刷新令牌交换访问令牌

http://www.sample.com/oauth/token?client_id=my-trusted-client&grant_type=refresh_token&refresh_token=5fbdc1fe-6d26-458a-818f-4e49c41a47ff

最后一步使用访问令牌访问json数据

http://www.sample.com/searchResultAPI/results?search_item_id=0098&access_token=3658213e-5bb0-4c4b-89ca-f0f82513fc22

我对上述检索数据的过程没有任何问题。

但是，当我尝试将一些数据发布到此 url 时（假设 servlet requestmapping 用于此 url，并且所有 gson orm 和模型都已完成等...），spring security 不会停止发布到 http://www.sample.com/receiveUserDataAPI/receiver ，即使最初没有调用oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password 来获取访问令牌。

"customer":
    
        "address": "somewhere",
        "city": "London",
    

它只是通过这个servlet直接将数据放入数据库。 理想情况下，我的计划就像检索数据过程，首先授予用户访问令牌，然后使用令牌发布数据，弹簧安全检查令牌有效，然后接收数据。我想它应该将 json 数据发布到类似 http://www.sample.com/receiveUserDataAPI/receiver?&access_token=3658213e-5bb0-4c4b-89ca-f0f82513fc22 的 URL 上？ 谁能指出我在哪里设置错误或我错过了设置任何属性？ 谢谢

【参考方案1】：

当您的客户端收到访问令牌时，将其放入请求标头中：'Authorization': 'Bearer access_token' 用于您服务器上的任何受保护资源。 Spring 自动检查此令牌和所有者权限。

【讨论】：

errr，没有真正明白...所以基本上，我的服务器不希望从陌生人那里接收任何数据，当有人发帖时，目前，使用上述 oauth2 配置 xml 它不会阻止人们发帖东西。干杯