Spring Security OAuth2 纯资源服务器
Posted
技术标签:
【中文标题】Spring Security OAuth2 纯资源服务器【英文标题】:Spring Security OAuth2 pure resource server 【发布时间】:2013-12-21 11:32:57 【问题描述】:我们已经建立了一个OAuth2授权服务器,所以我需要创建一个对应的资源服务器(单独的服务器)。我们计划使用 Spring Security OAuth2 项目。他们设置资源服务器的文档:
https://github.com/spring-projects/spring-security-oauth/wiki/oAuth2#resource-server-configuration
token-services-ref
应该指向令牌处理 bean。然而,令牌处理似乎是由服务器本身完成的,即使它是资源服务器。似乎没有任何远程令牌服务类或与远程服务器相关的任何配置。这与 CloudFoundary UAA (https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml) 形成对比,后者具有:
<bean id="tokenServices"
class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="$checkTokenEndpointUrl" />
有没有办法将 Spring Security OAuth2 用于与单独的 OAuth2 授权服务器通信的资源服务器?如何设置通信端点?
【问题讨论】:
【参考方案1】:只要授权服务器和资源服务器访问共享的tokenStore
(例如,使用JdbcTokenStore
和公共dataSource
),这是可能的。您可以使用 DefaultTokenServices
引用您共享的 tokenStore
。下面是一个示例 Spring 配置,您应该可以对其进行调整以满足您的需求:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg name="dataSource" ref="dataSource" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
</bean>
<bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myRealm" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />
<oauth2:expression-handler id="oauthExpressionHandler" />
<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth2:resource-server id="myResource" resource-id="myResourceId" token-services-ref="tokenServices" />
<security:http pattern="/myPattern/**" create-session="never"
entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="GET" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="HEAD" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="OPTIONS" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="PUT" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="POST" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="DELETE" />
<security:custom-filter ref="myResource" before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
</beans>
【讨论】:
是的!谢谢你,@chris-h。即插即用,很快就成功了 40 分钟,然后是 nerf h-o-r-s-e 的庆祝游戏。【参考方案2】:是的,这是可能的。就像您在问题中已经提到的那样,RemoteTokenServices
是解决方案。
我创建了一个具有独立身份验证和资源服务器的示例。它只是一个示例,可让您快速了解该概念并开放扩展。
Spring-AngularJS-OAuth2-Sample
【讨论】:
难道我们没有任何属性可以配置来实现这一点吗? @Rites 在您的示例中,RemoteTokenServices 正在使用 de /oauth/check_token 端点。使用 /oauth/token_id 端点进行令牌验证呢?你怎么能做到这一点? 你有用于 facebook graph 的 RemoteTokenServices 示例吗? @所有人都知道:***.com/questions/57672643/…以上是关于Spring Security OAuth2 纯资源服务器的主要内容,如果未能解决你的问题,请参考以下文章
Spring-Security OAuth2 设置 - 无法找到 oauth2 命名空间处理程序
Spring Security OAuth2 v5:NoSuchBeanDefinitionException:'org.springframework.security.oauth2.jwt.Jwt
针对授权标头的Spring Security OAuth2 CORS问题