我正在尝试使用Spring安全性创建Oauth服务器,我对它们都是新手。
当我浏览以下网址时,流程是
http://localhost:8080/OAuthServer/oauth/authorize?response_type=code&redirect_uri=http://localhost:8080/client/handler&client_id=test
问题1:我被重定向到登录 http://localhost:8080/OAuthServer/login 但在登录验证后,我的用户被重定向到欢迎页面http://localhost:8080/OAuthServer/而不是授权页面
问题2(奇怪):从欢迎页面退出后再次执行相同的过程:浏览OAuthServer / oauth / authorize ?,它显示登录页面,登录后,它会按预期重定向到授权页面。但这在第一次尝试时没有用。
问题3:现在,每次我浏览OAuthServer / oauth / authorize?它显示授权页面而不是显示登录页面。这次我想验证其他一些用户,但直接进入授权页面。
在所有情况下,没有错误,我获得授权代码,从代码,我获得访问代码和刷新代码,并能够使用访问代码访问我的资源\ employee \ list
我确定这里的配置有误。请帮帮我。
的security.xml
<!-- Entry Url -->
<sec:http pattern="/oauth/token**" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false" />
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter"
before="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/oauth/authorize**" create-session="never"
entry-point-ref="LoginEntry">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/oauth/authorize"
access="IS_AUTHENTICATED_FULLY" />
</sec:http>
<bean id="LoginEntry"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/login" />
</bean>
<sec:http pattern="/employee/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint" >
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/employee/**" access="ROLE_USER" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/oauth/me**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/oauth/me" method="GET"
access="IS_AUTHENTICATED_FULLY" />
<sec:custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http authentication-manager-ref="loginAuthentication"
disable-url-rewriting="true">
<sec:intercept-url pattern="/admin**" access="ROLE_USER" />
<sec:form-login login-page="/login"
authentication-failure-url="/login?error" username-parameter="username"
password-parameter="password" />
<sec:logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<sec:csrf />
</sec:http>
<sec:authentication-manager id="loginAuthentication">
<sec:authentication-provider>
<sec:user-service>
<sec:user name="mkyong" password="123456" authorities="ROLE_USER" />
<sec:user name="test" password="1234" authorities="ROLE_USER" />
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Server -->
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
authorization-request-manager-ref="SECAuthorizationRequestManager"
user-approval-handler-ref="SECTokenServicesUserApprovalHandler">
<oauth:authorization-code
authorization-code-services-ref="JdbcAuthorizationCodeServices" />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
</oauth:authorization-server>
<!-- Resource -->
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="tokenServices" />
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="springsec" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>
<bean id="clientCredentialsTokenEndpointFilter" class="com.server.security.SECClientCredentialToken">
<property name="authenticationManager" ref="authenticationManager" />
<property name="clientDetails" ref="clientDetails" />
</bean>
<bean id="userCredentialsTokenEndpointFilter" class="com.server.security.SECUserCredential">
<property name="authenticationManager" ref="loginAuthentication" />
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="clientDetails" class="com.server.security.SECClientDetailsService">
<property name="id" value="test" />
<property name="secretKey" value="mycompanykey" />
</bean>
<bean id="SECTokenServicesUserApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<bean id="SECAuthorizationRequestManager"
class="org.springframework.security.oauth2.provider.DefaultAuthorizationRequestManager">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="JdbcAuthorizationCodeServices"
class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
<constructor-arg ref="jdbcTemplate" />
</bean>
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="jdbcTemplate" />
</bean>
<bean id="jdbcTemplate"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url"
value="jdbc:mysql://serverhost:7306/Oauth?useSSL=false" />
<property name="username" value="username" />
<property name="password" value="password" />
</bean>
<!-- End Persistence Layer -->
<!-- ModelViewController -->
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<context:annotation-config />
<context:component-scan
base-package="com.server.security,com.server.resource,com.server.controller" />
<bean
class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
<property name="viewResolvers">
<list>
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/" />
<property name="suffix" value=".jsp" />
</bean>
</list>
</property>
<property name="defaultViews">
<list>
<bean
class="org.springframework.web.servlet.view.json.MappingJackson2JsonView" />
</list>
</property>
</bean>
答案 0 :(得分:0)
问题1: 我认为这是因为“/ oauth / authorize **”中的create-session =“never”,请检查jsession是否首次创建并重新检查第二次。
问题2: 因为您已经重定向到主页所以创建了会话以便它可以在其中存储重定向
问题3: 你必须使用隐身窗口使用另一个会话,或者注销并再次使用不同的用户登录