I am using JHipster to create a project for testing microservices; for this I created a UAA (OAuth2), a gateway and a microservice. For the authentication test, I sent a request from Postman to http://localhost:8080/auth/login, passing the username/password, the CSRF token and "Basic Auth" data in the Authorization header. The system authenticates with the username and password and returns a token, but the username and password entered in Basic Auth do not seem to have any effect, because whether or not I put anything there the system authenticates and returns a token. I would like to know how to configure the UAA so that it also validates the username and password given in Authorization.
The curl command generated by Postman for the authentication request:

curl -X POST \
  http://localhost:8080/auth/login \
  -H 'Authorization: Basic d2ViX2FwcDM6Y2hhbmdlaXQ=' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 1be3edc2-f13e-4a5c-87aa-f5f8aa5fd254' \
  -H 'X-XSRF-TOKEN: 6d194295-32ae-4bc7-803f-da5cd9d1f595' \
  -d '{
    "username":"admin",
    "password":"admin"
  }'
An excerpt of the UaaConfiguration class, the configure(ClientDetailsServiceConfigurer) method, is as follows:

@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware {
    // ....
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Token lifetimes come from the uaa.web-client-configuration block of the YAML file
        int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
        accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
        int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
        refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
        /*
        For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
        */
        clients.inMemory()
            // Browser/gateway client (client-id / secret from the YAML file)
            .withClient(uaaProperties.getWebClientConfiguration().getClientId())
            .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
            .scopes("openid")
            .autoApprove(true)
            .authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code")
            .accessTokenValiditySeconds(accessTokenValidity)
            .refreshTokenValiditySeconds(refreshTokenValidity)
            .and()
            // Internal service-to-service client (client_credentials grant only)
            .withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
            .secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
            .scopes("web-app")
            .autoApprove(true)
            .authorizedGrantTypes("client_credentials")
            .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
            .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
    }
    // ....
}
In application-dev, the end of the file looks like this (it seems to be setting the default client, but when I change it the token result does not change):

uaa:
    key-store:
        name: keystore.jks
        password: password
        alias: selfsigned
    web-client-configuration:
        # Access Token is valid for 5 mins
        access-token-validity-in-seconds: 300
        # Refresh Token is valid for 7 days
        refresh-token-validity-in-seconds-for-remember-me: 604800
        client-id: web_app
        secret: changeit
Strangely, when I inspect the token information it shows client_id = web_app:

{
  "user_name": "admin",
  "scope": [
    "openid"
  ],
  "exp": 1533775148,
  "iat": 1533774848,
  "authorities": [
    "ROLE_ADMIN",
    "ROLE_USER"
  ],
  "jti": "9dba460c-e66e-4a1d-8085-dfdbff055b56",
  "client_id": "web_app"
}
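As an added illustration (not part of the question above and not JHipster's own code), the following Java 11 program exercises the UAA's token endpoint directly rather than the gateway's /auth/login, so that the client id and secret carried in the Basic header are exactly the ones the authorization server is asked to check. It assumes the UAA is reachable at http://localhost:9999/oauth/token (JHipster's default development port for the UAA) and reuses the client and user credentials shown in the post; the client id web_app3 is what the Basic header in the Postman curl decodes to, and it is not one of the clients registered in the configure() method. Comparing the three outcomes shows whether the authorization server enforces client authentication on its own.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientAuthCheck {

    // Assumption: the UAA runs locally on JHipster's default dev port and exposes
    // the Spring Security OAuth2 token endpoint; adjust if your setup differs.
    static final String TOKEN_URL = "http://localhost:9999/oauth/token";

    // Builds the HTTP Basic value that carries the OAuth2 *client* credentials.
    static String basicAuth(String clientId, String clientSecret) {
        byte[] raw = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Sends a password grant straight to the token endpoint. The client id/secret
    // in the Basic header are the ones passed in, nothing is substituted on the way.
    static HttpResponse<String> passwordGrant(HttpClient http, String clientId, String clientSecret,
                                              String username, String password) throws Exception {
        String form = "grant_type=password"
                + "&username=" + URLEncoder.encode(username, StandardCharsets.UTF_8)
                + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Authorization", basicAuth(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        return http.send(request, HttpResponse.BodyHandlers.ofString());
    }

    // Pulls a string-valued field out of a small JSON document (no JSON library needed).
    static String jsonString(String json, String field) {
        Pattern p = Pattern.compile("\"" + Pattern.quote(field) + "\"\\s*:\\s*\"([^\"]+)\"");
        Matcher m = p.matcher(json);
        return m.find() ? m.group(1) : null;
    }

    // Decodes the JWT payload and returns its client_id claim. The signature is
    // deliberately not verified: this only inspects a token the server just issued.
    static String clientIdClaim(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            return null;
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        return jsonString(payload, "client_id");
    }

    public static void main(String[] args) throws Exception {
        HttpClient http = HttpClient.newHttpClient();

        // 1. The client registered in application-dev.yml: expect HTTP 200 and client_id=web_app.
        HttpResponse<String> ok = passwordGrant(http, "web_app", "changeit", "admin", "admin");
        System.out.println("registered client -> HTTP " + ok.statusCode());
        if (ok.statusCode() == 200) {
            String token = jsonString(ok.body(), "access_token");
            System.out.println("  client_id claim: " + clientIdClaim(token));
        }

        // 2. The id the Postman header in the question decodes to (web_app3) is not
        //    registered, so the token endpoint itself should reject it (typically 401).
        HttpResponse<String> unknown = passwordGrant(http, "web_app3", "changeit", "admin", "admin");
        System.out.println("unknown client    -> HTTP " + unknown.statusCode());

        // 3. Right id, wrong secret: also expected to be rejected.
        HttpResponse<String> badSecret = passwordGrant(http, "web_app", "wrong-secret", "admin", "admin");
        System.out.println("wrong secret      -> HTTP " + badSecret.statusCode());
    }
}
```

Run it with `java ClientAuthCheck.java` against a running UAA. If cases 2 and 3 are rejected here while the gateway's /auth/login still issues a token for the same header, the header is being checked by the UAA but is not reaching it unchanged through the gateway route, which narrows the configuration to look at to the gateway side rather than the configure() method above.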