是否有针对Spring Security的Oauth的NON命名空间配置示例?

时间:2011-03-18 18:02:36

标签: oauth spring-security

由于各种原因,我们无法使用Spring的命名空间配置。是否有不使用命名空间配置机制的OAuth 2.0配置示例?大多数情况下,我试图找出过滤器链中需要包含哪个过滤器。

2 个答案:

答案 0 :(得分:3)

以下是我设置的基本OAuth 2.0流程的工作原理(与Tonr / Sparklr演示中的基本相同)。我们的安全设置很复杂,因此我只会重现下面的相关摘要。

首先,过滤链顺序:

BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor

请注意AnonymousAuthenticationFilter 绝对需要 ,即使您不在其他地方使用

现在支持bean:

<bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>

<bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
    <property name="clientDetailsService" ref="clientDetailsService"/>
    <property name="verificationServices" ref="verificationCodeServices"/>
    <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>

    <property name="unapprovedAuthenticationHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <!-- This is where you define your confirmation page -->
            <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
        </bean>
    </property>
</bean>

<bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationSuccessHandler">
        <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
            <property name="tokenServices" ref="tokenServices"/>
        </bean>
    </property>
</bean>

<bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
    <property name="tokenServices" ref="tokenServices"/>
</bean>

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
    <property name="supportRefreshToken" value="true"/>
</bean>

<bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
    <property name="clientDetailsStore">
        <map>
            <entry key="tonr">
                <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
                    <property name="clientId" value="tonr"/>
                    <property name="authorizedGrantTypes">
                        <list>
                            <value>authorization_code</value>
                            <value>refresh_token</value>
                        </list>
                    </property>
                </bean>
            </entry>
        </map>
    </property>
</bean>

<bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>

<bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
    <property name="verificationServices" ref="verificationCodeServices"/>
</bean>

<bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
    <property name="clientDetailsService" ref="clientDetailsService"/>
</bean>

<bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>

请注意,服务(客户端,令牌,验证码)只是内存版本中提供的。您需要创建自己的版本才能持久化。

最后,您需要将提供程序绑定到身份验证管理器中:

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="oauth2AccessGrantAuthenticationProvider"/>
                <ref local="oauth2VerificationAuthenticationProvider"/>
                <ref local="oauth2RefreshAuthenticationProvider"/>
                <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                    <property name="key" value="mykey"/>
                </bean>
            </list>
        </property>
    </bean>

答案 1 :(得分:0)

以下是基于命名空间的OAuth 2.0提供程序配置中为我启动的过滤器。您可以通过设置命名空间并打开spring security上的调试日志来获取它们。

firing Filter: 'BasicUserApprovalFilter'
firing Filter: 'SecurityContextPersistenceFilter'
firing Filter: 'LogoutFilter'
firing Filter: 'UsernamePasswordAuthenticationFilter'
firing Filter: 'BasicAuthenticationFilter'
firing Filter: 'RequestCacheAwareFilter'
firing Filter: 'SecurityContextHolderAwareRequestFilter'
firing Filter: 'AnonymousAuthenticationFilter'
firing Filter: 'SessionManagementFilter'
firing Filter: 'ExceptionTranslationFilter'
firing Filter: 'OAuth2ExceptionHandlerFilter'
firing Filter: 'VerificationCodeFilter'
firing Filter: 'OAuth2AuthorizationFilter'
firing Filter: 'OAuth2ProtectedResourceFilter'
firing Filter: 'FilterSecurityInterceptor'