spring security oauth2 client_credentials模

本文主要简单介绍一下spring security oauth2的client_credentials模式

maven

        <dependency>

            <groupId>org.springframework.security.oauth</groupId>

            <artifactId>spring-security-oauth2</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-security</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

        </dependency>

auth server config

@Configuration

@EnableAuthorizationServer //提供/oauth/authorize,/oauth/token,/oauth/check_token,/oauth/confirm_access,/oauth/error

public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override

    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        oauthServer

                .tokenKeyAccess("permitAll()")

                .checkTokenAccess("isAuthenticated()") //allow check token

                .allowFormAuthenticationForClients();

    }

    @Override

    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

        clients.inMemory()

                .withClient("demoApp")

                .secret("demoAppSecret")

                .authorizedGrantTypes("client_credentials", "password", "refresh_token")

                .scopes("all")

                .resourceIds("oauth2-resource")

                .accessTokenValiditySeconds(1200)

                .refreshTokenValiditySeconds(50000);

    }

}

resource server config

@Configuration

@EnableResourceServer

public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

}

demo controller

@RestController

@RequestMapping("/api")

public class DemoController {

    @GetMapping("/blog/{id}")

    public String getBlogById(@PathVariable long id) {

        return "this is blog "+id;

    }

}

验证

没有token请求资源

curl -i -H "Accept: application/json" -X GET http://localhost:8080/api/blog/1

返回

HTTP/1.1 401

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Frame-Options: DENY

Cache-Control: no-store

Pragma: no-cache

WWW-Authenticate: Bearer realm="oauth2-resource", error="unauthorized", error_description="Full authentication is required to access this resource"

Content-Type: application/json;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 02 Dec 2017 14:31:51 GMT

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

client_credentials请求授权

curl -H "Accept: application/json" demoApp:demoAppSecret@localhost:8080/oauth/token -d grant_type=client_credentials

或者

curl -H "Accept: application/json" http://localhost:8080/oauth/token -d "grant_type=client_credentials&client_id=demoApp&client_secret=demoAppSecret"

返回

{"access_token":"6d0ee2b2-c803-49bf-a813-a25bfb59a976","token_type":"bearer","expires_in":1199,"scope":"all"}

携带token请求资源

curl -i -H "Accept: application/json" -H "Authorization: Bearer 6d0ee2b2-c803-49bf-a813-a25bfb59a976" -X GET http://localhost:8080/api/blog/1

或者

curl -i -X GET http://localhost:8080/api/blog/1?access_token=fe8bcab3-1d33-4ef1-b1d0-bd142a480af2

不过这种把token暴露在url中不是太安全

返回

HTTP/1.1 200

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Frame-Options: DENY

X-Application-Context: application

Content-Type: application/json;charset=UTF-8

Content-Length: 14

Date: Sat, 02 Dec 2017 14:31:09 GMT

this is blog 1

check token

curl -i -X POST -H "Accept: application/json" -u "demoApp:demoAppSecret" http://localhost:8080/oauth/check_token?token=3d47e053-de16-4e6f-8ec7-f9247f425a8e

返回

HTTP/1.1 403

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Frame-Options: DENY

Content-Type: application/json;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 02 Dec 2017 14:50:32 GMT

{"timestamp":1512226232386,"status":403,"error":"Forbidden","message":"Access is denied","path":"/oauth/check_token"}

需要配置

@Override

    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        oauthServer

                .tokenKeyAccess("permitAll()")

                .checkTokenAccess("isAuthenticated()") //allow check token

                .allowFormAuthenticationForClients();

    }

成功返回

HTTP/1.1 200

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Frame-Options: DENY

X-Application-Context: application

Content-Type: application/json;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 02 Dec 2017 14:48:33 GMT

{"aud":["oauth2-resource"],"scope":["read"],"exp":1512227200,"client_id":"demoApp"}

token非法

HTTP/1.1 400

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Frame-Options: DENY

X-Application-Context: application

Cache-Control: no-store

Pragma: no-cache

Content-Type: application/json;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 02 Dec 2017 14:51:33 GMT

Connection: close

{"error":"invalid_token","error_description":"Token was not recognised"}

doc

增加了文件,另外mvn依赖需要写版本号

<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.0.RELEASE</version>
</dependency>

package com.italkbb.homesecurity.alertmessage.security;

import org.springframework.boot.web.servlet.FilterRegistrationBean;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.authentication.AuthenticationManager;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.springframework.security.crypto.password.PasswordEncoder;

import org.springframework.web.cors.CorsConfiguration;

import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import org.springframework.web.filter.CorsFilter;

//import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

/**

 * Created by wangyunfei on 2017/6/9.

 */

@Configuration

public class SecurityConfig extends WebSecurityConfigurerAdapter {

//    @Autowired

//    private DomainUserDetailsService userDetailsService;

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        http

                .csrf().disable()

                .anonymous().disable()

                .authorizeRequests()

//                .antMatchers("/api-docs/**").permitAll();

    }

    @Bean

    public FilterRegistrationBean corsFilter() {

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        CorsConfiguration config = new CorsConfiguration();

        config.setAllowCredentials(true);

        config.addAllowedOrigin("*");

        config.addAllowedHeader("*");

        config.addAllowedMethod("*");

        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));

        bean.setOrder(0);

        return bean;

    }

/*

    @Bean

    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {

        return new SecurityEvaluationContextExtension();

    }

*/

    //不定义没有password grant_type

    @Override

    @Bean

    public AuthenticationManager authenticationManagerBean() throws Exception {

        return super.authenticationManagerBean();

    }

/*  替换这个不工作,报 null 当调用userDetailsService loadUser时候。

    @Override

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());

    }

 */   

/*    @Autowired

    public void configure(AuthenticationManagerBuilder auth) throws Exception {

        System.out.println("");

        auth.userDetailsService(userDetailsService)

                .passwordEncoder(passwordEncoder());

    }

*/

    @Bean

    public PasswordEncoder passwordEncoder(){

//      return new BCryptPasswordEncoder();

        return new PasswordEncoder() {

            @Override

            public boolean matches(CharSequence rawPassword, String encodedPassword) {

                System.out.println("PasswordEncoder:  raw password:" + rawPassword.toString() + " encoded:" + encodedPassword

                        + "================================");

                return true;

            }

            @Override

            public String encode(CharSequence rawPassword) {

                System.out.println("PasswordEncoder: raw password:" + rawPassword.toString() + "================================");

                return rawPassword.toString();

            }

        };

    }

}

spring security oauth2 client_credentials模的更多相关文章

  1. Spring security oauth2 client_credentials认证 最简单示例代码

    基于spring-boot-2.0.0 1,在pom.xml中添加: <!-- security --> <!-- https://mvnrepository.com/artifac ...

  2. Spring Security Oauth2 的配置

    使用oauth2保护你的应用,可以分为简易的分为三个步骤 配置资源服务器 配置认证服务器 配置spring security 前两点是oauth2的主体内容,但前面我已经描述过了,spring sec ...

  3. 转 - spring security oauth2 password授权模式

    原贴地址: https://segmentfault.com/a/1190000012260914#articleHeader6 序 前面的一篇文章讲了spring security oauth2的c ...

  4. Re:从零开始的Spring Security Oauth2(二)

    本文开始从源码的层面,讲解一些Spring Security Oauth2的认证流程.本文较长,适合在空余时间段观看.且涉及了较多的源码,非关键性代码以…代替. 准备工作 首先开启debug信息: l ...

  5. Re:从零开始的Spring Security Oauth2(一)

    前言 今天来聊聊一个接口对接的场景,A厂家有一套HTTP接口需要提供给B厂家使用,由于是外网环境,所以需要有一套安全机制保障,这个时候oauth2就可以作为一个方案. 关于oauth2,其实是一个规范 ...

  6. Spring Security OAuth2 Demo —— 客户端模式(ClientCredentials)

    前情回顾 前几节分享了OAuth2的流程与其它三种授权模式,这几种授权模式复杂程度由大至小:授权码模式 > 隐式授权模式 > 密码模式 > 客户端模式 本文要讲的是最后一种也是最简单 ...

  7. Spring Security 解析(五) —— Spring Security Oauth2 开发

    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...

  8. 基于spring boot2.0+spring security +oauth2.0+ jwt微服务架构

    github地址:https://github.com/hankuikuide/microservice-spring-security-oauth2 项目介绍 该项目是一个演示项目,主要演示了,基于 ...

  9. Spring Cloud 学习 (十) Spring Security, OAuth2, JWT

    通过 Spring Security + OAuth2 认证和鉴权,每次请求都需要经过 OAuth Server 验证当前 token 的合法性,并且需要查询该 token 对应的用户权限,在高并发场 ...

随机推荐

  1. AS使用自带虚拟机报错解决

    Android studio自带的Google虚拟机越来越好用了,所以可以打开这个功能,想用的时候打开使用即可 使用的过程中经常会遇到这样的问题: 19:26 Emulator: emulator: ...

  2. 从零学习Fluter(二):win10上环境搭建以及模拟器和真机调试

    今天呢,又继续看了flutter 弗拉特 的东西,绝的这个东西绝对是比ReactNative更高一层次的,在2018年12月5好,flutter的第一个stale1.0发布了,我们在GitHub上可以 ...

  3. MR单元测试以及DeBug调试

    Hadoop的MapReduce程序提交到集群环境中运行,出问题时定位非常麻烦,有时需要一遍遍修改代码和打印日志来排查问题,哪怕是比较小的问题.如果数据量很大的话调试起来就相当耗费时间. 而且,Map ...

  4. 小小白搭建nextcloud云盘

    我是一名linux的小小白,今天就利用自己的所学搭建属于自己的云盘——nextcloud. 本人学生狗,普通的云盘也要几十块钱,既然我们只是拿来搭建巩固自己知识并不做为生产力,我们就用VMware W ...

  5. spring异步执行报异常No qualifying bean of type 'org.springframework.core.task.TaskExecutor' available

    最近观察项目运行日志的时候突然发现了一个异常, [2018-04-03 10:49:07] 100.0.1.246 http-nio-8080-exec-9 DEBUG org.springframe ...

  6. python之sqlalchemy的使用

    准备数据 from sqlalchemy.ext.declarative import declarative_base from sqlalchemy import Column from sqla ...

  7. 初始数据结构(python语言)

    数据结构 概念:数据结构是指相互之间存在着一种或多种关系的数据元素的集合和该集合中数据元素之间的关系组成 算法复杂度 时间复杂度 时间复杂度是同一问题可用不同算法解决,而一个算法的质量优劣将影响到算法 ...

  8. 磁盘缓存--YYCache 设计思路

    为了设计一个比较好的磁盘缓存,我调查了大量的开源库,包括 TMDiskCache.PINDiskCache.SDWebImage.FastImageCache 等,也调查了一些闭源的实现,包括 NSU ...

  9. 如何判断app的页面是原生的还是H5的webview页面

    1.看布局边界(在手机侧观察) 开发者选项->显示布局边界,页面元素很多的情况下布局是一整块的是h5的,布局密密麻麻的是原生控件.页面有布局的是原生的,否则为h5页面.(仅针对安卓手机试用)如下 ...

  10. Luogu5058 [ZJOI2004]嗅探器

    $Luogu5058 [ZJOI2004]嗅探器 给定一张 \(n\) 个点, \(m\) 条边的无向图,和两点 \(s,\ t\) ,求 \(s\to t\) 编号最小的必经点(排除 \(s,\ t ...