Spring Security 4.2.3. I have the default endpoint /oauth/token, and I need to create a new endpoint with the same request parameters and response. This is my WebSecurityConfigurerAdapter:
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableResourceServer
@AllArgsConstructor
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // the global (user-facing) AuthenticationManager; it is handed to the custom filter below
    private final AuthenticationManager authenticationManager;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        JWTAuthenticationFilter filter = new JWTAuthenticationFilter(authenticationManager);
        http.sessionManagement().sessionCreationPolicy(STATELESS)
            .and()
            .cors()
            .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .authorizeRequests()
            .antMatchers("/bbbbbb/**").authenticated()
            .antMatchers("/**").permitAll()
            // matchers are evaluated in order, so this rule is already covered by "/**" above
            .antMatchers("/aaaaaa/**").permitAll()
            .and()
            // the custom /user/verify filter runs after HTTP Basic in the filter chain
            .addFilterAfter(filter, BasicAuthenticationFilter.class)
            .logout().logoutSuccessUrl("/").permitAll();
    }
}
AuthorizationServerConfigurerAdapter:
import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final TokenProperties tokenProperties; // application-specific token lifetime settings
    private final AuthenticationManager authenticationManager;
    private final TokenStore tokenStore;
    private final AccessTokenConverter accessTokenConverter;
    private final UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // lets clients send client_id/client_secret as form parameters to /oauth/token
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
            .accessTokenConverter(accessTokenConverter)
            .authenticationManager(authenticationManager)   // used by the password grant
            .userDetailsService(userDetailsService);        // used by the refresh_token grant
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("rest-client")
            .secret("rest-client")
            .authorizedGrantTypes("password", "refresh_token")
            .authorities("ROLE_CLIENT")
            .scopes("read", "write")
            .accessTokenValiditySeconds(tokenProperties.getTokenLifeTime())
            .refreshTokenValiditySeconds(
                tokenProperties.getRefreshTokenLifeTime() == 0 ?
                    tokenProperties.getTokenLifeTime() * 3600 :
                    tokenProperties.getRefreshTokenLifeTime()
            );
    }
}
Some configuration:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.PasswordEncoder; // assumed: the legacy salted encoder, since a SaltSource is used
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    // user authentication: loads the user via UserDetailsService and checks the salted password
    @Bean
    @SuppressWarnings("deprecation")
    AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
                                                  PasswordEncoder passwordEncoder,
                                                  SaltSource saltSource) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setSaltSource(saltSource);
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }
}
I implemented ClientCredentialsTokenEndpointFilter with the new endpoint "/user/verify" to keep the security logic:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;

public class JWTAuthenticationFilter extends ClientCredentialsTokenEndpointFilter {

    private final AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        super("/user/verify"); // the filter only triggers on this path
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // reads client_id/client_secret from the request and authenticates them
        return super.attemptAuthentication(request, response);
    }
    @Override
    protected AuthenticationManager getAuthenticationManager() {
        // the injected (user) AuthenticationManager is used for the client credentials
        return this.authenticationManager;
    }
}
But while debugging Spring's flow I found that /oauth/token calls InMemoryClientDetailsService#loadClientByClientId and, after that, calls my implementation of UserDetailsService#loadUserByUsername, whereas my custom /user/verify skips InMemoryClientDetailsService and calls UserDetailsService#loadUserByUsername directly, which results in an exception in my password encoder. What should I do to preserve the flow?
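One way of keeping the two-stage flow described above (client credentials checked against the client store first, then the user via the password grant) for the second path, as an added illustration that is neither the asker's code nor an answer from the page. VerifyEndpointSupport, VerifyController and the clientSecretEncoder parameter are hypothetical names, and a Spring Security 4.2 / spring-security-oauth2 2.x classpath is assumed:

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical helper (not from the question): keeps the two-stage flow of /oauth/token,
// client credentials first and user credentials second, for a second path /user/verify.
public final class VerifyEndpointSupport {
    // Stage 1: client_id/client_secret are checked against the ClientDetailsService (the in-memory client store),
    // as the stock token-endpoint chain does. clientSecretEncoder must match how the client secrets were stored (assumption).
    public static AuthenticationManager clientAuthenticationManager(ClientDetailsService clients,
                                                                   PasswordEncoder clientSecretEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new ClientDetailsUserDetailsService(clients));
        provider.setPasswordEncoder(clientSecretEncoder);
        return new ProviderManager(Collections.singletonList(provider));
    }
    // Filter for /user/verify backed by the client manager, so client_id never reaches UserDetailsService#loadUserByUsername.
    public static ClientCredentialsTokenEndpointFilter verifyClientFilter(AuthenticationManager clientAuth) {
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter("/user/verify");
        filter.setAuthenticationManager(clientAuth);
        filter.afterPropertiesSet(); // installs the non-redirecting success/failure handlers, as the authorization server does
        return filter;
    }
    // Stage 2: delegate to the TokenEndpoint bean behind /oauth/token, so the password grant, user lookup and response match.
    @RestController
    public static class VerifyController {
        private final TokenEndpoint tokenEndpoint;
        public VerifyController(TokenEndpoint tokenEndpoint) { this.tokenEndpoint = tokenEndpoint; }
        @PostMapping("/user/verify")
        public ResponseEntity<OAuth2AccessToken> verify(Principal client, @RequestParam Map<String, String> params)
                throws HttpRequestMethodNotSupportedException {
            return tokenEndpoint.postAccessToken(client, params); // rejects an unauthenticated client
        }
    }
}
```

The filter is registered with http.addFilterAfter in place of JWTAuthenticationFilter, and the controller's Principal is the client Authentication that the filter placed in the SecurityContext for /user/verify.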