Spring Security OAuth2接受JSON

ycggw6v2  于 2024-01-05  发布在  Spring
关注(0)|答案(6)|浏览(177)

我从Spring OAuth2开始。我想以application/json格式将用户名和密码发送到POST主体中的/oauth/token端点。

  1. curl -X POST -H "Authorization: Basic YWNtZTphY21lc2VjcmV0" -H "Content-Type: application/json" -d '{
  2. "username": "user",
  3. "password": "password",
  4. "grant_type": "password"
  5. }' "http://localhost:9999/api/oauth/token"

字符串
这可能吗?
你能给予我一个建议吗?

spring

6条答案

按热度按时间
ua4mk5z4

ua4mk5z41#

解决方案(不确定是否正确,但它缝,它是工作):
资源服务器配置:

  1. @Configuration
  2. public class ServerEndpointsConfiguration extends ResourceServerConfigurerAdapter {
  4.     @Autowired
  5.     JsonToUrlEncodedAuthenticationFilter jsonFilter;
  7.     @Override
  8.     public void configure(HttpSecurity http) throws Exception {
  9.         http
  10.             .addFilterBefore(jsonFilter, ChannelProcessingFilter.class)
  11.             .csrf().and().httpBasic().disable()
  12.             .authorizeRequests()
  13.             .antMatchers("/test").permitAll()
  14.             .antMatchers("/secured").authenticated();
  15.     }
  16. }

字符串
筛选器:

  1. @Component
  2. @Order(value = Integer.MIN_VALUE)
  3. public class JsonToUrlEncodedAuthenticationFilter implements Filter {
  5.     @Override
  6.     public void init(FilterConfig filterConfig) throws ServletException {
  7.     }
  9.     @Override
  10.     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
  11.             ServletException {
  12.         if (Objects.equals(request.getContentType(), "application/json") && Objects.equals(((RequestFacade) request).getServletPath(), "/oauth/token")) {
  13.             InputStream is = request.getInputStream();
  14.             ByteArrayOutputStream buffer = new ByteArrayOutputStream();
  16.             int nRead;
  17.             byte[] data = new byte[16384];
  19.             while ((nRead = is.read(data, 0, data.length)) != -1) {
  20.                 buffer.write(data, 0, nRead);
  21.             }
  22.             buffer.flush();
  23.             byte[] json = buffer.toByteArray();
  25.             HashMap<String, String> result = new ObjectMapper().readValue(json, HashMap.class);
  26.             HashMap<String, String[]> r = new HashMap<>();
  27.             for (String key : result.keySet()) {
  28.                 String[] val = new String[1];
  29.                 val[0] = result.get(key);
  30.                 r.put(key, val);
  31.             }
  33.             String[] val = new String[1];
  34.             val[0] = ((RequestFacade) request).getMethod();
  35.             r.put("_method", val);
  37.             HttpServletRequest s = new MyServletRequestWrapper(((HttpServletRequest) request), r);
  38.             chain.doFilter(s, response);
  39.         } else {
  40.             chain.doFilter(request, response);
  41.         }
  42.     }
  44.     @Override
  45.     public void destroy() {
  46.     }
  47. }


请求 Package 器:

  1. public class MyServletRequestWrapper extends HttpServletRequestWrapper {
  2.     private final HashMap<String, String[]> params;
  4.     public MyServletRequestWrapper(HttpServletRequest request, HashMap<String, String[]> params) {
  5.         super(request);
  6.         this.params = params;
  7.     }
  9.     @Override
  10.     public String getParameter(String name) {
  11.         if (this.params.containsKey(name)) {
  12.             return this.params.get(name)[0];
  13.         }
  14.         return "";
  15.     }
  17.     @Override
  18.     public Map<String, String[]> getParameterMap() {
  19.         return this.params;
  20.     }
  22.     @Override
  23.     public Enumeration<String> getParameterNames() {
  24.         return new Enumerator<>(params.keySet());
  25.     }
  27.     @Override
  28.     public String[] getParameterValues(String name) {
  29.         return params.get(name);
  30.     }
  31. }


授权服务器配置(禁用/oauth/token端点的基本授权:

  1. @Configuration
  2. public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
  4.     ...
  6.     @Override
  7.     public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
  8.         oauthServer.allowFormAuthenticationForClients(); // Disable /oauth/token Http Basic Auth
  9.     }
  11.     ...
  13. }

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
vql8enpb

vql8enpb2#

根据OAuth 2规范,
客户端通过向令牌端点发送
下面的参数使用“application/x-www-form-urlencoded”
访问令牌请求应使用application/x-www-form-urlencoded
在Spring Security中,Resource Owner Password Credentials Grant Flow由Spring Security中的ResourceOwnerPasswordTokenGranter#getOAuth2Authentication处理:

  1. protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) {
  2.     Map parameters = clientToken.getAuthorizationParameters();
  3.     String username = (String)parameters.get("username");
  4.     String password = (String)parameters.get("password");
  5.     UsernamePasswordAuthenticationToken userAuth = new UsernamePasswordAuthenticationToken(username, password);

字符串
您可以发送usernamepassword来请求参数。
如果你真的需要使用JSON,有一个解决方案。正如你所看到的,usernamepassword是从请求参数中检索的。因此,如果你将它们从JSON主体传递到请求参数中,它将工作。
这个想法是这样的:
1.创建自定义Spring安全过滤器。
1.在您的自定义过滤器中,创建一个子类HttpRequestWrapper的类。该类允许您 Package 原始请求并从JSON获取参数。
1.在HttpRequestWrapper的子类中,解析请求体中的JSON,得到usernamepasswordgrant_type,并将它们与原始请求参数一起放入新的HashMap中。然后,重写getParameterValuesgetParametergetParameterNamesgetParameterMap的方法,以返回来自新HashMap的值
1.将打包后的请求传递到过滤器链中。
1.在Spring Security Config中配置自定义过滤器。
希望本文能够帮助

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
flseospp

flseospp3#

对于Spring Security 5,我只需要添加.allowFormAuthenticationForClients()+在另一个答案中提到的JsontoUrlEncodedAuthenticationFilter,就可以让它接受json和x-form post数据。不需要注册资源服务器或任何东西。

赞(0)分享  回复(0)举报  2024-01-05
yzckvree

yzckvree4#

你也可以修改@ jakub-kopaiva解决方案来支持oauth的http基本认证。
资源服务器配置:

  1. @Configuration
  2. public class ServerEndpointsConfiguration extends ResourceServerConfigurerAdapter {
  4.     @Autowired
  5.     JsonToUrlEncodedAuthenticationFilter jsonFilter;
  7.     @Override
  8.     public void configure(HttpSecurity http) throws Exception {
  9.         http
  10.             .addFilterAfter(jsonFilter, BasicAuthenticationFilter.class)
  11.             .csrf().disable()
  12.             .authorizeRequests()
  13.             .antMatchers("/test").permitAll()
  14.             .antMatchers("/secured").authenticated();
  15.     }
  16. }

字符串
使用内部RequestWrapper的过滤器

  1. @Component
  2. public class JsonToUrlEncodedAuthenticationFilter extends OncePerRequestFilter {
  4.     @Override
  5.     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
  7.         if (Objects.equals(request.getServletPath(), "/oauth/token") && Objects.equals(request.getContentType(), "application/json")) {
  9.             byte[] json = ByteStreams.toByteArray(request.getInputStream());
  11.             Map<String, String> jsonMap = new ObjectMapper().readValue(json, Map.class);;
  12.             Map<String, String[]> parameters =
  13.                     jsonMap.entrySet().stream()
  14.                             .collect(Collectors.toMap(
  15.                                     Map.Entry::getKey,
  16.                                     e ->  new String[]{e.getValue()})
  17.                             );
  18.             HttpServletRequest requestWrapper = new RequestWrapper(request, parameters);
  19.             filterChain.doFilter(requestWrapper, response);
  20.         } else {
  21.             filterChain.doFilter(request, response);
  22.         }
  23.     }
  25.     private class RequestWrapper extends HttpServletRequestWrapper {
  27.         private final Map<String, String[]> params;
  29.         RequestWrapper(HttpServletRequest request, Map<String, String[]> params) {
  30.             super(request);
  31.             this.params = params;
  32.         }
  34.         @Override
  35.         public String getParameter(String name) {
  36.             if (this.params.containsKey(name)) {
  37.                 return this.params.get(name)[0];
  38.             }
  39.             return "";
  40.         }
  42.         @Override
  43.         public Map<String, String[]> getParameterMap() {
  44.             return this.params;
  45.         }
  47.         @Override
  48.         public Enumeration<String> getParameterNames() {
  49.             return new Enumerator<>(params.keySet());
  50.         }
  52.         @Override
  53.         public String[] getParameterValues(String name) {
  54.             return params.get(name);
  55.         }
  56.     }
  57. }


你还需要允许x-www-form-urlencoded身份验证

  1. @Configuration
  2. public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
  4.     ...
  6.     @Override
  7.     public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
  8.         oauthServer.allowFormAuthenticationForClients();
  9.     }
  11.     ...
  13. }


通过这种方法,你仍然可以使用基本的auth来使用oauth token和json请求token,如下所示:
表头:

  1. Authorization: Basic bG9yaXpvbfgzaWNwYQ==


正文部分:

  1. {
  2.     "grant_type": "password", 
  3.     "username": "admin", 
  4.     "password": "1234"
  5. }

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
txu3uszq

txu3uszq5#

您可以使用以下代码修改@ jakub-kopadriva解决方案以仅实现授权服务器。

  1. @Configuration
  2.  @Order(Integer.MIN_VALUE)
  3.  public class AuthorizationServerSecurityConfiguration
  4.     extends org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration {
  6.       @Autowired
  7.       JsonToUrlEncodedAuthenticationFilter jsonFilter;
  9.       @Override
  10.       protected void configure(HttpSecurity httpSecurity) throws Exception {
  11.              httpSecurity
  12.                    .addFilterBefore(jsonFilter, ChannelProcessingFilter.class);
  13.              super.configure(httpSecurity);
  14.       }
  16. }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
yk9xbfzb

yk9xbfzb6#

你好,基于@Jakub Kopkyiva的回答,我已经做了改进,以创建工作的集成测试。只是让你知道, Catalina RequestFacade在Junit中抛出一个错误,而mockmvc使用的MockHttpServletRequest在过滤器中不包含我期望的字段“request”(因此在使用getDeclaredField()时抛出NoSuchFieldException):Field f = request.getClass().getDeclaredField("request");
这就是为什么我使用“Rest Assured”。然而,在这一点上,我遇到了另一个问题,即无论出于何种原因,即使我使用MediaType.APPLICATION_JSON_VALUE,“application/json”的内容类型也会被覆盖到“application/json; charset=utf8”中。然而,条件会查找类似于“application/json;charset=UTF-8”的内容,它位于MediaType.APPLICATION_JSON_UTF8_VALUE后面,并且结论是这将始终是false。
因此,我的行为就像我在PHP中编码时所做的那样,我已经规范化了字符串(所有字符都是小写,没有空格)。

  • JsonToUrlEncodedAuthenticationFilter.java
  1. package com.example.springdemo.configs;
  3. import com.fasterxml.jackson.databind.ObjectMapper;
  4. import lombok.SneakyThrows;
  5. import org.apache.catalina.connector.Request;
  6. import org.springframework.core.annotation.Order;
  7. import org.springframework.http.MediaType;
  8. import org.springframework.security.web.savedrequest.Enumerator;
  9. import org.springframework.stereotype.Component;
  11. import javax.servlet.*;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletRequestWrapper;
  14. import java.io.BufferedReader;
  15. import java.io.InputStream;
  16. import java.io.InputStreamReader;
  17. import java.lang.reflect.Field;
  18. import java.util.*;
  19. import java.util.stream.Collectors;
  21. @Component
  22. @Order(value = Integer.MIN_VALUE)
  24. public class JsonToUrlEncodedAuthenticationFilter implements Filter {
  26.     private final ObjectMapper mapper;
  28.     public JsonToUrlEncodedAuthenticationFilter(ObjectMapper mapper) {
  29.         this.mapper = mapper;
  30.     }
  32.     @Override
  33.     public void init(FilterConfig filterConfig) {
  34.     }
  36.     @Override
  37.     @SneakyThrows
  38.     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
  39.         Field f = request.getClass().getDeclaredField("request");
  40.         f.setAccessible(true);
  41.         Request realRequest = (Request) f.get(request);
  43.        //Request content type without spaces (inner spaces matter)
  44.        //trim deletes spaces only at the beginning and at the end of the string
  45.         String contentType = realRequest.getContentType().toLowerCase().chars()
  46.                 .mapToObj(c -> String.valueOf((char) c))
  47.                 .filter(x->!x.equals(" "))
  48.                 .collect(Collectors.joining());
  50.         if ((contentType.equals(MediaType.APPLICATION_JSON_UTF8_VALUE.toLowerCase())||
  51.                 contentType.equals(MediaType.APPLICATION_JSON_VALUE.toLowerCase()))
  52.                         && Objects.equals((realRequest).getServletPath(), "/oauth/token")) {
  54.             InputStream is = realRequest.getInputStream();
  55.             try (BufferedReader br = new BufferedReader(new InputStreamReader(is), 16384)) {
  56.                 String json = br.lines()
  57.                         .collect(Collectors.joining(System.lineSeparator()));
  58.                 HashMap<String, String> result = mapper.readValue(json, HashMap.class);
  59.                 HashMap<String, String[]> r = new HashMap<>();
  61.                 for (String key : result.keySet()) {
  62.                     String[] val = new String[1];
  63.                     val[0] = result.get(key);
  64.                     r.put(key, val);
  65.                 }
  66.                 String[] val = new String[1];
  67.                 val[0] = (realRequest).getMethod();
  68.                 r.put("_method", val);
  70.                 HttpServletRequest s = new MyServletRequestWrapper(((HttpServletRequest) request), r);
  71.                 chain.doFilter(s, response);
  72.             }
  74.         } else {
  75.             chain.doFilter(request, response);
  76.         }
  77.     }
  79.     @Override
  80.     public void destroy() {
  81.     }
  83.     class MyServletRequestWrapper extends HttpServletRequestWrapper {
  84.         private final HashMap<String, String[]> params;
  86.         MyServletRequestWrapper(HttpServletRequest request, HashMap<String, String[]> params) {
  87.             super(request);
  88.             this.params = params;
  89.         }
  91.         @Override
  92.         public String getParameter(String name) {
  93.             if (this.params.containsKey(name)) {
  94.                 return this.params.get(name)[0];
  95.             }
  96.             return "";
  97.         }
  99.         @Override
  100.         public Map<String, String[]> getParameterMap() {
  101.             return this.params;
  102.         }
  104.         @Override
  105.         public Enumeration<String> getParameterNames() {
  106.             return new Enumerator<>(params.keySet());
  107.         }
  109.         @Override
  110.         public String[] getParameterValues(String name) {
  111.             return params.get(name);
  112.         }
  113.     }

字符串
Here is the repo with the integration test

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com