3

我需要你对无状态 Spring Security 的帮助。我编写了授权用户的服务,我的security.xml

<http use-expressions="true" create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">        
    <intercept-url pattern="/auth/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />      
    <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>                         
</http> 

<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
      <beans:property name="authenticationManager" ref="authenticationManager"/>    
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService" /> 
</authentication-manager>

它没有说明,这就是为什么在我的身份验证之后,当我想通过另一个 URL 获取任何东西时,它需要我 401 Unauthorized。我听说过令牌,但我不知道如何实现这一点。

4

1 回答 1

0

马克西姆斯,

这是我在类似情况下所做的:

使用 OAuth - http://oauth.net/

有多个实现 OAuth 规范的库

http://tools.ietf.org/html/rfc6749

Spring 有一个易于配置的实现。为此,Spring 提供了两个示例应用程序(服务器和客户端)。教程可在以下位置获得:

https://github.com/SpringSource/spring-security-oauth/wiki/tutorial

示例工作配置:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xmlns:ss="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/security/oauth2 
        http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/jdbc 
        http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
        http://www.springframework.org/schema/tx 
        http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
        http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/util 
        http://www.springframework.org/schema/util/spring-util.xsd
        ">

    <ss:http pattern="/test/customer/**" create-session="stateless"
        access-decision-manager-ref="accessDecisionManager"
        entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
        <ss:anonymous enabled="false" />
        <ss:intercept-url pattern="/test/customer/welcome*"
            access="ROLE_USER" />
        <ss:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <ss:access-denied-handler ref="oauth2AccessDeniedHandler" />
    </ss:http>

    <ss:http pattern="/oauth/token" create-session="stateless"
        entry-point-ref="oauthAuthenticationEntryPoint"
        authentication-manager-ref="authenticationManager">
        <ss:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <ss:anonymous enabled="false" />
        <ss:custom-filter ref="clientCredentialsTokenEndpointFilter"
            before="BASIC_AUTH_FILTER" />
        <ss:access-denied-handler ref="oauth2AccessDeniedHandler" />
    </ss:http>

    <ss:authentication-manager alias="authenticationManager">
        <ss:authentication-provider ref="myAuthenticationProvider" />
    </ss:authentication-manager>

    <oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices" />

    <bean id="myAuthenticationProvider" class="com.sachin.test.ws.user.MyUserAuthenticationProvider" />

    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="myCustomerAppRealm" />
    </bean>

    <bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetailsService" />
    </bean>

    <oauth:authorization-server
        client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>


    <oauth:client-details-service id="clientDetailsService">
        <oauth:client client-id="admin"
            authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
            authorities="ROLE_USER, ROLE_TRUSTED_CLIENT" scope="read,write,trust"
            access-token-validity="60" />
    </oauth:client-details-service>

    <bean id="oauth2AccessDeniedHandler"
        class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />

    <bean id="clientCredentialsTokenEndpointFilter"
        class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
        xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="tokenStore"
        class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

    <bean id="tokenServices"
        class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
    </bean>

</beans>

将此添加到 web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

您需要阅读 OAuth 和 Spring 安全性规范以了解我所做的事情。您可以扩展此代码以使用您的数据库在多个服务器之间进行身份验证和令牌共享。

希望这可以帮助。

于 2013-04-26T11:29:42.570 回答