0

我需要添加额外的限制来验证用户。我的用户模型有一个“活动”字段。当用户注册但未使用邮件中的哈希激活他的帐户时,这是错误的。现在,即使用户不活跃,他也会从 Oauth 获得 access_token。我应该如何配置这个?我在考虑 SpringSecurityInterceptor,但我不确定将 Spring Security 与 OAuth2 混淆。这是我的 SpringOAuth2.0 配置:

   @Configuration
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    private static final String RESOURCE_ID = "restservice";

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
        ResourceServerConfigurerAdapter {


    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
                .resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .requestMatcher(new OrRequestMatcher(
                        new AntPathRequestMatcher("/rest/**")
                ))
                .authorizeRequests()

                .anyRequest().access("#oauth2.hasScope('read')");
    }

}


@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends
        AuthorizationServerConfigurerAdapter {

    private TokenStore tokenStore = new InMemoryTokenStore();

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
                .tokenStore(this.tokenStore)
                .authenticationManager(this.authenticationManager)
                .userDetailsService(userDetailsService)
                .pathMapping("/oauth/token", "/rest/oauth/token");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
                .inMemory()
                .withClient("clientapp")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                .authorities("USER")
                .scopes("read", "write", "trust")
                .resourceIds(RESOURCE_ID)


                  .secret("123456");
        }

    }

}

还有 Spring 安全性

    @Configuration
@Order(2147483640)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    UserDetailsService userDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
                .authorizeRequests()
                .antMatchers("/user/**").authenticated()
                .anyRequest().permitAll()
                .and()
                .formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .passwordParameter("password")
                .defaultSuccessUrl("/user/")
                .successHandler(successHandler())
                .and()
                .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
                .rememberMe()
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(86400)
                .and()
                .csrf().disable();
    }

    @Bean
    public AuthenticationSuccessHandler successHandler() {
        return new UserLoginSuccessHandler();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(dataSource);
        return tokenRepositoryImpl;
    }

    @Bean
    public SpringSecurityDialect securityDialect() {
        return new SpringSecurityDialect();
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {

        return super.authenticationManagerBean();
    }
}

任何意见将是有益的。

4

1 回答 1

0

如果我理解正确,您不希望您的授权服务器为未激活的用户授予访问令牌?

如果用户存在但未激活,您可以让您UserDetailsService.loadUserByUsername抛出 a 。UsernameNotFoundException

于 2016-04-04T19:05:20.470 回答