2

Spring Boot OAuth2 SSO with access/refresh tokens not stored correctly in the database

Based on this example https://spring.io/guides/tutorials/spring-boot-oauth2/ I have implemented an application with SSO via social networks. To improve this approach and store the access/refresh tokens in my database, I have added the oauth_client_token table:

    CREATE TABLE IF NOT EXISTS oauth_client_token (
        token_id VARCHAR(255),
        token BLOB,
        authentication_id VARCHAR(255),
        user_name VARCHAR(255),
        client_id VARCHAR(255),
        PRIMARY KEY(authentication_id)
    );

and, in order to return true from the AuthorizationCodeResourceDetails.isClientOnly() method, extended the ClientResources class:

    import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
    import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;

    class ClientResources {

        // Anonymous subclass: reports the resource as "client only" so the token
        // provider chain does not require an authenticated user to be present
        private OAuth2ProtectedResourceDetails client = new AuthorizationCodeResourceDetails() {

            @Override
            public boolean isClientOnly() {
                return true;
            }

        };
        private ResourceServerProperties resource = new ResourceServerProperties();

        public OAuth2ProtectedResourceDetails getClient() {
            return client;
        }

        public ResourceServerProperties getResource() {
            return resource;
        }

    }

This is my SSO filter:

    // Fields referenced here (oauth2ClientContext, dataSource, okService, apiUrl,
    // eventService) are injected elsewhere in the configuration class
    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter clientFilter = new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);

        // Provider chain backed by JdbcClientTokenServices so obtained tokens are
        // persisted to the oauth_client_token table
        AccessTokenProviderChain tokenProviderChain = new AccessTokenProviderChain(
                new ArrayList<>(Arrays.asList(new AuthorizationCodeAccessTokenProvider())));
        tokenProviderChain.setClientTokenServices(new JdbcClientTokenServices(dataSource));
        oAuth2RestTemplate.setAccessTokenProvider(tokenProviderChain);

        clientFilter.setRestTemplate(oAuth2RestTemplate);
        clientFilter.setTokenServices(new OkUserInfoTokenServices(okService, client.getClient().getClientId(), apiUrl, eventService));
        clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
        return clientFilter;
    }

Now I am not sure that I have implemented this logic in the right way and not as a dirty hack.

Please tell me whether I have implemented this in the correct way.

UPDATE

I am sure now that it is not implemented correctly, because for 2 different users I have only one record in my oauth_client_token table.. The authentication object is null, and authentication_id is computed based on the OAuth2 client_id only.. which is wrong. I need to persist the token when authentication is not null.. but I don't know how to do that with the current implementation of OAuth2ClientAuthenticationProcessingFilter.

Right now, in the current version of spring-security-oauth2 (2.0.8.RELEASE), we have only one strangely commented method inside OAuth2ClientAuthenticationProcessingFilter.successfulAuthentication:

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
        // Nearly a no-op, but if there is a ClientTokenServices then the token will now be stored
        restTemplate.getAccessToken();
    }

How do I implement it correctly?
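The symptom in the update (one row for two users, user_name null, authentication_id derived from client_id alone) is what a client-only key looks like: once the principal is not part of the key, every user of the same OAuth2 client maps to the same authentication_id and each login overwrites the previous user's token. The following is an added example, not the asker's code and not part of spring-security-oauth2: a ClientKeyGenerator that binds the key to the authenticated user and refuses to produce a key when no authenticated principal is available, so a user-less token can never be written silently. It assumes the ClientKeyGenerator interface and JdbcClientTokenServices.setClientKeyGenerator from spring-security-oauth2; the class name PerUserClientKeyGenerator and the hashing scheme are this example's own choices.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.ClientKeyGenerator;
import org.springframework.security.oauth2.client.token.JdbcClientTokenServices;
import org.springframework.security.oauth2.common.util.OAuth2Utils;

/**
 * Added example (hypothetical class, not from the question or from Spring):
 * derives oauth_client_token.authentication_id from the user as well as the
 * client, so two users of one client never collapse into a single row.
 */
public class PerUserClientKeyGenerator implements ClientKeyGenerator {

    @Override
    public String extractKey(OAuth2ProtectedResourceDetails resource, Authentication authentication) {
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            // Fail closed: a key without a principal is exactly the shared-row
            // condition described in the question, so refuse to build one.
            throw new IllegalStateException(
                    "refusing to derive a token key without an authenticated user");
        }

        // Insertion-ordered map so the hashed string is deterministic
        Map<String, String> values = new LinkedHashMap<>();
        values.put("username", authentication.getName());
        values.put("client_id", resource.getClientId());
        if (resource.getScope() != null) {
            values.put("scope", OAuth2Utils.formatParameterList(resource.getScope()));
        }
        // 64 hex chars fits the VARCHAR(255) authentication_id column from the question
        return sha256Hex(values.toString());
    }

    /** Wires the generator into the JDBC token store used by the SSO filter. */
    public static JdbcClientTokenServices tokenServices(DataSource dataSource) {
        JdbcClientTokenServices services = new JdbcClientTokenServices(dataSource);
        services.setClientKeyGenerator(new PerUserClientKeyGenerator());
        return services;
    }

    private static String sha256Hex(String input) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] bytes = digest.digest(input.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, bytes));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

With this generator in place, a second user logging in produces a different authentication_id and therefore a separate row, and any code path that still reaches the token store with a null or anonymous Authentication surfaces as an exception at the point of storage rather than as a silently shared token. A quick check after deployment is to log in as two distinct users and confirm that oauth_client_token holds two rows with distinct user_name values.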

Answer