Spring Boot OAuth2 SSO with access/refresh token not stored correctly in database

Based on this example https://spring.io/guides/tutorials/spring-boot-oauth2/ I have implemented an application with SSO via social networks. To improve this approach and store the access/refresh tokens in my database, I have added the oauth_client_token table:
```sql
CREATE TABLE IF NOT EXISTS oauth_client_token (
    token_id          VARCHAR(255),
    token             BLOB,
    authentication_id VARCHAR(255),
    user_name         VARCHAR(255),
    client_id         VARCHAR(255),
    PRIMARY KEY (authentication_id)
);
```
and, in order for the AuthorizationCodeResourceDetails.isClientOnly() method to return true, I extended the ClientResources class:
```java
class ClientResources {

    private OAuth2ProtectedResourceDetails client = new AuthorizationCodeResourceDetails() {
        @Override
        public boolean isClientOnly() {
            return true;
        }
    };

    private ResourceServerProperties resource = new ResourceServerProperties();

    public OAuth2ProtectedResourceDetails getClient() {
        return client;
    }

    public ResourceServerProperties getResource() {
        return resource;
    }
}
```
This is my SSO filter:
```java
private Filter ssoFilter(ClientResources client, String path) {
    OAuth2ClientAuthenticationProcessingFilter clientFilter = new OAuth2ClientAuthenticationProcessingFilter(path);
    OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
    AccessTokenProviderChain tokenProviderChain = new AccessTokenProviderChain(
            new ArrayList<>(Arrays.asList(new AuthorizationCodeAccessTokenProvider())));
    tokenProviderChain.setClientTokenServices(new JdbcClientTokenServices(dataSource));
    oAuth2RestTemplate.setAccessTokenProvider(tokenProviderChain);
    clientFilter.setRestTemplate(oAuth2RestTemplate);
    clientFilter.setTokenServices(new OkUserInfoTokenServices(okService, client.getClient().getClientId(), apiUrl, eventService));
    clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
    return clientFilter;
}
```
Now I am not sure whether I have implemented this logic in the right way rather than as a dirty hack. Please tell me if I have implemented this correctly.
EDIT
I am sure now that it is an incorrect implementation, because for 2 different users I have only one record in my oauth_client_token table. The authentication object is null, and authentication_id is computed based on the OAuth2 client_id only, which is wrong. I need to persist the token when the authentication is not null, but I don't know how to do that with the current implementation of OAuth2ClientAuthenticationProcessingFilter.
In the current version of spring-security-oauth2, 2.0.8.RELEASE, we have only one oddly commented method, OAuth2ClientAuthenticationProcessingFilter.successfulAuthentication:
```java
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        FilterChain chain, Authentication authResult) throws IOException, ServletException {
    super.successfulAuthentication(request, response, chain, authResult);
    // Nearly a no-op, but if there is a ClientTokenServices then the token will now be stored
    restTemplate.getAccessToken();
}
```
How do I implement it correctly?
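The following is an added illustration of the collision described in the edit above; it is not code from the question or from spring-security-oauth2. It assumes that JdbcClientTokenServices derives authentication_id the way the library's default client key generator does (an MD5 over the principal name, client_id and scope, with the principal name only present when an Authentication object is available), so with a null Authentication every user of one client maps to the same primary key:

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified, stand-alone model of the key derivation (assumption, see lead-in).
public class ClientTokenKeyDemo {

    // Returns the value that would be stored in oauth_client_token.authentication_id.
    static String extractKey(String clientId, String scope, String username) {
        Map<String, String> values = new LinkedHashMap<>();
        if (username != null) {          // a null Authentication contributes no username
            values.put("username", username);
        }
        values.put("client_id", clientId);
        if (scope != null) {
            values.put("scope", scope);
        }
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] digest = md5.digest(values.toString().getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    public static void main(String[] args) {
        String clientId = "my-client";   // constructed sample values
        String scope = "read";

        // Store path as in the question: Authentication is null while the token is saved,
        // so the key for user A and user B is identical and the second insert hits the same row.
        String keyUserA = extractKey(clientId, scope, null);
        String keyUserB = extractKey(clientId, scope, null);
        System.out.println("authentication_id for user A (auth == null): " + keyUserA);
        System.out.println("authentication_id for user B (auth == null): " + keyUserB);
        System.out.println("same PRIMARY KEY: " + keyUserA.equals(keyUserB));

        // With a non-null Authentication the principal name is mixed in and the rows stay distinct.
        String keyAlice = extractKey(clientId, scope, "alice");
        String keyBob = extractKey(clientId, scope, "bob");
        System.out.println("distinct keys once the principal is known: " + !keyAlice.equals(keyBob));
    }
}
```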