2014-09-23 130 views
0

I'm trying to build a basic REST service with Spring Security and OAuth 2.0 for authentication and authorization, implementing Spring Security OAuth without any XML configuration.

I'm trying to limit the number of elements involved, so I'm not using the Spring Security OAuth classes directly to replicate the Spring Security OAuth XML configuration, which depends on Spring beans, Spring MVC and so on.

I've hit a roadblock trying to get an access token from /oauth/token. I'm probably missing something basic, but Spring Security and Spring Security OAuth are both hard to wrap my head around, and I can't seem to find an example or tutorial that doesn't require additional frameworks.

Can anyone see where I'm going wrong?

RestService.java

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.springframework.security.access.annotation.Secured;

@Path("/members")
public class RestService {

    // Only users holding ROLE_USER may call this resource.
    @Secured({"ROLE_USER"})
    @GET
    @Path("/{id}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response readMember(@PathParam("id") String id) {

        // "members" is a list populated elsewhere (not shown in the question).
        String output;
        if (Integer.valueOf(id) < members.size()) {
            output = members.get(Integer.valueOf(id)).toString();
        } else {
            output = "No such member.";
        }

        return Response.status(200).entity(output).build();
    }
}

OAuthServices.java

import java.util.HashMap;
import java.util.Map;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;

public class OAuthServices {

    static private DefaultTokenServices tokenServices = new DefaultTokenServices();
    static private InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();

    static {
        // One client "client" with resource id "resource" and scopes read,write;
        // grant types and authorities are left null.
        Map<String, ClientDetails> clientDetailsStore = new HashMap<String, ClientDetails>();
        BaseClientDetails clientDetails = new BaseClientDetails("client", "resource", null, null, "read,write");
        clientDetailsStore.put("client", clientDetails);
        clientDetailsService.setClientDetailsStore(clientDetailsStore);
    }

    public static DefaultTokenServices getTokenServices() {
        return tokenServices;
    }

    public static InMemoryClientDetailsService getClientDetailsService() {
        return clientDetailsService;
    }
}

SecurityConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@EnableAuthorizationServer
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter implements AuthorizationServerConfigurer {

    @Configuration
    protected static class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

        // In-memory users for the resource owners.
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
        }

    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // TODO Auto-generated method stub

    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // TODO Auto-generated method stub

    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // TODO Auto-generated method stub

    }
}

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <servlet>
        <servlet-name>jersey-helloworld-servlet</servlet-name>
        <servlet-class>
            org.glassfish.jersey.servlet.ServletContainer
        </servlet-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>com.excentus.springsecurity.rest.test</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>jersey-helloworld-servlet</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
</web-app>
+0

That's a lot of code to hope people will review. If possible, I'd suggest stating your problem more concisely. – 2014-09-23 20:57:54

+0

I thought it could be referred to if necessary, but most of it shouldn't be relevant. If it's inappropriate I can cut it down. – 2014-09-23 21:02:50

Answer

0

I can see 2 mistakes (maybe not the whole story).

  1. You are using web.xml, but there is no Spring Security filter defined there. It's boilerplate, but you have to do it (unless you switch to a more modern way of writing your app with Spring Boot). Example (from the docs):

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  2. You have implemented AuthorizationServerConfigurer but not implemented any of its methods. At the very least you need to provide client details, e.g. (from the [integration tests](https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/vanilla/src/main/java/demo/Application.java)):

    @Override 
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
        clients.inMemory() 
         .withClient("my-trusted-client") 
          .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") 
          .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") 
          .scopes("read", "write", "trust") 
          .resourceIds("oauth2-resource") 
          .accessTokenValiditySeconds(60); 
    } 
    

Your static convenience class OAuthServices is also an anti-pattern, but it doesn't break anything (I don't think it's used anywhere either, but maybe I missed it).
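Putting the answer's two points together, here is an added example (not the answer's or the Spring project's code) of what the question's SecurityConfig could become once the client is registered and the token endpoint gets an AuthenticationManager; it assumes Spring Security 3.2 with Spring Security OAuth 2.0.x outside Spring Boot, keeps the question's users, client id "client", resource id "resource" and scopes, uses a constructed client secret, and still relies on the springSecurityFilterChain filter from point 1 being in web.xml.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Resource owners whose credentials the password grant will check (same users as the question).
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // exposed as a bean for the authorization server below
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // Register the OAuth client; until this exists, /oauth/token has no client to authenticate.
            clients.inMemory()
                .withClient("client").secret("client-secret") // secret is a constructed value
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write").resourceIds("resource")
                .accessTokenValiditySeconds(600);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // The password grant needs an AuthenticationManager to verify the user's credentials.
            endpoints.authenticationManager(authenticationManager);
        }
    }
}
```

With this in place, OAuthServices is no longer needed: the client store and token services are created by the authorization server configuration itself.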
