
是否可以按照我自己的邏輯，使用 OAuth 協議創建 clientid 並為其生成訪問令牌，以此來保護 API？

在下面的 spring-security.xml 配置中，令牌是自動生成的；但我想在 API 中改用 clientid 以及為該 clientid 生成的訪問令牌（保存在 DB 中）來實現認證。

<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:context="http://www.springframework.org/schema/context" 
xmlns:oauth="http://www.springframework.org/schema/security/oauth2" 
xmlns:sec="http://www.springframework.org/schema/security" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.1.xsd 
http://www.springframework.org/schema/security/oauth2 
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd 
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.1.xsd"> 

<!-- Just for testing... Both approval cache endpoints are mapped with security="none", i.e. they bypass the
     security filter chain completely and are reachable by anyone. Remove (or protect) these two lines before
     this configuration leaves a test environment. -->
<http pattern="/oauth/cache_approvals" security="none" xmlns="http://www.springframework.org/schema/security" />
<http pattern="/oauth/uncache_approvals" security="none" xmlns="http://www.springframework.org/schema/security" />

<!-- Filter chain for the token endpoint. Callers are authenticated as OAuth2 *clients* through
     clientAuthenticationManager (not as end users) and no HTTP session is created (create-session="stateless"). -->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <!-- Only a fully authenticated client may obtain a token; anonymous access is switched off right below. -->
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <!-- Client id/secret normally arrive via HTTP Basic; failures are rendered by clientAuthenticationEntryPoint. -->
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters (client_id/client_secret in the
         request body). It is a second way for the secret to travel, e.g. into access logs; drop it if Basic suffices. -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
    separately. This isn't mandatory, but it makes it easier to control the behaviour.
    NOTE(review): "/test/*" looks like a single-segment Ant pattern; deeper paths under /test would not match this
    chain, and no catch-all <http> chain is declared in this file — confirm every protected URL really matches. -->
<http pattern="/test/*" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    <!-- A request without a valid bearer token must not fall back to an anonymous principal. -->
    <anonymous enabled="false" />
    <!-- Requires ROLE_USER on the authenticated principal. The ScopeVoter in accessDecisionManager only votes on
         SCOPE_-prefixed attributes, so as written no token scope is enforced on this URL — presumably intended; verify. -->
    <intercept-url pattern="/test/*" access="ROLE_USER" />
    <!-- resourceServerFilter extracts the bearer token and validates it through tokenServices before the
         authorization decision above is made. -->
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<!-- Entry point for the protected resources: an unauthenticated /test/* request is answered with an OAuth2 error
     response and a challenge for realm "test" (default challenge type, since no typeName is set here) rather than
     a redirect to a login page. -->
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="test" />
</bean>

<!-- Entry point for the token endpoint: challenges clients with HTTP Basic (typeName="Basic") in realm "test/client". -->
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="test/client" />
    <property name="typeName" value="Basic" />
</bean>

<!-- Shared access-denied handler: renders authorization failures in OAuth2 error format for both <http> chains above. -->
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<!-- Lets a client authenticate at /oauth/token by passing client_id/client_secret as request parameters, checked
     against the same clientAuthenticationManager that backs HTTP Basic. Only referenced from the /oauth/token chain,
     where it is marked optional. -->
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>

<!-- Access-decision manager for the /test/* chain. UnanimousBased grants only if no non-abstaining voter denies
     (and, by default, denies when every voter abstains). ScopeVoter votes on SCOPE_-prefixed attributes (token
     scopes), RoleVoter on ROLE_* attributes, AuthenticatedVoter on IS_AUTHENTICATED_* attributes. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
     <list>
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
      <bean class="org.springframework.security.access.vote.RoleVoter" />
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
     </list>
    </constructor-arg>
</bean>

<!-- Authenticates OAuth2 clients (client id + secret) by looking them up in clientDetails through
     clientDetailsUserService. Used by the /oauth/token chain and clientCredentialsTokenEndpointFilter. -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<!-- End-user (resource owner) authentication manager. It holds a single hard-coded demo account with a plain-text
     password and no password encoder — replace it with a real user store before production. The alias
     "authenticationManager" is presumably what the <oauth:password /> grant below resolves by default; confirm. -->
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
     <user-service id="userDetailsService">
      <user name="user" password="password" authorities="ROLE_USER" />
     </user-service>
    </authentication-provider>
</authentication-manager>

<!-- Adapts the ClientDetailsService to Spring Security's UserDetailsService so clientAuthenticationManager can
     verify client credentials (client id as the username, client secret as the password). -->
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<!-- Used for the persistence of tokens (currently an in-memory implementation). In-memory tokens are lost on restart
     and are not shared between instances, so revocation and lookup only work within one JVM; use a persistent
     TokenStore for anything beyond a demo. -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

<!-- Used to create tokens and everything about them except their persistence, which is the responsibility of the
     TokenStore (given here is a default implementation). supportRefreshToken="true" issues a refresh token next to
     each access token. No accessTokenValiditySeconds / refreshTokenValiditySeconds are set, so the class defaults
     apply — set them explicitly when token lifetime matters. -->
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="clientDetailsService" ref="clientDetails" />
</bean>

<!-- Decides whether a user has already approved an authorization request by asking tokenServices whether a token
     already exists for it; used by the authorization server for the browser-based (authorization endpoint) grants. -->
<bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
    <property name="tokenServices" ref="tokenServices" />
</bean>

<!-- authorization-server aka AuthorizationServerTokenServices is an interface that defines everything necessary for token management.
     All five grant types are enabled here; enable only the ones your clients actually need. implicit returns the access
     token in the redirect fragment and password hands end-user credentials to the client, so both should be a deliberate
     choice. NOTE(review): <oauth:password /> carries no authentication-manager-ref; it appears to fall back to the
     default-named manager that the "authenticationManager" alias above provides — confirm against the library version. -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
    user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

<!-- Bearer-token filter used by the /test/* chain: validates tokens through tokenServices and identifies this
     resource server as "test". Neither client below declares resource-ids; whether that skips the resource-id check
     or rejects the token depends on the library version — verify with the version in use. -->
<oauth:resource-server id="resourceServerFilter" resource-id="test" token-services-ref="tokenServices" />
<!-- ClientDetailsService: entry point to the clients database (given is an in-memory implementation). Client secrets
     live in plain text in this file; the answer below replaces this bean with a JDBC-backed one. -->
<oauth:client-details-service id="clientDetails">
<!-- client: authorization_code or client_credentials, scopes limited to read,write,trust. Note that with
     client_credentials and authorities="ROLE_USER" this client can call /test/* with no end user involved. -->
<oauth:client client-id="the_client" authorized-grant-types="authorization_code,client_credentials"
     authorities="ROLE_USER" scope="read,write,trust" secret="secret" />

<!-- Second client: password, authorization_code, refresh_token and implicit. No scope attribute is given —
     check what the library treats as the default (unrestricted vs. none) before relying on it. -->
<oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
     secret="somesecret" authorities="ROLE_USER" />

</oauth:client-details-service>

<!-- Enables pre/post authorization annotations on beans via class proxies (proxy-target-class="true") and plugs in
     the OAuth2-aware expression handler so OAuth2 scope/client expressions can be used in method security. -->
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
    <sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>

<!-- OAuth2-aware method-security expression handler, referenced by global-method-security above. -->
<oauth:expression-handler id="oauthExpressionHandler" />

<!-- OAuth2-aware web (filter-layer) expression handler. Declared but not referenced by either <http> block in this
     file, so it is unused as written; reference it from an <http> expression-handler if URL-level OAuth2 expressions
     are wanted. -->
<oauth:web-expression-handler id="oauthWebExpressionHandler" />

感謝

回答


不要使用下面這段配置：

<!-- The in-memory client list from the question, quoted here without its closing tag. Every client secret sits in
     plain text in the configuration file. -->
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="the_client" authorized-grant-types="authorization_code,client_credentials" authorities="ROLE_USER"   scope="read,write,trust" secret="secret" />
<oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
    secret="somesecret" authorities="ROLE_USER" />

而改用這段：

<!-- Loads client definitions (id, secret, grant types, scopes, ...) from the client-details table through the given
     DataSource, keeping the same bean id so the rest of the configuration is unchanged. Two things the snippet
     leaves out: a "dataSource" bean must exist, and the beans: prefix must be declared — the question's file uses
     the beans schema as its default namespace, so there write <bean>/<constructor-arg> or add an xmlns:beans
     declaration. Secrets move into the table; decide how they are stored (hashed vs. plain) before loading them. -->
<beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
    <beans:constructor-arg ref="dataSource" />
</beans:bean>

也可以創建自己的自定義 ClientDetailsService，就像 spring-oauth 提供的 JdbcClientDetailsService 那樣。

注意：使用 JdbcClientDetailsService 時，oauth-client-details 表必須包含 JdbcClientDetailsService 所需的各個列。


那麼，關鍵問題是：這張表的 DDL 是什麼？我在任何地方都找不到它…… –


https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql – Dejell
