spring security oauth2 client_credentials模 

https://www.jianshu.com/p/1c3eea71410e

序

本文主要简单介绍一下spring security oauth2的client_credentials模式

maven

        <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> 

auth server config

@Configuration @EnableAuthorizationServer //提供/oauth/authorize,/oauth/token,/oauth/check_token,/oauth/confirm_access,/oauth/error public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter { @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .tokenKeyAccess("permitAll()") .checkTokenAccess("isAuthenticated()") //allow check token .allowFormAuthenticationForClients(); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("demoApp") .secret("demoAppSecret") .authorizedGrantTypes("client_credentials", "password", "refresh_token") .scopes("all") .resourceIds("oauth2-resource") .accessTokenValiditySeconds(1200) .refreshTokenValiditySeconds(50000); } } 

resource server config

@Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { } 

demo controller

@RestController @RequestMapping("/api") public class DemoController { @GetMapping("/blog/{id}") public String getBlogById(@PathVariable long id) { return "this is blog "+id; } } 

验证

没有token请求资源

curl -i -H "Accept: application/json" -X GET http://localhost:8080/api/blog/1 

返回

HTTP/1.1 401 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Cache-Control: no-store Pragma: no-cache WWW-Authenticate: Bearer realm="oauth2-resource", error="unauthorized", error_description="Full authentication is required to access this resource" Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Sat, 02 Dec 2017 14:31:51 GMT {"error":"unauthorized","error_description":"Full authentication is required to access this resource"} 

client_credentials请求授权

curl -H "Accept: application/json" demoApp:demoAppSecret@localhost:8080/oauth/token -d grant_type=client_credentials 

或者

curl -H "Accept: application/json" http://localhost:8080/oauth/token -d "grant_type=client_credentials&client_id=demoApp&client_secret=demoAppSecret" 

返回

{"access_token":"6d0ee2b2-c803-49bf-a813-a25bfb59a976","token_type":"bearer","expires_in":1199,"scope":"all"} 

携带token请求资源

curl -i -H "Accept: application/json" -H "Authorization: Bearer 6d0ee2b2-c803-49bf-a813-a25bfb59a976" -X GET http://localhost:8080/api/blog/1 

或者

curl -i -X GET http://localhost:8080/api/blog/1?access_token=fe8bcab3-1d33-4ef1-b1d0-bd142a480af2 

不过这种把token暴露在url中不是太安全

返回

HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: application Content-Type: application/json;charset=UTF-8 Content-Length: 14 Date: Sat, 02 Dec 2017 14:31:09 GMT this is blog 1 

check token

curl -i -X POST -H "Accept: application/json" -u "demoApp:demoAppSecret" http://localhost:8080/oauth/check_token?token=3d47e053-de16-4e6f-8ec7-f9247f425a8e 

返回

HTTP/1.1 403 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Sat, 02 Dec 2017 14:50:32 GMT {"timestamp":1512226232386,"status":403,"error":"Forbidden","message":"Access is denied","path":"/oauth/check_token"} 

需要配置

@Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .tokenKeyAccess("permitAll()") .checkTokenAccess("isAuthenticated()") //allow check token .allowFormAuthenticationForClients(); } 

成功返回

HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: application Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Sat, 02 Dec 2017 14:48:33 GMT {"aud":["oauth2-resource"],"scope":["read"],"exp":1512227200,"client_id":"demoApp"} 

token非法

HTTP/1.1 400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: application Cache-Control: no-store Pragma: no-cache Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Sat, 02 Dec 2017 14:51:33 GMT Connection: close {"error":"invalid_token","error_description":"Token was not recognised"} 

doc

• Trying out OAuth2 via CURL
• 403 Forbidden on /oauth/check_token #28
• How to obtain refresh token when using client credentials? #195
• Spring OAuth Authorization Server Requires Scope
• Spring Security OAuth2 – Simple Token Revocation

增加了文件，另外mvn依赖需要写版本号

<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.0.RELEASE</version>
</dependency>

package com.italkbb.homesecurity.alertmessage.security;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
//import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;


/**
 * Created by wangyunfei on 2017/6/9.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//    @Autowired
//    private DomainUserDetailsService userDetailsService;
 
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .anonymous().disable()
                .authorizeRequests()
//                .antMatchers("/api-docs/**").permitAll();
    }

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
    
/*   
    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
*/
    //不定义没有password grant_type
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    
/*  替换这个不工作，报 null 当调用userDetailsService loadUser时候。
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }
 */   
    
/*    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        System.out.println("");
        
        auth.userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
    }
*/

    @Bean
    public PasswordEncoder passwordEncoder(){
//      return new BCryptPasswordEncoder();
        return new PasswordEncoder() {

            @Override
            public boolean matches(CharSequence rawPassword, String encodedPassword) {
                System.out.println("PasswordEncoder:  raw password:" + rawPassword.toString() + " encoded:" + encodedPassword
                        + "================================");
                return true;
            }

            @Override
            public String encode(CharSequence rawPassword) {
                System.out.println("PasswordEncoder: raw password:" + rawPassword.toString() + "================================");
                return rawPassword.toString();
            }
        };
    }

}