Fra*_*ner 10 java spring handler
Is there a way to add a login success handler with spring-oauth2?
I tried using the basic authentication filter, but it only filters client credentials, not user credentials.
Or do I need to create a custom user authentication manager?
TIA
This solution works for the password flow; for the others I'm not sure. You can add a custom filter at position before="BASIC_AUTH_FILTER" in the http tag of the oauth-server configuration, and implement it by parsing the response of "oauth/token". So create a ByteArrayResponseWrapper to get the response; here I am using the TeeOutputStream class from "org.apache.commons commons-io":

```java
// imports belong at the top of the filter's source file
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.commons.io.output.TeeOutputStream;
import org.springframework.mock.web.DelegatingServletOutputStream; // ships with spring-test

// Nested inside the filter class. Copies everything written to the response so the
// token can be read back after the endpoint has produced it. Only getOutputStream()
// is tee'd (which is what Spring's message converters use); getWriter() is not captured.
private static class ByteArrayResponseWrapper extends HttpServletResponseWrapper {

    private final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();

    public ByteArrayResponseWrapper(ServletResponse response) {
        super((HttpServletResponse) response);
    }

    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        return new DelegatingServletOutputStream(new TeeOutputStream(
                super.getOutputStream(), byteArrayOutputStream));
    }

    public byte[] getByteArray() {
        return this.byteArrayOutputStream.toByteArray();
    }
}
```
I created a token extractor to separate out the code that extracts the access_token:

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// The posted code declared "class OAuth2AccessTokenExtractor implements OAuth2AccessTokenExtractor",
// which cannot compile (a class implementing itself); the self-reference is dropped here.
public class OAuth2AccessTokenExtractor {

    // Jackson 2 assumed; OAuth2AccessToken carries its own Jackson (de)serializers.
    private final ObjectMapper mapper = new ObjectMapper();

    // Parses the JSON body of a successful /oauth/token response and returns the
    // access_token value, or null when the body cannot be parsed.
    public String getAccessTokenValue(byte[] response) {
        try {
            return mapper.readValue(response, OAuth2AccessToken.class).getValue();
        } catch (IOException e) { // also covers JsonParseException and JsonMappingException
            e.printStackTrace();
            return null;
        }
    }
}
```
After creating your filter, override doFilter like this:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.web.filter.GenericFilterBean;

// The answer does not name the filter class; the name below is a placeholder.
// GenericFilterBean (Spring) supplies init()/destroy(), so only doFilter is needed.
// ByteArrayResponseWrapper is the nested class shown earlier in this answer.
public class TokenEndpointAuthenticationHandlerFilter extends GenericFilterBean {

    private static final Logger log = LoggerFactory.getLogger(TokenEndpointAuthenticationHandlerFilter.class);

    private final DefaultTokenServices tokenServices;
    private final OAuth2AccessTokenExtractor tokenExtractor;

    // inject tokenServices (and the extractor) when creating the filter instance
    public TokenEndpointAuthenticationHandlerFilter(DefaultTokenServices tokenServices,
            OAuth2AccessTokenExtractor tokenExtractor) {
        this.tokenServices = tokenServices;
        this.tokenExtractor = tokenExtractor;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // create wrapper to read response body
        ByteArrayResponseWrapper responseWrapper = new ByteArrayResponseWrapper(response);
        // let the rest of the chain (the token endpoint) run
        chain.doFilter(request, responseWrapper);
        // the client authentication set by the basic-auth filter that ran before us
        Authentication clientAuthentication = SecurityContextHolder
                .getContext().getAuthentication();
        // is authenticated or not to proceed
        if (clientAuthentication != null && clientAuthentication.isAuthenticated()) {
            // callback: client authenticated successfully
            onSuccessfulClientAuthentication(request, response, clientAuthentication);
            // check whether the token endpoint answered with success or failure
            if (responseWrapper.getStatus() == HttpServletResponse.SC_OK) {
                // extract accessToken from response
                String token = tokenExtractor.getAccessTokenValue(responseWrapper.getByteArray());
                if (token != null && !token.isEmpty()) {
                    // load the user authentication behind the freshly issued token
                    OAuth2Authentication oAuth2Authentication = this.tokenServices
                            .loadAuthentication(token);
                    OAuth2AccessToken actualAccessToken = this.tokenServices
                            .getAccessToken(oAuth2Authentication);
                    // callback: user authenticated successfully
                    onSuccessfulUserAuthentication(request, response,
                            clientAuthentication, oAuth2Authentication, actualAccessToken);
                } else {
                    log.error("access token is empty from extractor");
                }
            } else {
                // callback: user authentication failed
                onFailureUserAuthentication(request, response,
                        clientAuthentication, request.getParameter("username"));
            }
        } else {
            // callback: client authentication failed
            onFailClientAuthentication(request, response,
                    request.getParameter(OAuth2Utils.CLIENT_ID));
        }
    }

    protected void onSuccessfulClientAuthentication(ServletRequest request,
            ServletResponse response, Authentication authentication) {
    }

    protected void onFailClientAuthentication(ServletRequest request,
            ServletResponse response, String clientId) {
    }

    protected void onSuccessfulUserAuthentication(ServletRequest request,
            ServletResponse response, Authentication clientAuthentication,
            OAuth2Authentication userOAuth2Authentication, OAuth2AccessToken token) {
    }

    protected void onFailureUserAuthentication(ServletRequest request,
            ServletResponse response, Authentication clientAuthentication,
            String username) {
    }
}
```
And when you create the filter instance, inject tokenServices. Now onSuccessfulClientAuthentication, onFailClientAuthentication, onSuccessfulUserAuthentication and onFailureUserAuthentication will be called according to your authentication.
You can refer to this code on github.
Edit:
The snippet above works fine when you have the default token response; it just uses a ServletResponseWrapper and extracts from it. But it still seems vulnerable, so instead you can learn about a successful user authentication through the org.springframework.security.oauth2.provider.token.TokenEnhancer class.
Please follow this answer for details.
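For the TokenEnhancer route the edit points at, here is an added example (my own code, not the answerer's and not part of Spring Security OAuth) of an enhancer that serves as the login-success hook for the password grant; the class name, the onUserLogin hook and the tokenServices wiring helper are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;

// Assumed class name. DefaultTokenServices calls enhance() while creating a token, i.e.
// only after the client and (for the password grant) the user have both been
// authenticated, so no response body needs to be re-parsed. The token is returned as is.
public class LoginSuccessTokenEnhancer implements TokenEnhancer {
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
                                     OAuth2Authentication authentication) {
        OAuth2Request request = authentication.getOAuth2Request();
        // client_credentials carries no user, and a refresh_token grant re-issues a
        // token for a user who logged in earlier; neither is a new login.
        if (!authentication.isClientOnly() && !request.isRefresh()
                && "password".equals(request.getGrantType())) { // widen if code-grant logins should count
            Authentication user = authentication.getUserAuthentication();
            if (user != null && user.isAuthenticated()) {
                onUserLogin(user.getName(), request.getClientId(), request.getScope());
            }
        }
        return accessToken;
    }

    // Assumed hook: audit log, login metrics, session bookkeeping.
    protected void onUserLogin(String username, String clientId, Set<String> scope) {
    }

    // Assumed wiring helper: a TokenEnhancerChain keeps this hook composable with other
    // enhancers (e.g. a JwtAccessTokenConverter); the chain runs them in list order.
    public static DefaultTokenServices tokenServices(TokenStore store, TokenEnhancer... others) {
        List<TokenEnhancer> enhancers = new ArrayList<>(Arrays.asList(others));
        enhancers.add(new LoginSuccessTokenEnhancer());
        TokenEnhancerChain chain = new TokenEnhancerChain();
        chain.setTokenEnhancers(enhancers);
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(store);
        services.setTokenEnhancer(chain);
        return services;
    }
}
```

Failed logins never reach an enhancer; Spring Security's ProviderManager publishes those as AbstractAuthenticationFailureEvent subclasses once its AuthenticationEventPublisher is set, so a failure hook is an ApplicationListener for that event.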
小智 0
We built a custom authentication manager and wired it into the OAuth2AuthenticationProcessingFilter to accomplish this. The manager's authenticate method is able to unpack the OAuth2Authentication and OAuth2AuthenticationDetails from the authentication principal.

```xml
<bean id="oAuth2AuthenticationManager" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
    <property name="resourceId" value="XXX-api"/>
    <property name="tokenServices" ref="tokenServices"/>
</bean>
<bean id="resourceServerFilter"
      class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="oAuth2AuthenticationManager"/>
    <property name="tokenExtractor">
        <bean class="com.xxx.oauth.BearerTokenExtractor"/>
    </property>
</bean>
```