How to bypass the access confirmation step in Spring Security OAuth2 if the user has previously authorized access?

kaf*_*ein 4 spring spring-mvc spring-security spring-security-oauth2

I am currently trying to bypass the approve/deny step of the access authorization process in Spring Security OAuth2, because a previously granted authorization (for a given client_id and user_id) should be remembered, and the OAuth application should be allowed to redirect to the client application without asking the user for his approval every time.

    <version.spring-security>3.2.0.RELEASE</version.spring-security>
    <version.spring-security-oauth>1.0.5.RELEASE</version.spring-security-oauth>

So I have an AccessConfirmationController with a mapping for the /oauth/confirm_access endpoint:

    @Controller
    public class AccessConfirmationController {
        @Autowired
        private ClientDetailsService clientDetailsService;

        @RequestMapping("/oauth/confirm_access")
        public ModelAndView getAccessConfirmation(@ModelAttribute final AuthorizationRequest clientAuth)
        {
            // Look up the registered client so the view can show who is requesting access
            final ClientDetails client = this.clientDetailsService.loadClientByClientId(clientAuth.getClientId());
            final TreeMap<String, Object> model = Maps.newTreeMap();
            model.put("auth_request", clientAuth);
            model.put("client", client);
            return new ModelAndView("access_confirmation", model);
        }
    }

A very classic way of handling access confirmation.

Now I know I have to check (somewhere in this method) whether the currently authenticated user (Principal) has previously approved access, and if so, we should just retrieve the token associated with the user and probably simply send it to him via the redirect_uri.

There is an internal endpoint in Spring Security OAuth that allows token retrieval:

    @FrameworkEndpoint
    @RequestMapping(value = "/oauth/token")
    public class TokenEndpoint extends AbstractEndpoint {

        @RequestMapping
        public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
                @RequestParam(value = "grant_type", required = false) String grantType,
                @RequestParam Map<String, String> parameters) {
            // the logic here
        }
    }

How can I call this framework endpoint from my controller? Is it even the best way (best practice?) to do this?

Thanks in advance,

Raf*_*ffa 9

You just need to set autoApprove = true in the configuration

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("my-client")
                        .secret("secret")
                        .authorizedGrantTypes("authorization_code")
                        .autoApprove(true)
                .scopes("scope");
    }
}
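The accepted answer turns the consent page off for every scope of the client. The question actually asks for something narrower: remember what a user already approved for a client and only skip the page in that case. The following configuration is an added example (not code from the question, the answer, or the Spring project) showing that approach with Spring Security OAuth's ApprovalStore; it assumes the 2.x @EnableAuthorizationServer API the answer uses, and the client id, secret and scope names are placeholders.

```java
// Added example: remember per-user, per-client approvals instead of disabling
// consent for all scopes with autoApprove(true). Assumes the 2.x API from the answer.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.InMemoryApprovalStore;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;

@Configuration
@EnableAuthorizationServer
public class RememberedApprovalConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public ApprovalStore approvalStore() {
        // In-memory for illustration only; use JdbcApprovalStore in production so
        // approvals survive restarts and are shared between nodes.
        return new InMemoryApprovalStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("my-client")                 // placeholder client id
                .secret("secret")                        // placeholder secret
                .authorizedGrantTypes("authorization_code")
                .scopes("read", "write")
                // Only the low-risk scope skips consent outright; "write" still
                // prompts the user the first time it is requested.
                .autoApprove("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        ApprovalStoreUserApprovalHandler handler = new ApprovalStoreUserApprovalHandler();
        handler.setApprovalStore(approvalStore());
        handler.setClientDetailsService(endpoints.getClientDetailsService());
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(endpoints.getClientDetailsService()));
        // Each approval is stored per (user, client, scope); a later authorization
        // request for an already-approved combination skips /oauth/confirm_access.
        endpoints.approvalStore(approvalStore()).userApprovalHandler(handler);
    }
}
```

With this in place the first authorization request for "write" still reaches the confirmation controller, and only the combinations the user has actually approved are redirected straight back to the client.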