Spring Security OAuth2的Web和移动客户端

Mak*_*sim 17 java spring oauth spring-security spring-security-oauth2

我试图围绕OAuth2和Spring Security OAuth,特别是OAuth提供商服务.我正在尝试实现以下内容:

  1. OAuth提供商
  2. 资源服务器(应使用OAuth提供程序保护的RESTful Web服务(1))
  3. Web客户端(使用Spring Security保护但应使用OAuth Provider(1)对用户进行身份验证的Web客户端应用程序
  4. 原生移动客户端(Android和iOS)也应使用OAuth Provider(1)进行身份验证

所有这些模块彼此独立,即在不同的项目中分开,并将托管在不同的域上,例如(1)http://oauth.web.com,(2)http://rest.web.com, (3)http://web.com

我的两个问题是:

A.如何实施Web客户端项目,以便在用户登录受保护页面或单击"登录"按钮时,重定向到OAuth提供者URL,登录,并在具有所有用户角色的Web客户端上进行身份验证,以及同时需要知道使用了哪个客户端.@EnableResourceServer(与实现资源服务器的方式相同;请参阅下面的代码)以获取用户的详细信息?我是否必须管理访问令牌并始终将其包含在对资源服务器的调用中,或者它可以以某种方式自动完成?

B.在我将要开发的移动应用程序上实现安全性的最佳方法是什么.我是否应该使用密码宏来进行此身份验证,因为应用程序将由我构建,我将在本机屏幕中将用户名和密码作为基本身份验证通过SSL发送到服务器?是否有任何示例我可以查看与Spring Security OAuth的对话并返回用户详细信息.

这是我对OAuth项目(1)和资源项目(2)的实现:

1. OAuth提供商

OAuth2服务器配置(大部分代码来自HERE)

@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    DataSource dataSource;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .tokenStore(tokenStore())
                .approvalStore(approvalStore())
                .authorizationCodeServices(authorizationCodeServices())
        ;
    }

    @Bean
    public JdbcClientDetailsService clientDetailsService() {
        return new JdbcClientDetailsService(dataSource);
    }

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    public ApprovalStore approvalStore() {
        return new JdbcApprovalStore(dataSource);
    }

    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {

        oauthServer.checkTokenAccess("permitAll()");
    }
}
Run Code Online (Sandbox Code Playgroud)

网络安全配置

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable(); // TODO. Enable this!!!

        http.authorizeRequests()
                .and()
                .formLogin()
//                .loginPage("/login") // manually defining page to login
//                .failureUrl("/login?error") // manually defining page for login error
                .usernameParameter("email")
                .permitAll()

                .and()
                .logout()
//                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .permitAll();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(customUserDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
Run Code Online (Sandbox Code Playgroud)

UserDetailsS​​ervice(customUserDetailsS​​ervice)

@Service
public class CustomUserDetailsService implements UserDetailsService{

    private final UserService userService;

    @Autowired
    public CustomUserDetailsService(UserService userService) {
        this.userService = userService;
    }

    public Authority loadUserByUsername(String email) throws UsernameNotFoundException {
        User user = userService.getByEmail(email)
                .orElseThrow(() -> new UsernameNotFoundException(String.format("User with email=%s was not found", email)));
        return new Authority(user);
    }
}
Run Code Online (Sandbox Code Playgroud)

2.资源服务器(RESTful WS)

配置(大部分框架代码都来自示例)

@Configuration
@EnableResourceServer
public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter{

    @Autowired
    DataSource dataSource;

    String RESOURCE_ID = "data_resource";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        TokenStore tokenStore = new JdbcTokenStore(dataSource);
        resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                // For some reason we cant just "permitAll" OPTIONS requests which are needed for CORS support. Spring Security
                // will respond with an HTTP 401 nonetheless.
                // So we just put all other requests types under OAuth control and exclude OPTIONS.
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
                .and()

                // Add headers required for CORS requests.
                .headers().addHeaderWriter((request, response) -> {
            response.addHeader("Access-Control-Allow-Origin", "*");

            if (request.getMethod().equals("OPTIONS")) {
                response.setHeader("Access-Control-Allow-Methods", request.getHeader("Access-Control-Request-Method"));
                response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
            }
        });    
    }
}
Run Code Online (Sandbox Code Playgroud)

WS控制器:

@RestController
@RequestMapping(value = "/todos")
public class TodoController {

    @Autowired
    private TodoRepository todoRepository;

    @RequestMapping(method = RequestMethod.GET)
    public List<Todo> todos() {
        return todoRepository.findAll();
    }

   // other methods
}
Run Code Online (Sandbox Code Playgroud)

Man*_*kus 8

如何实现Web客户端项目,以便在用户登录受保护页面或单击"登录"按钮时,重定向到OAuth提供程序URL,登录,并在具有所有用户角色的Web客户端上进行身份验证,以及需要知道使用了哪个客户端

您希望将OAuth用作SSO.

选项1,使用spring cloud https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v

选项2,手动处理SSO过程:

在您的Web客户端中,使用授权授权将登录页面配置为OAuth服务器.

protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); // TODO. Enable this!!!
    http.authorizeRequests()
    .and()
    .formLogin()
    .loginPage("http://oauth.web.com/oauth/authorize?response_type=code&client_id=webclient&redirect_uri=http://web.com") // manually defining page to login
    //.failureUrl("/login?error") // manually defining page for login error
    .usernameParameter("email")
    .permitAll()   
    .and()
    .logout()
    //.logoutUrl("/logout")
    .logoutSuccessUrl("/")
    .permitAll();
}
Run Code Online (Sandbox Code Playgroud)

身份验证和授权过程完成后,您将被重定向到具有授权码的Web客户端http://web.com/?code=jYWioI.您的Web客户端应该在您的oauth服务器上使用令牌访问权交换此代码.在您的oauth服务器上,创建用于检索用户信息的端点

@RestController
public class UserRestService {

  @RequestMapping("/user")
  public Principal user(Principal user) {
    // you can also return User object with it's roles
    // {"details":...,"principal":{"username":"user",...},"name":"user"}
    return user;
  }

}
Run Code Online (Sandbox Code Playgroud)

然后,您的Web客户端可以通过发送具有对上述休息端点的令牌访问权限的请求来访问用户详细信息,并根据响应对用户进行身份验证.

我是否必须管理访问令牌并始终将其包含在对资源服务器的调用中,或者它可以以某种方式自动完成?

每个请求都必须包含令牌访问.如果你想自动完成,spring提供了Oauth 2客户端http://projects.spring.io/spring-security-oauth/docs/oauth2.html

在我将要开发的移动应用程序上实现安全性的最佳方法是什么.我是否应该使用密码宏来进行此身份验证,因为应用程序将由我构建,我将在本机屏幕中将用户名和密码作为基本身份验证通过SSL发送到服务器?

由于您使用的是本机屏幕,因此密码授予就足够了,但您可以存储刷新令牌,这样您就可以请求令牌访问而无需重复身份验证过程.

是否有任何示例我可以查看与Spring Security OAuth的对话并返回用户详细信息.

请参阅上面的示例代码或查看此https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v