我是 Spring Security OAuth2(使用版本 2.0.10.RELEASE)的新手。我开发的代码使用 InMemoryTokenStore,它的工作方式(创建 access_token、refresh_token 等)给我留下了深刻印象,但我对它内部是如何工作的还不够了解。有人能帮我理解 InMemoryTokenStore 是如何工作的吗?
从黑客角度来看,最安全的实现是什么?我还看到 OAuth2 提供了多种实现,例如 JdbcTokenStore、JwtTokenStore、KeyStoreKeyFactory。我不认为像 JdbcTokenStore 那样把 access_token 存储到数据库中是个好主意。
我们应该采用哪种实现,为什么?
spring-security-oauth2.xml文件
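<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Spring Security OAuth2 (2.0.x) provider configuration.

    Layout:
      1. three security filter chains, one each for /oauth/token (client
         authentication for the token endpoint), /resources/** (the
         protected resource) and /logout;
      2. the entry points / handlers those chains reference;
      3. two authentication managers: one for OAuth2 clients, one for
         resource owners (used by the password grant);
      4. the authorization server, the resource server filter, the token
         store and the token services.

    Authorization rules: IS_AUTHENTICATED_FULLY is a legacy role-voter
    attribute and is not a valid security expression once
    use-expressions="true" is set. The original rules carrying it were
    commented out and replaced with intercept-urls that had no access
    attribute at all, which leaves the matched URLs without any
    authorization constraint (an intercept-url with no access attribute
    is not enforced by the authorization filter). Those rules now use the
    SpEL equivalent, isFullyAuthenticated().
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd ">

    <!--
        Token endpoint chain. Clients authenticate either with HTTP Basic
        (http-basic) or with client_id/client_secret request parameters
        (clientCredentialsTokenEndpointFilter); both run before the
        authorization check, so the endpoint itself requires a fully
        authenticated client rather than permitAll.
    -->
    <http pattern="/oauth/token" auto-config="true" use-expressions="true" create-session="stateless"
          authentication-manager-ref="authenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <!-- Stateless, credential-authenticated endpoint: no session cookie exists for CSRF to ride on. -->
        <sec:csrf disabled="true" />
    </http>

    <!--
        Resource chain. resourceServerFilter extracts and validates the
        bearer token; the intercept-url then requires that a (token)
        authentication is actually present. The rule covers every HTTP
        method, matching the intent of the original IS_AUTHENTICATED_FULLY
        rule; a GET-only rule would leave other methods unconstrained.
    -->
    <http pattern="/resources/**" auto-config="true" use-expressions="true" create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/resources/**" access="isFullyAuthenticated()" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <!-- Bearer-token chain with no session creation; CSRF protection is not applicable here. -->
        <sec:csrf disabled="true" />
    </http>

    <!--
        Logout chain. Token-authenticated like /resources/**; logoutSuccessHandler
        receives the token store so the application's LogoutImpl can act on
        the presented token (what it does with it is not visible in this file).
    -->
    <http pattern="/logout" create-session="never" auto-config="true" use-expressions="true"
          entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/logout" method="GET" access="isFullyAuthenticated()" />
        <!-- NOTE(review): logout is triggered by GET; with CSRF disabled below, confirm this is acceptable for a token-based client. -->
        <sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <!-- Token-based chain; CSRF protection disabled for the same reason as /resources/**. -->
        <sec:csrf disabled="true" />
    </http>

    <!-- Application-provided logout handler; receives the token store by property injection. -->
    <bean id="logoutSuccessHandler" class="demo.oauth2.authentication.security.LogoutImpl">
        <property name="tokenstore" ref="tokenStore"></property>
    </bean>

    <!-- 401 responses for the resource and logout chains (Bearer challenge). -->
    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    </bean>

    <!-- 401 responses for the token endpoint: Basic challenge in the "springsec/client" realm. -->
    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="springsec/client" />
        <property name="typeName" value="Basic" />
    </bean>

    <!-- 403 responses in OAuth2 error format. -->
    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
    </bean>

    <!-- Authenticates clients that send client_id/client_secret as request parameters to /oauth/token. -->
    <bean id="clientCredentialsTokenEndpointFilter"
          class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- Client authentication: client details are exposed as a UserDetailsService. -->
    <authentication-manager alias="authenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!-- Application-provided ClientDetailsService (registered clients, secrets, grant types, scopes). -->
    <bean id="clientDetails" class="demo.oauth2.authentication.security.ClientDetailsServiceImpl"/>

    <!-- Resource-owner authentication, used only by the password grant below. -->
    <authentication-manager id="userAuthenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider ref="customUserAuthenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <bean id="customUserAuthenticationProvider"
          class="demo.oauth2.authentication.security.CustomUserAuthenticationProvider">
    </bean>

    <!--
        Authorization server with all four standard grants plus refresh
        tokens enabled. Which grants a given client may use is decided by
        the ClientDetailsService, not here.
    -->
    <oauth:authorization-server
            client-details-service-ref="clientDetails" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit/>
        <oauth:refresh-token/>
        <oauth:client-credentials />
        <oauth:password authentication-manager-ref="userAuthenticationManager"/>
    </oauth:authorization-server>

    <!-- Resource server filter; tokens must carry resource id "springsec". -->
    <oauth:resource-server id="resourceServerFilter"
                           resource-id="springsec" token-services-ref="tokenServices" />

    <!--
        Token store. The commented-out bean is the older package location of
        the same class (presumably pre-2.0); the active one is the 2.0.x
        location. InMemoryTokenStore keeps tokens in the JVM heap only: they
        are lost on restart and cannot be shared across instances.
    -->
    <!-- <bean id="tokenStore"
               class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> -->
    <bean id="tokenStore"
          class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

    <bean id="tokenServices"
          class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <!--
            300000 s is roughly 3.5 days. Access tokens are normally short-lived
            and renewed via the refresh token (supportRefreshToken is on above);
            NOTE(review): confirm this lifetime is intended rather than a leftover.
        -->
        <property name="accessTokenValiditySeconds" value="300000"></property>
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <mvc:annotation-driven /> <!-- Declares explicit support for annotation-driven MVC controllers @RequestMapping, @Controller -->
    <mvc:default-servlet-handler />

    <!-- The protected resource controller itself. -->
    <bean id="MyResource" class="demo.oauth2.authentication.resources.MyResource"></bean>
</beans>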
你把几件事混在一起了。InMemoryTokenStore、JwtTokenStore 和 JdbcTokenStore 只是适用于不同的场景,并没有哪一种比另一种更安全。
JwtTokenStore将与令牌相关的数据编码到令牌本身中.它不会使令牌持久化,并且需要JwtAccessTokenConverter作为JWT编码令牌和OAuth身份验证信息之间的转换器.(Shameer Kunjumohamed的"Spring Essentials",Hamidreza Sattari).
重要的是,令牌根本没有持久存在,并且基于签名"即时"验证.
一个缺点是你不能轻易撤销访问令牌,因此它们通常被设置为较短的有效期,撤销则在刷新令牌的处理中进行。另一个缺点是,如果在令牌中存放大量用户凭据信息,令牌可能会变得非常大。JwtTokenStore 并不是真正的"存储",因为它不会持久保存任何数据。阅读更多
InMemoryTokenStore在服务器内存中存储令牌,因此几乎不可能在不同的服务器之间共享它们.重新启动授权服务器时,您将丢失InMemoryTokenStore中的所有访问令牌.我更喜欢仅在开发期间而不是在生产环境中使用InMemoryTokenStore.
默认的InMemoryTokenStore对于单个服务器来说非常好(即,在发生故障的情况下流量较低且不与备份服务器进行热交换).大多数项目可以从这里开始,也可以在开发模式下以这种方式运行,以便轻松启动没有依赖关系的服务器.阅读更多
JdbcTokenStore 是同类实现的 JDBC 版本,它把令牌数据存储在关系数据库中。如果可以在服务器之间共享数据库,就使用 JDBC 版本:只有一种服务器时,这些服务器可以是同一服务器的横向扩展实例;有多个组件时,则是授权服务器和资源服务器。要使用 JdbcTokenStore,你需要在类路径上加入 "spring-jdbc"。阅读更多
在JdbcTokenStore的情况下,您将令牌保存在真实数据库中.因此,在重新启动授权服务的情况下,您是安全的.令牌也可以在服务器之间轻松共享并被撤销.但是你对数据库有更多的依赖性.