如果我想为一个客户端保护REST服务器,那么spring-security OAuth2的最小设置是什么?我不想使用任何不必要的设置或实现任何不必要的bean.对于spring-security + OAuth2,可能已经有一个"简单"的教程/示例了吗?(虽然我试图避免过于充满希望)
我当前的工作设置(使用来自sparklr上下文的副本+过去+ wtf)感觉太多了:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:client-credentials />
</oauth:authorization-server>
<sec:authentication-manager alias="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<oauth:resource-server id="resourceServerFilter"
resource-id="rest_server" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="the_client" authorized-grant-types="client_credentials"
authorities="ROLE_RESTREAD" secret="1234567890" />
</oauth:client-details-service> …我们有一个基于Oauth2的REST服务器(资源+授权),由spring-security + spring web + jersey为我们的REST资源.其中大部分工作都很顺利,但是当在带有错误凭据的用户名密码流中命中/ oauth/token时,我们不仅会获得400(因为规范是正确的),而是在响应中将整个堆栈跟踪作为JSON .我已经搜索和调试并摸索了,但无法找到罪魁祸首.这可能是一个弹簧安全设置吗?还是弹簧网?或者使用泽西匹配资源的servlet?
响应示例(缩写):
$ curl -X POST -v --data "grant_type=password&username=admin&password=wrong_password&client_id=my_client" http://localhost:9090/oauth/token
* ...
* Connected to localhost (::1) port 9090 (#0)
* ...
> POST /oauth/token HTTP/1.1
> ...
> Accept: */*
> ...
> Content-Type: application/x-www-form-urlencoded
>
* ...
< HTTP/1.1 400 Bad Request
< ...
< Content-Type: application/json;charset=UTF-8
< ...
<
* ...
curl: (56) Recv failure: Connection reset by peer
{
"cause": null,
"stackTrace": [{
"methodName": "getOAuth2Authentication",
"fileName": "ResourceOwnerPasswordTokenGranter.java",
"lineNumber": 62, …我们有一个使用的rest API Spring OAuth2.用户通过身份验证后,所有JSON响应都采用以下格式:
{"code" : 12345, "data" : "..." }
但是,身份验证失败的JSON响应与上述格式不一致,因为它由Spring处理.
例如,如果凭据不正确,客户端将获得带有JSON响应的HTTP状态代码400,如下所示:
{"error": "invalid_grant", "error_description": "Bad credentials" }
如果用户帐户被锁定,客户端将获得具有JSON响应的HTTP状态代码400,如下所示
{"error":"invalid_grant","error_description":"User account is locked"}
所有这一切都是因为Spring TokenEndpoint.handleException()正在处理与/ oauth/token相关的异常
我想更改OAuth2失败的JSON响应以遵循第一种格式.
这是我迄今为止尝试过的但没有成功:
任何上述方法或新方法的任何帮助将受到高度赞赏.
我没有尝试过这种方法,因为我无法更改现有客户端的上下文路径.