如果我想为一个客户端保护REST服务器,那么spring-security OAuth2的最小设置是什么?我不想使用任何不必要的设置或实现任何不必要的bean.对于spring-security + OAuth2,可能已经有一个"简单"的教程/示例了吗?(虽然我试图避免过于充满希望)
我当前的工作设置(使用来自sparklr上下文的副本+过去+ wtf)感觉太多了:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:client-credentials />
</oauth:authorization-server>
<sec:authentication-manager alias="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<oauth:resource-server id="resourceServerFilter"
resource-id="rest_server" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="the_client" authorized-grant-types="client_credentials"
authorities="ROLE_RESTREAD" secret="1234567890" />
</oauth:client-details-service> …我们有一个正在使用的应用程序spring-security-oauth2:1.0.我试图将其更改为更新版本spring-security-oauth2:2.0.7.RELEASE.一些类被删除,一些包结构被更改,我设法整理所有这些东西,我能够没有任何问题启动服务器.但我在这里遇到一个奇怪的问题.
随着OAuth2 - 1.0 version,当我们在用户登录使用做了GET要求/oauth/token,例如:
它以前工作得很好.
当我尝试同样的事情时,首先GET由于TokenEndPoint.java中的逻辑,我无法提出请求
private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));
@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!allowedRequestMethods.contains(HttpMethod.GET)) {
throw new HttpRequestMethodNotSupportedException("GET");
}
return postAccessToken(principal, parameters);
}
我试图POST提出与上述URL相同的请求,但我收到InsufficientAuthenticationException了错误消息
没有客户端身份验证.尝试添加适当的身份验证筛选器
这是因为下面的POST请求控制器TokenEndpoint.java.当我调试时,我看到它principal是null.
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public …