使用 Spring 安全性 OAUTH2 获取用户名和密码以在授权类型 "password" 中进行验证
Fetching user name & password to Verify in Grant type "password" using Spring security OAUTH2
我想从请求中提取用户名和密码,以便与数据库进行交叉验证。
我正在努力实现的目标
从 HTTP 请求中提取信息 username=Test&password=Test@123
并从数据库而不是 application.properties.
中的硬编码值对其进行测试
目前我可以为 --user testClient:123456 实现。
请建议一种实现名称和密码的方法。
Http Call :
curl -X POST --user testClient:123456 http://localhost:8090/oauth/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=password&username=Test&password=Test@123&scope=read_profile"
application.properties :
**security.user.name=Test
security.user.password=Test@123**
spring.datasource.url=jdbc:mysql://localhost/oauth
spring.datasource.username=root
spring.datasource.password=password
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
spring.jpa.properties.hibernate.hbm2ddl.auto=validate
授权服务器Class
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import javax.sql.DataSource;
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends
AuthorizationServerConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(OAuth2AuthorizationServer.class);
@Autowired
AuthenticationManager authenticationManager;
@Autowired
private DataSource dataSource;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.approvalStore(approvalStore())
.tokenStore(tokenStore())
// important to add if want to add support the password
.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(4);
}
}
您正在使用 Spring 的实现端点 /oauth/token 来获取令牌。此端点存在于 TokenEndpoint class.
@RequestMapping(
value = {"/oauth/token"},
method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
} else {
此端点采用主体对象和地图。作为 Basic Auth 传递的客户端凭据作为 Principal 和其他参数,如 grant_type、username、password、scope 等作为请求参数中的映射。
OAuth2RequestFactory 使用这些参数和经过身份验证的客户端信息来创建令牌请求。然后,TokenGranter 接受此令牌请求以授予令牌。
这些事情发生在幕后,因此您不必为请求明确提取用户信息。
我想从请求中提取用户名和密码,以便与数据库进行交叉验证。
我正在努力实现的目标 从 HTTP 请求中提取信息 username=Test&password=Test@123 并从数据库而不是 application.properties.
中的硬编码值对其进行测试目前我可以为 --user testClient:123456 实现。 请建议一种实现名称和密码的方法。
Http Call :
curl -X POST --user testClient:123456 http://localhost:8090/oauth/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=password&username=Test&password=Test@123&scope=read_profile"
application.properties :
**security.user.name=Test
security.user.password=Test@123**
spring.datasource.url=jdbc:mysql://localhost/oauth
spring.datasource.username=root
spring.datasource.password=password
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
spring.jpa.properties.hibernate.hbm2ddl.auto=validate
授权服务器Class
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import javax.sql.DataSource;
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends
AuthorizationServerConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(OAuth2AuthorizationServer.class);
@Autowired
AuthenticationManager authenticationManager;
@Autowired
private DataSource dataSource;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.approvalStore(approvalStore())
.tokenStore(tokenStore())
// important to add if want to add support the password
.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(4);
}
}
您正在使用 Spring 的实现端点 /oauth/token 来获取令牌。此端点存在于 TokenEndpoint class.
@RequestMapping(
value = {"/oauth/token"},
method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
} else {
此端点采用主体对象和地图。作为 Basic Auth 传递的客户端凭据作为 Principal 和其他参数,如 grant_type、username、password、scope 等作为请求参数中的映射。
OAuth2RequestFactory 使用这些参数和经过身份验证的客户端信息来创建令牌请求。然后,TokenGranter 接受此令牌请求以授予令牌。
这些事情发生在幕后,因此您不必为请求明确提取用户信息。