Spring HTTP 中的 OAuth2 访问令牌 Header
Spring OAuth2 Access Token in HTTP Header
我正在尝试实施 Spring Oauth2 设置,授权服务器在其自身的应用程序中,资源服务器在单独的应用程序中。
我会从一开始就说,由于当前系统的限制,我不得不使用旧版本的 Spring / Spring 安全,直到我们可以在系统中进行规划升级:
- Spring: 3.1.1 Spring
- 安全性:3.2.7
- Spring OAuth:1.0.5
我一切正常,但是,当我从资源服务器请求受限资源时,我必须提供 access_token 作为查询参数。
我更愿意将其作为 HTTP header 提供。 Spring Security Oauth 中是否有内置功能可以执行此操作?
资源服务器配置
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Resource Server Filter -->
<oauth:resource-server id="resourceServerFilter" resource-id="someResourceId" token-services-ref="tokenServices"/>
<!-- END Resource Server Filter -->
<!-- Protected resources -->
<http pattern="/rest/BasicService/**" create-session="stateless" xmlns="http://www.springframework.org/schema/security" entry-point-ref="oauthAuthenticationEntryPoint">
<anonymous enabled="false"/>
<intercept-url pattern="/rest/BasicService/**" access="ROLE_USER"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<!-- END Protected resources -->
<!-- Authentication -->
<sec:authentication-manager xmlns="http://www.springframework.org/schema/security" />
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<!-- END Authentication -->
<!-- Token Store -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="myJdbcTokenStore" />
</bean>
<bean id="myJdbcTokenStore" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="java:comp/env/jdbc/someJNDIDatabaseName"/>
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore"/>
</bean>
<!-- END Token Store -->
</beans>
正如prtk_shah评论中提到的,令牌类型需要添加到授权中header。
授权:不记名
如果您正在使用 spring boot magic 可能是通过遵循 their example,您只想将 authenticationScheme 设置为 header。任务完成。
security:
oauth2:
client:
...
authenticationScheme: header
我正在尝试实施 Spring Oauth2 设置,授权服务器在其自身的应用程序中,资源服务器在单独的应用程序中。
我会从一开始就说,由于当前系统的限制,我不得不使用旧版本的 Spring / Spring 安全,直到我们可以在系统中进行规划升级:
- Spring: 3.1.1 Spring
- 安全性:3.2.7
- Spring OAuth:1.0.5
我一切正常,但是,当我从资源服务器请求受限资源时,我必须提供 access_token 作为查询参数。
我更愿意将其作为 HTTP header 提供。 Spring Security Oauth 中是否有内置功能可以执行此操作?
资源服务器配置
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Resource Server Filter -->
<oauth:resource-server id="resourceServerFilter" resource-id="someResourceId" token-services-ref="tokenServices"/>
<!-- END Resource Server Filter -->
<!-- Protected resources -->
<http pattern="/rest/BasicService/**" create-session="stateless" xmlns="http://www.springframework.org/schema/security" entry-point-ref="oauthAuthenticationEntryPoint">
<anonymous enabled="false"/>
<intercept-url pattern="/rest/BasicService/**" access="ROLE_USER"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<!-- END Protected resources -->
<!-- Authentication -->
<sec:authentication-manager xmlns="http://www.springframework.org/schema/security" />
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<!-- END Authentication -->
<!-- Token Store -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="myJdbcTokenStore" />
</bean>
<bean id="myJdbcTokenStore" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="java:comp/env/jdbc/someJNDIDatabaseName"/>
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore"/>
</bean>
<!-- END Token Store -->
</beans>
正如prtk_shah评论中提到的,令牌类型需要添加到授权中header。
授权:不记名
如果您正在使用 spring boot magic 可能是通过遵循 their example,您只想将 authenticationScheme 设置为 header。任务完成。
security:
oauth2:
client:
...
authenticationScheme: header