Java Spring Security OAuth2 纯资源服务器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20384543/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security OAuth2 pure resource server
提问by Explosion Pills
We already have an OAuth2 authorization server set up, so I need to create a corresponding resource server (separate server). We plan to use the Spring Security OAuth2 project. Their documentation for setting up a resource server:
我们已经设置了OAuth2授权服务器,所以我需要创建一个相应的资源服务器(单独的服务器)。我们计划使用 Spring Security OAuth2 项目。他们设置资源服务器的文档:
https://github.com/spring-projects/spring-security-oauth/wiki/oAuth2#resource-server-configuration
https://github.com/spring-projects/spring-security-oauth/wiki/oAuth2#resource-server-configuration
token-services-refshould point to the token-handling bean. However it seems like the token handling is done by the server itself even though it is the resource server. There doesn't seem to be any remote token services class or any configuration relating to a remote server. This is in contrast with the CloudFoundary UAA (https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml) which has:
token-services-ref应该指向令牌处理 bean。然而,令牌处理似乎是由服务器本身完成的,即使它是资源服务器。似乎没有任何远程令牌服务类或与远程服务器相关的任何配置。这与 CloudFoundary UAA ( https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml)形成对比,后者具有:
<bean id="tokenServices"
class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${checkTokenEndpointUrl}" />
Is there any way to use Spring Security OAuth2 for a resource server that communicates with a separate OAuth2 Authorization server? How can I set the communication endpoint?
有没有办法将 Spring Security OAuth2 用于与单独的 OAuth2 授权服务器通信的资源服务器?如何设置通信端点?
采纳答案by Chris H.
This is possible as long as the authorization server and resource server(s) access a shared tokenStore(e.g. using JdbcTokenStorewith a common dataSource). You can just use DefaultTokenServiceswith a reference to your shared tokenStore. Below is an example Spring config which you should be able to tweak to fit your needs:
只要授权服务器和资源服务器访问共享tokenStore(例如使用JdbcTokenStore公共dataSource),这是可能的。您可以只使用DefaultTokenServices对您共享的tokenStore. 下面是一个示例 Spring 配置,您应该能够对其进行调整以满足您的需求:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg name="dataSource" ref="dataSource" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
</bean>
<bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myRealm" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />
<oauth2:expression-handler id="oauthExpressionHandler" />
<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth2:resource-server id="myResource" resource-id="myResourceId" token-services-ref="tokenServices" />
<security:http pattern="/myPattern/**" create-session="never"
entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="GET" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="HEAD" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="OPTIONS" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="PUT" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="POST" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="DELETE" />
<security:custom-filter ref="myResource" before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
</beans>
回答by Rites
Yes its possible. Like you have already mentioned in your question, RemoteTokenServicesis the solution.
是的,它可能。就像您在问题中已经提到的那样,RemoteTokenServices是解决方案。
I have created one sample which has separate auth and resource server. Its just a sample to give a quick idea about the concept and open for extension.
我创建了一个具有单独身份验证和资源服务器的示例。它只是一个示例,可以快速了解这个概念并开放扩展。
