Configuring an AuthenticationSuccessHandler with Spring Boot 1.3.2 (without spring-cloud-security) and @EnableOAuth2Sso
Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/35622563/
Asked by Jim.R
We have a Spring Boot 1.3.2/Webflow web app which we're converting to use SSO. I've followed the steps in the "Migrating OAuth2 Apps from Spring Boot 1.2 to 1.3" blog and have the app handing off to our Auth server for authentication and the web app using the token to populate its security context correctly.
The only piece not working is the custom authentication success handler we have that configures a few bits in the users session before they continue to their landing page.
This is currently configured as follows in our security config, which extends WebSecurityConfigurerAdapter:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // These are all the unprotected endpoints.
        http.authorizeRequests()
                .antMatchers(new String[] { "/", "/login", "/error", "/loginFailed", "/static/**" })
                .permitAll();
        // Protect all the other endpoints with a login page. The success handler is
        // attached to the form-login filter only; the SSO filter has its own handler.
        http.authorizeRequests().anyRequest()
                .hasAnyAuthority("USER", "ADMIN")
            .and().formLogin().loginPage("/login").failureUrl("/loginFailed")
                .successHandler(customAuthenticationSuccessHandler())
            .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
        http.exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response,
                    AccessDeniedException accessDeniedException) throws IOException, ServletException {
                // Only CSRF failures are handled here; any other AccessDeniedException
                // falls through without a response being written.
                if (accessDeniedException instanceof CsrfException) {
                    response.sendRedirect(request.getContextPath() + "/logout");
                }
            }
        });
    }
I can see the handler being configured during startup, but it is never called once the user has successfully logged in. All of the questions I've found on the subject refer to using an OAuth2SsoConfigurerAdapter, however as we're no longer using spring-cloud-security this class is not available.
UPDATE: I've discovered that this is possible using a BeanPostProcessor:
public static class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {

    // Handed in by the static @Bean method that registers this post-processor; a static
    // nested class cannot call the enclosing config's customAuthenticationSuccessHandler().
    private final AuthenticationSuccessHandler successHandler;

    public DefaultRolesPrefixPostProcessor(AuthenticationSuccessHandler successHandler) {
        this.successHandler = successHandler;
    }

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        // The SSO filter built by @EnableOAuth2Sso is not a bean of its own, so it has to be
        // located inside the assembled FilterChainProxy.
        if (bean instanceof FilterChainProxy) {
            FilterChainProxy chains = (FilterChainProxy) bean;
            for (SecurityFilterChain chain : chains.getFilterChains()) {
                for (Filter filter : chain.getFilters()) {
                    if (filter instanceof OAuth2ClientAuthenticationProcessingFilter) {
                        ((OAuth2ClientAuthenticationProcessingFilter) filter)
                                .setAuthenticationSuccessHandler(successHandler);
                    }
                }
            }
        }
        return bean;
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
Is there a better way to configure this though?
Answered by Somaiah Kumbera
If you follow Dave Syer's excellent Spring Boot OAuth2 tutorial, you will end up with a method that returns your ssoFilter.
I added a setAuthenticationSuccessHandler to this filter:
@Autowired
private OAuth2ClientContext oauth2ClientContext;

@Autowired
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

// facebook() and facebookResource() are the @ConfigurationProperties beans from the tutorial.
private Filter ssoFilter() {
    OAuth2ClientAuthenticationProcessingFilter facebookFilter =
            new OAuth2ClientAuthenticationProcessingFilter("/login/facebook");
    OAuth2RestTemplate facebookTemplate = new OAuth2RestTemplate(facebook(), oauth2ClientContext);
    facebookFilter.setRestTemplate(facebookTemplate);
    facebookFilter.setTokenServices(
            new UserInfoTokenServices(facebookResource().getUserInfoUri(), facebook().getClientId()));
    // Replaces the filter's default SavedRequestAwareAuthenticationSuccessHandler.
    facebookFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
    return facebookFilter;
}
And my CustomAuthenticationSuccessHandler was just a component that extended AuthenticationSuccessHandler:
@Component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // implementation: set up the session, then redirect the user
    }
}
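The following is an added example, not code from the question or the answer above: a complete Spring Boot 1.3 / Spring Security 4 Java config that builds the SSO filter by hand as in the tutorial, attaches a success handler, and covers two things a hand-built filter loses compared with the one @EnableOAuth2Sso assembles. First, the success handler seeds the session and then delegates to a SavedRequestAwareAuthenticationSuccessHandler, so the redirect back to the originally requested page (the filter's default behaviour) is preserved rather than silently dropped. Second, a filter added with addFilterBefore is not given HttpSecurity's shared SessionAuthenticationStrategy, so it is set explicitly to change the session id on login; ChangeSessionIdAuthenticationStrategy requires a Servlet 3.1 container (Boot 1.3's embedded Tomcat 8 qualifies). The property prefixes sso.client and sso.resource, the login path /login/sso, the landing page /home and the session attribute name are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Added example (assumed names throughout): SSO login with a hand-built filter.
@Configuration
@EnableWebSecurity
@EnableOAuth2Client
public class SsoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login/**", "/error", "/static/**").permitAll()
                .anyRequest().authenticated()
            .and().logout().logoutSuccessUrl("/").permitAll()
            .and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    @Bean
    @ConfigurationProperties("sso.client")   // assumed prefix: clientId, clientSecret, tokenUri, ...
    public AuthorizationCodeResourceDetails ssoClient() {
        return new AuthorizationCodeResourceDetails();
    }

    @Bean
    @ConfigurationProperties("sso.resource") // assumed prefix: userInfoUri
    public ResourceServerProperties ssoResource() {
        return new ResourceServerProperties();
    }

    private Filter ssoFilter() {
        OAuth2ClientAuthenticationProcessingFilter filter =
                new OAuth2ClientAuthenticationProcessingFilter("/login/sso"); // assumed path
        filter.setRestTemplate(new OAuth2RestTemplate(ssoClient(), oauth2ClientContext));
        filter.setTokenServices(new UserInfoTokenServices(
                ssoResource().getUserInfoUri(), ssoClient().getClientId()));
        // A filter registered via addFilterBefore keeps AbstractAuthenticationProcessingFilter's
        // NullAuthenticatedSessionStrategy, so set one: rotate the session id on login.
        filter.setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
        filter.setAuthenticationSuccessHandler(new SessionSeedingSuccessHandler());
        return filter;
    }

    /** Seeds the session, then hands off to the stock saved-request redirect. */
    static class SessionSeedingSuccessHandler implements AuthenticationSuccessHandler {
        private final SavedRequestAwareAuthenticationSuccessHandler delegate =
                new SavedRequestAwareAuthenticationSuccessHandler();

        SessionSeedingSuccessHandler() {
            delegate.setDefaultTargetUrl("/home"); // assumed landing page when no request was saved
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // Store only what the app needs; the principal itself stays in the SecurityContext.
            request.getSession(true).setAttribute("loginName", authentication.getName());
            delegate.onAuthenticationSuccess(request, response, authentication);
        }
    }
}
```

If you must stay on @EnableOAuth2Sso and the BeanPostProcessor route from the question, the same two points apply: wrap the handler around a SavedRequestAwareAuthenticationSuccessHandler rather than replacing the redirect outright, and note that Boot's own configurer already sets the session strategy on the filter it builds, so only the hand-built filter needs the explicit call.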