Java 如何获取 Spring Boot 和 OAuth2 示例以使用默认密码以外的密码授予凭据
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26621693/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to get Spring Boot and OAuth2 example to use password grant credentials other than the default
提问by Shawn Sherwood
I'm following the basic Spring Boot OAuth2 example from Dave Syer: https://github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java
我正在关注 Dave Syer 的基本 Spring Boot OAuth2 示例:https: //github.com/dsyer/sparklr-boot/blob/master/src/main/java/demo/Application.java
@Configuration
@ComponentScan
@EnableAutoConfiguration
@RestController
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@RequestMapping("/")
public String home() {
return "Hello World";
}
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
// Just for laughs, apply OAuth protection to only 2 resources
.requestMatchers().antMatchers("/","/admin/beans").and()
.authorizeRequests()
.anyRequest().access("#oauth2.hasScope('read')");
// @formatter:on
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("sparklr");
}
}
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients.inMemory()
.withClient("my-trusted-client")
.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "trust")
.resourceIds("sparklr")
.accessTokenValiditySeconds(60)
.and()
.withClient("my-client-with-registered-redirect")
.authorizedGrantTypes("authorization_code")
.authorities("ROLE_CLIENT")
.scopes("read", "trust")
.resourceIds("sparklr")
.redirectUris("http://anywhere?key=value")
.and()
.withClient("my-client-with-secret")
.authorizedGrantTypes("client_credentials", "password")
.authorities("ROLE_CLIENT")
.scopes("read")
.resourceIds("sparklr")
.secret("secret");
// @formatter:on
}
}
}
The example works very well for both types of grants, but the password grant uses the Spring Boot default security user (the one that echo's out "Using default security password: 927ca0a0-634a-4671-bd1c-1323a866618a" during startup).
该示例适用于两种类型的授权,但密码授权使用 Spring Boot 默认安全用户(在启动期间回显“使用默认安全密码:927ca0a0-634a-4671-bd1c-1323a866618a”的那个)。
My question is how do you override the default user account and actually rely on a WebSecurityConfig? I've added a section like this:
我的问题是如何覆盖默认用户帐户并实际依赖 WebSecurityConfig?我添加了一个这样的部分:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder authManagerBuilder)
throws Exception {
authManagerBuilder.inMemoryAuthentication().withUser("user")
.password("password").roles("USER");
}
}
But it does not seem to override the default Spring user/password even though the documentation suggests that it should.
但它似乎并没有覆盖默认的 Spring 用户/密码,即使文档建议它应该这样做。
What am I missing to get this working?
我缺少什么才能使其正常工作?
回答by Shawn Sherwood
As I'm still on 2.0.3, I tried a few more things and this appears to be working:
由于我仍在使用 2.0.3,因此我尝试了更多操作,这似乎有效:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
authManagerBuilder
.inMemoryAuthentication()
.withUser("user1").password("password1").roles("USER").and()
.withUser("admin1").password("password1").roles("ADMIN");
}
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
}
By explicitly defining the authenticationManager bean, the built-in user authentication went away and it started relying on my own inMemoryAuthentication. When 2.0.4 is released, I'll re-evaluate the solution that Dave posted above as it looks like it will be more elegant.
通过显式定义 authenticationManager bean,内置的用户身份验证消失了,它开始依赖我自己的 inMemoryAuthentication。当 2.0.4 发布时,我将重新评估 Dave 上面发布的解决方案,因为它看起来会更优雅。
回答by webmadeup
@Configuration
protected static class AuthenticationManagerConfiguration extends GlobalAuthenticationConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("min").password("min").roles("USER");
}
}
