【发布时间】:2018-02-08 09:11:59
【问题描述】:
我正在实施某种 SSO 系统。我在我的应用程序中使用 Spring security oauth 2。我有一个客户端应用程序 (localhost:8081) 和一个服务器应用程序 (localhost:8080)。
用户尝试从客户端应用程序登录。客户端应用程序依次启动身份验证流程。它发送到 Server App 身份验证请求 http://localhost:8080/authorize?response_type=code&client_id=client&scope=openid+email+address+profile+phone&redirect_uri=localhost:8081/login&nonce=3fc29332c5377&state=18960fbd838be
有一个重定向到登录页面,在服务器上输入凭据并提交表单验证成功。
之后,我希望流程继续授权并转到 org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint 中的 oauth/authorize 端点 为了生成授权代码并将其发送回客户端应用程序。 但事实并非如此。
请帮我解释一下为什么?为什么在成功验证后,流程不会进入 oauth/authorize 端点。
这是我的登录和点配置:
<security:http pattern="/mylogin"
create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint">
<security:intercept-url pattern="/mylogin" access="permitAll"/>
<security:csrf disabled="true"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="customAuthenticationFilter"/>
<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
<security:logout logout-url="/logout" />
<security:anonymous />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:headers>
<security:frame-options policy="DENY" />
</security:headers>
</security:http>
这是我的自定义身份验证过滤器:
public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private static Logger logger = LoggerFactory.getLogger(CustomAuthenticationFilter.class);
public CustomAuthenticationFilter() {
super("/mylogin");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (!HttpMethod.POST.name().equals(request.getMethod())) {
if(logger.isDebugEnabled()) {
logger.debug("Authentication method not supported. Request method: " + request.getMethod());
}
throw new AuthenticationServiceException("Authentication method not supported");
}
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
if (StringUtils.isBlank(username) || StringUtils.isBlank(password)) {
throw new AuthenticationServiceException("Username or Password not provided");
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
setDetails(request, authRequest);
Authentication auth = this.getAuthenticationManager().authenticate(authRequest);
return auth;
}
protected void setDetails(HttpServletRequest request,
UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
}
这是我的授权服务器配置:
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit />
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:password/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
【问题讨论】:
标签: java spring security oauth-2.0 single-sign-on