Grails 3 - Spring 安全 OAuth2 提供者 - 自定义安全提供者被忽略

Question

我的配置是：

• Grails 框架 3.0.11
• “org.grails.plugins:spring-security-core:3.0.3”
• “org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC1”

我已经指定了我的自定义 UserDetailsS​​ervice（实现 GrailsUserDetailsS​​ervice）、自定义 User Details 类（扩展 GrailsUser）以及自定义安全身份验证提供程序（扩展 AbstractUserDetailsAuthenticationProvider）。

我把它放到resources.groovy中如下：

userDetailsService(My2nUserDetailsService)

my2nAuthenticationProvider(My2nAuthenticationProvider) {
    userDetailsService = ref('userDetailsService')
}

现在我的问题是，当我想向 /oauth/token 发送 POST 时，我的自定义提供程序 (my2nAuthenticationProvider) 被忽略并默认为 daoAuthenticationProvider em> 被使用并且它失败了，因为这个提供者调用了默认的用户详细信息服务（所以再次......我的自定义 My2nUserDetailsS​​ervice 被忽略了）并且一切都失败了。

这就是我配置 Spring Security 核心和 Spring Security Oauth2 提供者的方式：

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'cz.quanti.my2n.domains.my2n.My2nUser'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'cz.quanti.my2n.domains.my2n.My2nUserRole'
grails.plugin.springsecurity.authority.className = 'cz.quanti.my2n.domains.my2n.My2nRole'
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = true
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.password.algorithm = 'SHA-256'
grails.plugin.springsecurity.password.hash.iterations = 1
grails.plugin.springsecurity.providerNames = [
        'my2nAuthenticationProvider'
]
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/oauth/authorize.dispatch', access: "IS_AUTHENTICATED_ANONYMOUSLY"],
    [pattern: '/oauth/token.dispatch', access: "IS_AUTHENTICATED_ANONYMOUSLY"]
]

// https://grails-plugins.github.io/grails-spring-security-core/v2/guide/filters.html
grails.plugin.springsecurity.filterChain.chainMap = [
            [pattern: '/oauth/token', filters: 'JOINED_FILTERS,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter'],
            [pattern: '/oauth/authorize', filters: 'JOINED_FILTERS,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter'],
            ...
            [pattern: '/**', filters: 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter,-restTokenValidationFilter,-restExceptionTranslationFilter']   // Traditional chain
    ]

// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'cz.quanti.my2n.domains.hipmo.OauthClient'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'cz.quanti.my2n.domains.hipmo.OauthAuthorizationCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'cz.quanti.my2n.domains.hipmo.OauthAccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'cz.quanti.my2n.domains.hipmo.OauthRefreshToken'
grails.plugin.springsecurity.oauthProvider.authorization.requireScope = false

请给我一些建议好吗？

Answer 1

您将 securityConfigType 声明为“InterceptUrlMap”，但您使用 controllerAnnotations 进行映射。更新 securityConfigType 以使用“注释”

Answer 2

我没有使用过那个插件，但是如果你想让你的 bean 注册替换插件注册的那个，你需要在 resources.groovy 中使用相同的 bean 名称。通过查看插件源，我假设您想要替换 clientCredentialsAuthenticationProvider bean，因此您的提供者注册应该看起来像

clientCredentialsAuthenticationProvider(My2nAuthenticationProvider) {
   userDetailsService = ref('userDetailsService')

}