【问题标题】:Mobile restful api with oauth spring authentication带有oauth spring身份验证的移动restful api
【发布时间】:2014-02-09 20:35:01
【问题描述】:

我正在尝试设置一个连接到我的后端 mysql 数据库的 restful api。

基本上，我希望来自移动设备对 www.mydomain.com/mobile/details 的调用在请求头中携带访问令牌（前提是它已经用保存在 mysql 数据库中的用户名和密码完成了身份验证）；如果请求中没有收到令牌，就返回请求令牌并让应用重新进行身份验证。

希望有人可以向我指出如何将访问令牌存储在数据库中,这样用户就不必在每次使用应用程序时重新进行身份验证

这是我的 security.xml

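<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 3.2 + Spring Security OAuth2 1.0 configuration.
     Two filter chains: a stateless token endpoint (/oauth/token) where the client
     authenticates with HTTP Basic, and a resource server (/mobile/**) that only
     lets requests through when they carry a valid access token. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security/oauth2
                        http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
                        http://www.springframework.org/schema/context
                        http://www.springframework.org/schema/context/spring-context.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Token endpoint: no session, anonymous access disabled, the OAuth2 client must
         authenticate fully (HTTP Basic via clientAuthenticationEntryPoint, or the
         client_id/client_secret form parameters handled by the filter below). -->
    <http pattern="/oauth/token" create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <!-- Accepts client_id/client_secret as request parameters. Prefer the
             HTTP Basic path: credentials in the query string end up in access logs. -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter"
            after="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <!-- Resource server: never creates a session, anonymous disabled, so a request
         without a token has no Authentication and is answered by
         oauthAuthenticationEntryPoint (the "Authentication object was not found" case). -->
    <http pattern="/mobile/**" create-session="never"
        entry-point-ref="oauthAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager">
        <anonymous enabled="false" />
        <intercept-url pattern="/mobile/**" access="ROLE_USER" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <!-- Authenticates OAuth2 clients (client-id / secret from clientDetails). -->
    <authentication-manager id="clientAuthenticationManager">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <!-- Default manager: authenticates end users. authenticationServiceImpl is defined
         elsewhere; presumably it reads the username/password table in MySQL. -->
    <authentication-manager>
        <authentication-provider user-service-ref="authenticationServiceImpl" />
    </authentication-manager>

    <beans:bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <beans:constructor-arg ref="clientDetails" />
    </beans:bean>

    <!-- 401 challenge for the resource server (WWW-Authenticate: Bearer realm="mobile"). -->
    <beans:bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <beans:property name="realmName" value="mobile" />
    </beans:bean>

    <!-- 401 challenge for the token endpoint, using the Basic scheme. -->
    <beans:bean id="clientAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <beans:property name="realmName" value="mobile" />
        <beans:property name="typeName" value="Basic" />
    </beans:bean>

    <beans:bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    <beans:bean id="clientCredentialsTokenEndpointFilter"
        class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <beans:property name="authenticationManager" ref="clientAuthenticationManager" />
    </beans:bean>

    <!-- Client registration. resource-ids must include the resource-id declared on the
         resource server below ("mobile"); the original value "introround" did not match,
         and a token whose resource ids do not contain the server's id is rejected on
         /mobile/** even when it is otherwise valid. The literal secret "secret" is
         evidently a placeholder: use a strong value and keep it out of version control. -->
    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="mobile" resource-ids="mobile"
            authorized-grant-types="authorization_code,client_credentials"
            authorities="ROLE_USER" scope="read,write" secret="secret" />
    </oauth:client-details-service>

    <!-- In-memory store: tokens are lost on restart and not shared between instances.
         For the database-backed storage asked about, replace this with
         org.springframework.security.oauth2.provider.token.JdbcTokenStore wired to a
         DataSource; tokenServices needs no other change. -->
    <beans:bean id="tokenStore"
        class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

    <!-- Issues access tokens (and refresh tokens, supportRefreshToken=true) so the app
         can renew without asking the user to log in again. -->
    <beans:bean id="tokenServices"
        class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <beans:property name="tokenStore" ref="tokenStore" />
        <beans:property name="supportRefreshToken" value="true" />
        <beans:property name="clientDetailsService" ref="clientDetails" />
    </beans:bean>

    <beans:bean id="userApprovalHandler"
        class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
        <beans:property name="tokenServices" ref="tokenServices" />
    </beans:bean>

    <!-- All voters must agree: the token's scope (ScopeVoter), the ROLE_USER attribute
         on /mobile/** (RoleVoter) and the authentication level (AuthenticatedVoter). -->
    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.UnanimousBased">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                    class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean
                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- Validates the token on every /mobile/** request. The token endpoint returns
         token_type "bearer", so send it as the header "Authorization: Bearer {token}"
         rather than as an access_token query parameter, which is logged by proxies. -->
    <oauth:resource-server id="resourceServerFilter"
        resource-id="mobile" token-services-ref="tokenServices" />

    <!-- token-services-ref had a stray space in the attribute name, which is not
         well-formed XML. Grant types enabled here are still gated per client by
         authorized-grant-types: implicit and password are enabled on the server but
         not granted to the "mobile" client above. -->
    <oauth:authorization-server
        client-details-service-ref="clientDetails" token-services-ref="tokenServices"
        user-approval-handler-ref="userApprovalHandler">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>

</beans:beans>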

/oauth/token?grant_type=client_credentials&client_id=mobile&client_secret=secret

{"access_token":"8bd477f8-c48b-4ef2-bd3a-88c4e1c10b61","token_type":"bearer","expires_in":43199,"scope":"read write"}

对 introround.com/mobile/details 发起 GET 请求时得到以下响应：An Authentication object was not found in the SecurityContext（未授权）。

【问题讨论】:

    标签: android spring oauth spring-security


    【解决方案1】:

    您必须以以下方式访问您的资源:

    http://yourserver.com/protected_resource?access_token={your access_token here}

    每次请求都必须带上访问令牌。

    当您的访问令牌过期时,您必须使用刷新令牌生成一个新令牌,并改用新生成的访问令牌。

    【讨论】:
