【发布时间】:2018-05-12 02:08:18
【问题描述】:
我有一个关于如何将我的 Spring Boot 服务器配置为资源服务器的问题,同时接收来自 Ionic 3 中构建的移动应用程序的访问令牌。
我使用 Azure Active Directory 让用户登录,并且因为我希望用户登录我的应用程序,所以我使用隐式 OAuth2 流。在我的 Ionic 应用程序中,我使用此 (https://github.com/AzureAD/azure-activedirectory-library-for-cordova) apache cordova 插件来显示登录表单(来自 Microsoft AAD),并使用正确的凭据接收访问令牌和到期日期。
我将我的 Spring Boot 应用程序用作 REST API。移动应用程序中的用户调用端点,例如:
https://localhost:8080/period
https://localhost:8080/declaration/1
etc...
当然,我想保护这些资源,因为现在任何人都可以调用它们。现在我在 Authorization 标头中发送访问令牌,如下所示:
let host = "https://localhost:8080/";
let headers = new Headers();
headers.append('Authorization',access_token);
let options = new RequestOptions({headers: headers});
consle.log(this.http.get(this.host + "period",options));
我整天都在寻找教程、文档、堆栈主题等...但我找不到我正在寻找将访问令牌发送到资源服务器的位置的情况。我也很难理解这些教程中发生了什么。到目前为止,这是我设法理解的内容以及我在 Spring Boot 应用程序中所拥有的内容:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = false, securedEnabled = true)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/period/**").hasRole("USER")
.antMatchers("/files/**").hasRole("USER")
.antMatchers("/declaration/**").hasRole("USER");
}
}
我的问题是:
如何处理访问代码并将资源返回给用户?
编辑:
所以我尝试使用过滤器来拦截传入的 HTTP 流量并从标头中获取令牌,如下所示:
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class OAuth2AuthenticationProcessingFilter implements Filter,InitializingBean {
private final static Log logger = LogFactory.getLog(OAuth2AuthenticationProcessingFilter.class);
private TokenExtractor tokenExtractor = new BearerTokenExtractor();
@Override
public void init(FilterConfig filterConfig) throws ServletException {
System.out.println("Initialize OAuth2 filter");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
System.out.println("Do filter");
final boolean debug = logger.isDebugEnabled();
final HttpServletRequest req = (HttpServletRequest) request;
final HttpServletResponse res = (HttpServletResponse) response;
System.out.println("xxxxxxxxxxxxxxxxxxxxxxxxxxxx");
System.out.println(req.getHeader("Authorization"));
System.out.println("xxxxxxxxxxxxxxxxxxxxxxxxxxxx");
}
@Override
public void destroy() {
System.out.println("Destroying OAuth2 filter");
}
@Override
public void afterPropertiesSet() throws Exception {
}
}
但是过滤器(doFilter)只有在我这样设置配置时才会被调用:
.antMatchers("/period/**").permitAll()
如果我这样使用它,过滤器 (doFilter) 将不会被调用(init 仍然调用):
.antMatchers("/period/**").permitAll()
所以我认为过滤器不是这里的方法吗?
编辑:所以在我发现这个 Github Repo 提供了我需要的一切之后,我就开始工作了:
【问题讨论】:
标签: cordova azure spring-boot ionic-framework oauth-2.0