我正在升级现有的Client Credentials Oauth2以使用spring boot 2。
授权服务器使用Basic Auth和(client:secret)
的Base64编码
我正在使用RedisTokenStore来存储令牌。
我正在努力应对新升级的Oauth2配置所需的配置。我找不到一个适当的文档,指出我的客户端凭据流程。
随着Spring 5 Security的更新,密码编码失败,我得到: -
java.lang.IllegalArgumentException:没有为id“null”错误映射PasswordEncoder
以下是我的配置: -
@Configuration
public class WebConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
csrf().disable().
authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll();
}
}
AuthorizationServer和ResourceServer
@Configuration
@EnableAuthorizationServer
public class Oauth2Configuration extends AuthorizationServerConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private JedisConnectionFactory jedisConnFactory;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetailsService);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore());
super.configure(endpoints);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
String idForEncode = "bcrypt";
Map<String, PasswordEncoder> encoderMap = new HashMap<>();
encoderMap.put(idForEncode, new BCryptPasswordEncoder());
return new DelegatingPasswordEncoder(idForEncode, encoderMap);
}
@Bean
public TokenStore tokenStore() {
return new Oauth2TokenStore(jedisConnFactory);
}
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/verify_token").authenticated()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(HttpMethod.GET, "/info").permitAll()
.antMatchers(HttpMethod.GET, "/health").permitAll();
}
}
}
RedisTokenStore
public class Oauth2TokenStore extends RedisTokenStore {
@Autowired
private ClientDetailsService clientDetailsService;
public Oauth2TokenStore(RedisConnectionFactory connectionFactory) {
super(connectionFactory);
}
@Override
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
Object principal = authentication.getPrincipal();
//Principal is consumer key since we only support client credential flow
String consumerKey = (String) principal;
//get client detials
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(consumerKey);
// Logic to Create JWT
.
.
.
//Set it to Authentication
authentication.setDetails(authToken);
super.storeAccessToken(token, authentication);
}
@Override
public OAuth2Authentication readAuthentication(String token) {
OAuth2Authentication oAuth2Authentication = super.readAuthentication(token);
if (oAuth2Authentication == null) {
throw new InvalidTokenException("Access token expired");
}
return oAuth2Authentication;
}
}
}
当我在spring安全密码编码更新后存储在redis存储中时,我还需要对令牌进行编码吗?
此错误表示存储的密码不以密码类型为前缀。
例如,您的哈希密码可能类似于:
$2a$10$betZ1XaM8rTUQHwWS.cyIeTKJySBfZsmC3AYxYjwa4fHtr6i/.9oG
但是,Spring Security现在期待:
{bcrypt}$2a$10$betZ1XaM8rTUQHwWS.cyIeTKJySBfZsmC3AYxYjwa4fHtr6i/.9oG
你基本上有two options。第一个是配置你的DelegatingPasswordEncoder
应该是默认值:
@Bean
public PasswordEncoder passwordEncoder() {
String idForEncode = "bcrypt";
BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
Map<String, PasswordEncoder> encoderMap =
Collections.singletonMap(idForEncode, bcrypt);
DelegatingPasswordEncoder delegating =
new DelegatingPasswordEncoder(idForEncode, encoderMap);
delegating.setDefaultPasswordEncoderForMatches(bcrypt);
return delegating;
}
或者第二种方法是对密码存储进行批量升级(以{bcrypt}
为前缀)。
我不确定你的ClientDetailsService
是从哪里拉出来的,但我会开始寻找那里。
更新:但是,这假定您的现有密码是加密的。如果不是,那么您将提供适当的编码器:
@Bean
public PasswordEncoder passwordEncoder() {
String idForEncode = "bcrypt";
PasswordEncoder existing = new MyPasswordEncoder();
PasswordEncoder updated = new BCryptPasswordEncoder();
Map<String, PasswordEncoder> encoderMap =
Collections.singletonMap(idForEncode, updated);
DelegatingPasswordEncoder delegating =
new DelegatingPasswordEncoder(idForEncode, encoderMap);
delegating.setDefaultPasswordEncoderForMatches(existing);
return delegating;
}