【Question title】: Is there an example on NON-namespace configuration for Oauth for Spring Security?
【Posted】: 2011-07-18 09:09:11
【Question description】:

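For various reasons, we cannot use Spring's namespace configuration. Is there an example of an OAuth 2.0 configuration that does not use the namespace configuration mechanism? Mostly, I am trying to figure out which filter needs to be included in the filter chain.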

【Question discussion】:

    Tags: oauth spring-security


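    【Solution 1】:

    Here are the filters that fire for me in a namespace-based OAuth 2.0 provider configuration. You can get them by setting up the namespace and turning on debug logging for Spring Security.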

    firing Filter: 'BasicUserApprovalFilter'
    firing Filter: 'SecurityContextPersistenceFilter'
    firing Filter: 'LogoutFilter'
    firing Filter: 'UsernamePasswordAuthenticationFilter'
    firing Filter: 'BasicAuthenticationFilter'
    firing Filter: 'RequestCacheAwareFilter'
    firing Filter: 'SecurityContextHolderAwareRequestFilter'
    firing Filter: 'AnonymousAuthenticationFilter'
    firing Filter: 'SessionManagementFilter'
    firing Filter: 'ExceptionTranslationFilter'
    firing Filter: 'OAuth2ExceptionHandlerFilter'
    firing Filter: 'VerificationCodeFilter'
    firing Filter: 'OAuth2AuthorizationFilter'
    firing Filter: 'OAuth2ProtectedResourceFilter'
    firing Filter: 'FilterSecurityInterceptor'
    

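    【Discussion】:

    • Thanks, this is helpful. The various supporting beans (authentication providers, etc.) are still missing, but this makes it easier to fill in the gaps.
    【Solution 2】:

    Here is the setup I made to get the basic OAuth 2.0 flow working (basically the same as in the Tonr/Sparklr demo). Our security setup is complex, so I will only reproduce the relevant snippets below.

    First, the filter chain order: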

    BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor
    

    Note that the AnonymousAuthenticationFilter is absolutely required, even if you don't use it anywhere else.

    Now the supporting beans:

    <bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>
    
    <bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
        <property name="clientDetailsService" ref="clientDetailsService"/>
        <property name="verificationServices" ref="verificationCodeServices"/>
        <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>
    
        <property name="unapprovedAuthenticationHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <!-- This is where you define your confirmation page -->
                <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
            </bean>
        </property>
    </bean>
    
    <bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
                <property name="tokenServices" ref="tokenServices"/>
            </bean>
        </property>
    </bean>
    
    <bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
        <property name="tokenServices" ref="tokenServices"/>
    </bean>
    
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
        <property name="supportRefreshToken" value="true"/>
    </bean>
    
    <bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
        <property name="clientDetailsStore">
            <map>
                <entry key="tonr">
                    <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
                        <property name="clientId" value="tonr"/>
                        <property name="authorizedGrantTypes">
                            <list>
                                <value>authorization_code</value>
                                <value>refresh_token</value>
                            </list>
                        </property>
                    </bean>
                </entry>
            </map>
        </property>
    </bean>
    
    <bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>
    
    <bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
        <property name="verificationServices" ref="verificationCodeServices"/>
    </bean>
    
    <bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
        <property name="clientDetailsService" ref="clientDetailsService"/>
    </bean>
    
    <bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>
    

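    Note that the services (client, token, verification code) are just the in-memory versions that are provided. You will need to create your own versions for persistence.

    Finally, you need to wire the providers into your authentication manager: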

    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="oauth2AccessGrantAuthenticationProvider"/>
                <ref local="oauth2VerificationAuthenticationProvider"/>
                <ref local="oauth2RefreshAuthenticationProvider"/>
                <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                    <property name="key" value="mykey"/>
                </bean>
            </list>
        </property>
    </bean>
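
Both answers give the same filter order, and the first notes that it can be read from the Spring Security debug log. The following is an added example, not code from either answer or from Spring Security: it parses `firing Filter: '...'` lines from a debug log of a hand-wired chain and reports filters that are missing, unexpected or out of order relative to the list on this page. The sample log and the names `fired_filters` and `check_chain` are constructed for illustration.

```python
import re

# Reference order: the filter list given in the answers on this page.
EXPECTED_ORDER = (
    "BasicUserApprovalFilter SecurityContextPersistenceFilter LogoutFilter "
    "UsernamePasswordAuthenticationFilter BasicAuthenticationFilter "
    "RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter "
    "AnonymousAuthenticationFilter SessionManagementFilter "
    "ExceptionTranslationFilter OAuth2ExceptionHandlerFilter "
    "VerificationCodeFilter OAuth2AuthorizationFilter "
    "OAuth2ProtectedResourceFilter FilterSecurityInterceptor"
).split()

FIRING = re.compile(r"firing Filter: '([^']+)'")


def fired_filters(log_text):
    """Return filter names in the order they first fire in a debug log."""
    seen = []
    for name in FIRING.findall(log_text):
        if name not in seen:  # later requests repeat the same chain
            seen.append(name)
    return seen


def check_chain(actual, expected=EXPECTED_ORDER):
    """Compare a hand-wired chain against the reference order."""
    missing = [f for f in expected if f not in actual]
    extra = [f for f in actual if f not in expected]
    # Restrict both lists to shared filters, then compare position by position.
    common_actual = [f for f in actual if f in expected]
    common_expected = [f for f in expected if f in actual]
    misordered = [a for a, e in zip(common_actual, common_expected) if a != e]
    return {"missing": missing, "extra": extra, "misordered": misordered}


# Constructed sample: debug output of a hand-wired chain that omits
# AnonymousAuthenticationFilter and swaps two of the OAuth2 filters.
_wired = [f for f in EXPECTED_ORDER if f != "AnonymousAuthenticationFilter"]
_i = _wired.index("OAuth2AuthorizationFilter")
_wired[_i], _wired[_i + 1] = _wired[_i + 1], _wired[_i]
SAMPLE_LOG = "\n".join(
    f"DEBUG FilterChainProxy - /oauth/authorize; firing Filter: '{name}'"
    for name in _wired * 2  # two requests, so every filter fires twice
)

if __name__ == "__main__":
    print(check_chain(fired_filters(SAMPLE_LOG)))
```
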
    
