spring-securty-oauth2端點

原創 意猶未盡 2024-05-10 13:59

在接入oauth2之後可以訪問相關oauth2接口

[/oauth/authorize]
[/oauth/token]
[/oauth/check_token]
[/oauth/confirm_access]
[/oauth/token_key]
[/oauth/error]

會好奇是如何實現的。其實內部是基於spring mvc

我們搭建oauth2服務器會有以下配置

@Configuration
@EnableAuthorizationServer//<1>具體端點初始化在這裏
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
 .......
}

<1>

@Target({ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
//<2>AuthorizationServerEndpointsConfiguration 爲端點初始化自動化配置類
@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})
public @interface EnableAuthorizationServer {
}

<2>

@Configuration
@Import({TokenKeyEndpointRegistrar.class})
public class AuthorizationServerEndpointsConfiguration {
    private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();
    @Autowired
    private ClientDetailsService clientDetailsService;
    @Autowired
    private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();

    public AuthorizationServerEndpointsConfiguration() {
    }

   
    //<3> /oauth/authorize spring mvchandler
    @Bean
    public AuthorizationEndpoint authorizationEndpoint() throws Exception {
        AuthorizationEndpoint authorizationEndpoint = new AuthorizationEndpoint();
        FrameworkEndpointHandlerMapping mapping = this.getEndpointsConfigurer().getFrameworkEndpointHandlerMapping();
        authorizationEndpoint.setUserApprovalPage(this.extractPath(mapping, "/oauth/confirm_access"));
        authorizationEndpoint.setProviderExceptionHandler(this.exceptionTranslator());
        authorizationEndpoint.setErrorPage(this.extractPath(mapping, "/oauth/error"));
        authorizationEndpoint.setTokenGranter(this.tokenGranter());
        authorizationEndpoint.setClientDetailsService(this.clientDetailsService);
        authorizationEndpoint.setAuthorizationCodeServices(this.authorizationCodeServices());
        authorizationEndpoint.setOAuth2RequestFactory(this.oauth2RequestFactory());
        authorizationEndpoint.setOAuth2RequestValidator(this.oauth2RequestValidator());
        authorizationEndpoint.setUserApprovalHandler(this.userApprovalHandler());
        return authorizationEndpoint;
    }

     // /oauth/token spring mvchandler
    @Bean
    public TokenEndpoint tokenEndpoint() throws Exception {
        TokenEndpoint tokenEndpoint = new TokenEndpoint();
        tokenEndpoint.setClientDetailsService(this.clientDetailsService);
        tokenEndpoint.setProviderExceptionHandler(this.exceptionTranslator());
        tokenEndpoint.setTokenGranter(this.tokenGranter());
        tokenEndpoint.setOAuth2RequestFactory(this.oauth2RequestFactory());
        tokenEndpoint.setOAuth2RequestValidator(this.oauth2RequestValidator());
        tokenEndpoint.setAllowedRequestMethods(this.allowedTokenEndpointRequestMethods());
        return tokenEndpoint;
    }

     // /oauth/check_token spring mvchandler
    @Bean
    public CheckTokenEndpoint checkTokenEndpoint() {
        CheckTokenEndpoint endpoint = new CheckTokenEndpoint(this.getEndpointsConfigurer().getResourceServerTokenServices());
        endpoint.setAccessTokenConverter(this.getEndpointsConfigurer().getAccessTokenConverter());
        endpoint.setExceptionTranslator(this.exceptionTranslator());
        return endpoint;
    }

    // /oauth/confirm_access 端點
    @Bean
    public WhitelabelApprovalEndpoint whitelabelApprovalEndpoint() {
        return new WhitelabelApprovalEndpoint();
    }

    // /oauth/error 端點
    @Bean
    public WhitelabelErrorEndpoint whitelabelErrorEndpoint() {
        return new WhitelabelErrorEndpoint();
    }

    //<3>spring mvc RequestMappingHandlerMapping 擴展暴露端點
    @Bean
    public FrameworkEndpointHandlerMapping oauth2EndpointHandlerMapping() throws Exception {
        return this.getEndpointsConfigurer().getFrameworkEndpointHandlerMapping();
    }

}

<4>

public class FrameworkEndpointHandlerMapping extends RequestMappingHandlerMapping {

    //<5>匹配端點
    protected boolean isHandler(Class<?> beanType) {
        return AnnotationUtils.findAnnotation(beanType, FrameworkEndpoint.class) != null;
    }

}

<5>

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package org.springframework.security.oauth2.provider.endpoint;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;
import org.springframework.util.StringUtils;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@FrameworkEndpoint //oauth2端點標記
public class TokenEndpoint extends AbstractEndpoint {
    private OAuth2RequestValidator oAuth2RequestValidator = new DefaultOAuth2RequestValidator();
    private Set<HttpMethod> allowedRequestMethods;

    public TokenEndpoint() {
        this.allowedRequestMethods = new HashSet(Arrays.asList(HttpMethod.POST));
    }

    @RequestMapping(
        value = {"/oauth/token"},
        method = {RequestMethod.GET}
    )
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
        if (!this.allowedRequestMethods.contains(HttpMethod.GET)) {
            throw new HttpRequestMethodNotSupportedException("GET");
        } else {
            return this.postAccessToken(principal, parameters);
        }
    }

    @RequestMapping(
        value = {"/oauth/token"},
        method = {RequestMethod.POST}
    )
    public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
        } else {
            String clientId = this.getClientId(principal);
            ClientDetails authenticatedClient = this.getClientDetailsService().loadClientByClientId(clientId);
            TokenRequest tokenRequest = this.getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
            if (clientId != null && !clientId.equals("") && !clientId.equals(tokenRequest.getClientId())) {
                throw new InvalidClientException("Given client ID does not match authenticated client");
            } else {
                if (authenticatedClient != null) {
                    this.oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
                }

                if (!StringUtils.hasText(tokenRequest.getGrantType())) {
                    throw new InvalidRequestException("Missing grant type");
                } else if (tokenRequest.getGrantType().equals("implicit")) {
                    throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
                } else {
                    if (this.isAuthCodeRequest(parameters) && !tokenRequest.getScope().isEmpty()) {
                        this.logger.debug("Clearing scope of incoming token request");
                        tokenRequest.setScope(Collections.emptySet());
                    }

                    if (this.isRefreshTokenRequest(parameters)) {
                        tokenRequest.setScope(OAuth2Utils.parseParameterList((String)parameters.get("scope")));
                    }

                    OAuth2AccessToken token = this.getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
                    if (token == null) {
                        throw new UnsupportedGrantTypeException("Unsupported grant type");
                    } else {
                        return this.getResponse(token);
                    }
                }
            }
        }
    }

    protected String getClientId(Principal principal) {
        Authentication client = (Authentication)principal;
        if (!client.isAuthenticated()) {
            throw new InsufficientAuthenticationException("The client is not authenticated.");
        } else {
            String clientId = client.getName();
            if (client instanceof OAuth2Authentication) {
                clientId = ((OAuth2Authentication)client).getOAuth2Request().getClientId();
            }

            return clientId;
        }
    }

    @ExceptionHandler({HttpRequestMethodNotSupportedException.class})
    public ResponseEntity<OAuth2Exception> handleHttpRequestMethodNotSupportedException(HttpRequestMethodNotSupportedException e) throws Exception {
        if (this.logger.isInfoEnabled()) {
            this.logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
        }

        return this.getExceptionTranslator().translate(e);
    }

    @ExceptionHandler({Exception.class})
    public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
        if (this.logger.isErrorEnabled()) {
            this.logger.error("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage(), e);
        }

        return this.getExceptionTranslator().translate(e);
    }

    @ExceptionHandler({ClientRegistrationException.class})
    public ResponseEntity<OAuth2Exception> handleClientRegistrationException(Exception e) throws Exception {
        if (this.logger.isWarnEnabled()) {
            this.logger.warn("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
        }

        return this.getExceptionTranslator().translate(new BadClientCredentialsException());
    }

    @ExceptionHandler({OAuth2Exception.class})
    public ResponseEntity<OAuth2Exception> handleException(OAuth2Exception e) throws Exception {
        if (this.logger.isWarnEnabled()) {
            this.logger.warn("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
        }

        return this.getExceptionTranslator().translate(e);
    }

    private ResponseEntity<OAuth2AccessToken> getResponse(OAuth2AccessToken accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Cache-Control", "no-store");
        headers.set("Pragma", "no-cache");
        return new ResponseEntity(accessToken, headers, HttpStatus.OK);
    }

    private boolean isRefreshTokenRequest(Map<String, String> parameters) {
        return "refresh_token".equals(parameters.get("grant_type")) && parameters.get("refresh_token") != null;
    }

    private boolean isAuthCodeRequest(Map<String, String> parameters) {
        return "authorization_code".equals(parameters.get("grant_type")) && parameters.get("code") != null;
    }

    public void setOAuth2RequestValidator(OAuth2RequestValidator oAuth2RequestValidator) {
        this.oAuth2RequestValidator = oAuth2RequestValidator;
    }

    public void setAllowedRequestMethods(Set<HttpMethod> allowedRequestMethods) {
        this.allowedRequestMethods = allowedRequestMethods;
    }
}

 

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

多線程和多進程 - 初窺

一、說明 在平常工作中,我們使用top命令查看一臺linux服務器的cpu使用情況時,會發現某個進程的cpu使用率會超過100%,這是爲什麼? 二、舉例 實驗環境爲 CentOS7.6 + Python2.7 1. 多線程、多進程在操作系統

小豹子加油 2024-05-20 14:36:10

Xming - xmanager的替代方案

一、概述 安裝某些數據庫的時候使用圖像化還是比較方便的,但是由於服務器一般不提供圖形化界面。之前一直都是使用Xmanager去導出圖形,但是Xmanager是收費的,公司不讓用,所以找了一款可以完美替代的產品Xming,本文將介紹xming

小豹子加油 2024-05-20 14:36:10

Mysql - 數據庫時區是客戶端屬性還是服務端屬性

一、說明 同事問我數據庫的時區是客戶端屬性還是服務端屬性,我覺得這個問題十分有意思,之前沒怎麼留意,自己來做下實驗。 首先介紹幾個術語。 GMT(Greenwich Mean Time),格林尼治平均時間。 UTC(Coordinated

小豹子加油 2024-05-20 14:36:10

sql求連續值問題

一. 找出表test1中tflag字段連續出現3次及以上爲1的行 思路:1. 對行進行編號,2. 對相鄰三行進行求和算出值作爲sumflag,3. 如果值爲3,則該行以及接下來的2行都輸出出來,通過自關聯解決。 WITH tmp AS (

小豹子加油 2024-05-20 14:36:10

SQL優化-20231016

數據結構 數據庫的表和索引缺一不可 表 特點: 無序,插入速度快,查找速度慢 索引(B+Tree) 特點:有序,插入速度慢,查找速度快 查找的效率比較,如果按照讀取的數據塊來計算? 測試數據 TABLE_OWNER TABLE

小豹子加油 2024-05-20 14:36:10

兩臺數據庫在數據寫入時性能的差異

介紹:我有兩臺數據庫,分別稱爲200和203,200和203的服務器性能配置相當,203的配置甚至還要好一點。都是安裝的centos7.7,oracle 19C,均已開日誌歸檔,這兩臺服務器在同一個機房,同一個網段。當我在本地使用JDBC去

小豹子加油 2024-05-20 14:36:10

Linux安裝MySQL配置教程

1.使用系統的root賬戶 2.切換到 /use/local 目錄下 3.下載mysql  根據自己需要安裝的版本下載。 wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysq

莫等閒也 2024-05-20 14:34:20

salesforce零基礎學習(一百三十七)零碎知識點小總結(九)

本篇參考:  https://help.salesforce.com/s/articleView?id=release-notes.rn_lab_conditional_visibiliy_tab.htm&release=250&type=

zero.zhang 2024-05-20 14:34:10

sql server sp_executesql 中使用表變量進行查詢

示例demo: DECLARE @table IdTableType INSERT INTO @table SELECT Id FROM dbo.t_pl_test DECLARE @SearchSQL NVARCHAR(MAX) SE

自閉玩家 2024-05-20 14:32:10

Flink精確消費一次

 在大數據計算裏面,計算引擎是處於承上啓下的作用,對上承接數據源,對下承接各種各種數據庫,比如mysql、oracle。對於任何數據計算來說要想精確消費一次,就需要支持事務或者冪等,我們最常見的支持事務的就是單點的oracle、mysql數

人不瘋狂枉一生 2024-05-20 14:27:59

5款.NET開源、免費、功能強大的圖表庫

LiveCharts2 LiveCharts2是一個.NET開源(MIT License)、簡單、靈活、交互式且功能強大的.NET圖表、地圖和儀表,現在幾乎可以在任何地方運行如:Maui、Uno Platform、Blazor-wasm、W

追逐時光 2024-05-20 14:26:59

終於搞懂了!原來 Vue 3 的 generate 是這樣生成 render 函數的

前言 在之前的 面試官:來說說vue3是怎麼處理內置的v-for、v-model等指令? 文章中講了transform階段處理完v-for、v-model等指令後,會生成一棵javascript AST抽象語法樹。這篇文章我們來接着講gen

你假裝沒察覺 2024-05-20 14:26:19

Markdown基礎語法2024測試

標題一 標題二 標題三 標題四 標題五 標題六 hr 加粗字體 b 斜體字體 i 引用內容 code 超鏈接 a blockquote ol > li 有序列表 ul > li 無須列表 pre 代碼塊 p 表格標

喵喵撲 2024-05-20 14:26:09

ue5生成vs工程報錯-msvc版本太舊

ue生成VS工程報錯 右鍵 - uproject ,Generating VisualStudio project files ,報錯信息如下:就是我安裝的msvc版本太舊 Running C:/Program Files/Epic Ga

趙青青 2024-05-20 14:25:39

vscode 清理遠程服務器內存

因網絡中斷或其他原因,有時候服務器上留下較多無用的vscode-server進程,佔用內存資源 可以採用如下命令kill進程 ps uxa | grep .vscode-server | awk '{print $2}' | xargs k

張博的博客 2024-05-20 14:24:58