2011-05-05 100 views

我從 http://spring-security-oauth.codehaus.org/tutorial.html 下載了示例項目,並試圖在我的 trialsite 中實現 Spring Security OAuth。

下面是我的 dispatcher servlet 配置 XML

<!-- Dispatcher-servlet handler mapping: routes the exact path /oauth/authorization to the
     oauthController bean. The client request shown on this page targets
     /oauth/user/authorize, which has no entry in this mapping. -->
<bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> 
    <property name="mappings"> 
    <props> 
     <prop key="/oauth/authorization">oauthController</prop> 
    </props> 
    </property> 
    <!-- Match handlers against the full path inside the web application instead of the
         part that follows the servlet mapping. -->
    <property name="alwaysUseFullPath" value="true"/> 
</bean> 

<!-- Controller bean behind the /oauth/authorization mapping; it receives the clientDetails
     service declared in the application context.
     NOTE(review): mypackage.OauthController is not shown on this page; presumably it renders
     the user approval step. Confirm that it only displays client data looked up through
     clientDetailsService and never values taken straight from request parameters. -->
<bean id="oauthController" class="mypackage.OauthController"> 
    <property name="clientDetailsService" ref="clientDetails"/> 
</bean> 

下面是應用程序上下文

<!-- Web security filter chain for the whole application. Users refused access are sent to
     /index.jsp, which is also the login page below. -->
<security:http auto-config='true' access-denied-page="/index.jsp"> 
    <!-- intercept-url rules are checked top to bottom and the first matching pattern applies,
         so the /oauth/** rule has to stay above the /** catch-all. Everything under /oauth/
         requires a logged-in user holding ROLE_USER. -->
    <security:intercept-url pattern="/oauth/**" access="ROLE_USER" /> 
    <!-- Every other URL is reachable without logging in. -->
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 

    <!-- Login form, login failure and post-login landing page all resolve to /index.jsp. -->
    <security:form-login authentication-failure-url="/index.jsp" default-target-url="/index.jsp" login-page="/index.jsp" /> 
    <security:logout logout-success-url="/index.jsp" /> 
</security:http> 

<!-- Token service used by the OAuth provider declared in this context.
     NOTE(review): judging by the class name, issued tokens are held only in this JVM's
     memory, so they would be lost on restart and not shared between nodes; confirm before
     using this outside a trial setup. -->
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices"> 
    <!-- Turns on refresh-token support. NOTE(review): refresh tokens are long-lived
         credentials; check their lifetime and revocation handling in this version. -->
    <property name="supportRefreshToken" value="true"/> 
</bean> 

<!-- OAuth 2 provider wiring: client lookups go to the clientDetails service and token
     handling to the tokenServices bean.
     NOTE(review): no authorization or token endpoint URL is set here, so the defaults of
     this library version apply; verify that the URL the client calls
     (/oauth/user/authorize on this page) is the one the provider actually listens on. -->
<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices" > 
    <!-- Users are sent to /oauth/authorization to approve the client; that path is covered
         by the /oauth/** rule requiring ROLE_USER. -->
    <oauth:verification-code user-approval-page="/oauth/authorization"/> 
</oauth:provider> 

<!-- Static client registry with a single client, client1, limited to the
     authorization_code grant.
     NOTE(review): this element declares no client secret, scope or redirect URI. Outside a
     local trial, register the client's redirect URI and a secret so that an authorization
     code cannot be delivered to, or redeemed by, an unregistered party; check which
     attributes this schema version provides for that. -->
<oauth:client-details-service id="clientDetails"> 
    <oauth:client clientId="client1" authorizedGrantTypes="authorization_code"/> 
</oauth:client-details-service> 

從客戶端發送以下請求後:

http://localhost:8080/trialsite/oauth/user/authorize?client_id=client1&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Ftonr%2Ftrialsite%2Faccess.jsp&response_type=code

我得到404錯誤(找不到資源),可能是什麼問題?

回答


請確保您有以下 http 標籤的配置:

<!-- Dedicated filter chain for the OAuth user and client resources, selected by a regex on
     the request path. It creates no HTTP session and sends unauthenticated callers to the
     oauthAuthenticationEntryPoint bean.
     NOTE(review): the pattern covers /oauth/users/ and /oauth/clients/ only; it does not
     match the /oauth/user/authorize URL from the question. The beans referenced here
     (oauthAuthenticationEntryPoint, resourceServerFilter, oauthAccessDeniedHandler,
     oauthWebExpressionHandler) are not defined on this page and must exist in the context. -->
<http pattern="/oauth/(users|clients)/.*" request-matcher="regex" 
    create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" 
    use-expressions="true" xmlns="http://www.springframework.org/schema/security"> 
    <!-- Anonymous authentication is switched off for this chain. -->
    <anonymous enabled="false" /> 
    <!-- Deleting a user's token needs a client with ROLE_CLIENT, either a ROLE_USER user or
         the client acting for itself, and the write scope. -->
    <intercept-url pattern="/oauth/users/([^/].*?)/tokens/.*" 
     access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')" 
     method="DELETE" /> 
    <!-- Reading under /oauth/users/ needs the same client and user conditions with the read
         scope. -->
    <intercept-url pattern="/oauth/users/.*" 
     access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')" 
     method="GET" /> 
    <!-- Reading under /oauth/clients/ is restricted to the client itself with the read scope.
         NOTE(review): only DELETE and GET are listed in this chain; confirm how requests
         using other methods on these paths are treated and consider a trailing deny rule. -->
    <intercept-url pattern="/oauth/clients/.*" 
     access="#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')" 
     method="GET" /> 
    <!-- The resource server filter runs ahead of the pre-authentication filter position. -->
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
    <expression-handler ref="oauthWebExpressionHandler" /> 
</http> 

並把它放在您現有的 「http ...security」 配置之前。

還要確保您使用的用戶已經登錄,並且具有 ROLE_USER 角色。


您必須在 web.xml 中添加 Spring 的 dispatcher servlet,因爲端點(oauth/authorize 和 oauth/token)是由 Spring servlet 處理的。您還必須在 provider.xml 文件中添加相應的配置標籤(原文此處的標籤名在頁面中已丟失)。