2015-03-13 92 views
2

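Spring Security and OAuth2: generating a token with a custom grant type

I'm using Spring with OAuth2 to secure a web service with tokens, and I added a custom grant type (custom-grant):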

<bean id="myTokenGranter" class="com.example.oauth2.MyTokenGranter" /> 

<oauth:authorization-server client-details-service-ref="client-details-service" token-services-ref="tokenServices"> 
    <oauth:refresh-token/> 
    <oauth:password/> 
    <oauth:custom-grant token-granter-ref="myTokenGranter" /> 
</oauth:authorization-server> 

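Spring calls the implementation just fine. However, I don't know how I should actually generate a token here. I saw that they use a class called "RandomValueStringGenerator", but I'm not sure whether there is a better way, and I don't know how to generate a "good" token either: how long it should be, whether Spring actually checks the token for uniqueness, and so on. Is there a way to call Spring's own generator part here?

This is my token granter class right now: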

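import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.provider.TokenGranter;
import org.springframework.security.oauth2.provider.TokenRequest;

public class MyTokenGranter implements TokenGranter {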

private RandomValueStringGenerator generator = new RandomValueStringGenerator(); 

@Override 
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) { 
    //...logic added here later 
    return new DefaultOAuth2AccessToken(generator.generate()); 
} 

}

I couldn't find a good example; there is only a half-implemented test token granter in the Spring OAuth2 source.

+0

There is also org.springframework.security.oauth2.provider.token.AbstractTokenGranter, which I could extend, but I don't know how to pass the constructor params in my XML config? – breakline 2015-03-13 14:09:02
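On the question's points about token length and uniqueness, the following is an added example (not code from the post or from Spring) that issues 256-bit tokens from SecureRandom, keeps only their SHA-256 digest, and enforces uniqueness at the store. The class name, method names, in-memory map and client id are assumptions; the 6-character, 62-symbol comparison corresponds to what RandomValueStringGenerator's no-argument constructor produces in spring-security-oauth2.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; OpaqueTokenIssuer and its methods are hypothetical names.
public class OpaqueTokenIssuer {
    private static final int TOKEN_BYTES = 32; // 256 bits from a CSPRNG
    private final SecureRandom random = new SecureRandom();
    // Constructed in-memory store: SHA-256(token) -> client id. The raw token is never kept.
    private final ConcurrentHashMap<String, String> store = new ConcurrentHashMap<>();

    // Upper bound on the entropy (in bits) of `length` random symbols from an alphabet.
    static double entropyBits(int alphabetSize, int length) { return length * Math.log(alphabetSize) / Math.log(2); }

    // Store key: Base64 of the SHA-256 digest, so a leaked store does not yield usable tokens.
    static String digest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    // Issues a token; uniqueness is enforced by the store instead of being assumed.
    public String issue(String clientId) {
        byte[] raw = new byte[TOKEN_BYTES];
        String token;
        do {
            random.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } while (store.putIfAbsent(digest(token), clientId) != null);
        return token;
    }

    // Returns the client id the token was issued to, or null if the token is unknown.
    public String lookup(String token) { return store.get(digest(token)); }

    public static void main(String[] args) {
        OpaqueTokenIssuer issuer = new OpaqueTokenIssuer();
        String token = issuer.issue("sample-client"); // constructed client id
        System.out.printf("6 chars over 62 symbols: at most %.1f bits; this token: %d bits, %d chars%n",
                entropyBits(62, 6), TOKEN_BYTES * 8, token.length());
        System.out.println("issued to: " + issuer.lookup(token));
    }
}
```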

Answers

1

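OK, this can be done via org.springframework.security.oauth2.provider.token.AbstractTokenGranter, either by copying it or by trying to pass the right constructors. I'm just posting it for anyone who has the same problem. You can also extend AbstractTokenGranter, but I failed to pass the appropriate constructors.

This is my implementation: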

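import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenGranter;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

public class MyTokenGranter implements TokenGranter {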

@Autowired 
private AuthorizationServerTokenServices tokenService; 

@Autowired 
private ClientDetailsService clientDetailsService; 

@Autowired 
private DefaultOAuth2RequestFactory defaultOauth2RequestFactory; 

private String grantType; 

@Override 
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) { 
    if (!this.grantType.equals(grantType)) { 
     return null; 
    } 
    String clientId = tokenRequest.getClientId(); 
    ClientDetails client = clientDetailsService.loadClientByClientId(clientId); 
    validateGrantType(grantType, client); 
    return getAccessToken(client, tokenRequest); 
} 

protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) { 
    return tokenService.createAccessToken(getOAuth2Authentication(client, tokenRequest)); 
} 

protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { 
    OAuth2Request storedOAuth2Request = defaultOauth2RequestFactory.createOAuth2Request(client, tokenRequest); 
    return new OAuth2Authentication(storedOAuth2Request, null); 
} 

protected void validateGrantType(String grantType, ClientDetails clientDetails) { 
    Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes(); 
    if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty() 
      && !authorizedGrantTypes.contains(grantType)) { 
     throw new InvalidClientException("Unauthorized grant type: " + grantType); 
    } 
} 

public String getGrantType() { 
    return grantType; 
} 

public void setGrantType(String grantType) { 
    this.grantType = grantType; 
} 

}

XML configuration:

<bean id="myTokenGranter" class="com.example.MyTokenGranter"> 
    <property name="grantType" value="custom-grant" /> 
</bean> 
<oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"> 
    <oauth:refresh-token/> 
    <oauth:password/> 
    <oauth:custom-grant token-granter-ref="myTokenGranter" /> 
</oauth:authorization-server>

0

More of an FYI, but if you extend AbstractTokenGranter, you can use constructor-arg. For example:

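import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

public class MyTokenGranter extends AbstractTokenGranter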
{ 
    private static final String GRANT_TYPE = "custom-grant"; 

    protected MyTokenGranter(
      AuthorizationServerTokenServices tokenServices, 
      ClientDetailsService clientDetailsService) 
    { 
     super(tokenServices, clientDetailsService, GRANT_TYPE); 
    } 

    @Override 
    protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) 
    { 
     throw new RuntimeException("Not implemented"); 
    } 
} 

<bean id="myTokenGranter" class="com.example.MyTokenGranter"> 
    <constructor-arg ref="tokenServices"/> 
    <constructor-arg ref="clientDetailsService"/> 
</bean>