我们已经设置了OAuth2授权服务器,因此我需要创建一个相应的资源服务器(单独的服务器)。我们计划使用Spring Security OAuth2项目。他们关于设置资源服务器的文档:
https://github.com/spring-projects/spring-security- oauth/wiki/oAuth2#resource-server-configuration
token-services- ref应该指向令牌处理bean。但是,似乎令牌处理是由服务器本身完成的,即使它是资源服务器。似乎没有任何远程令牌服务类或与远程服务器有关的任何配置。这与CloudFoundary UAA(https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB- INF/spring- servlet.xml)相反。
token-services- ref
<bean id="tokenServices" class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices"> <property name="checkTokenEndpointUrl" value="${checkTokenEndpointUrl}" />
是否可以将Spring Security OAuth2用于与单独的OAuth2授权服务器通信的资源服务器?如何设置通讯端点?
只要授权服务器和资源服务器访问共享tokenStore(例如,JdbcTokenStore与common一起使用dataSource),就可以这样做。您可以仅使用DefaultTokenServices对您的shared的引用tokenStore。下面是一个示例Spring配置,您应该可以对其进行调整以适合您的需求:
tokenStore
JdbcTokenStore
dataSource
DefaultTokenServices
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd"> <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore"> <constructor-arg name="dataSource" ref="dataSource" /> </bean> <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> <property name="tokenStore" ref="tokenStore" /> </bean> <bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> <property name="realmName" value="myRealm" /> </bean> <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> <constructor-arg> <list> <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> <bean class="org.springframework.security.access.vote.RoleVoter" /> <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> </list> </constructor-arg> </bean> <!-- This is not actually used, but it's required by Spring Security --> <security:authentication-manager alias="authenticationManager" /> <oauth2:expression-handler id="oauthExpressionHandler" /> <oauth2:web-expression-handler id="oauthWebExpressionHandler" /> <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"> <security:expression-handler ref="oauthExpressionHandler" /> </security:global-method-security> <oauth2:resource-server id="myResource" resource-id="myResourceId" token-services-ref="tokenServices" /> <security:http pattern="/myPattern/**" create-session="never" entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager"> <security:anonymous enabled="false" /> <security:intercept-url pattern="/**" access="SCOPE_READ" method="GET" /> <security:intercept-url pattern="/**" access="SCOPE_READ" method="HEAD" /> <security:intercept-url pattern="/**" access="SCOPE_READ" method="OPTIONS" /> <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="PUT" /> <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="POST" /> <security:intercept-url pattern="/**" access="SCOPE_WRITE" method="DELETE" /> <security:custom-filter ref="myResource" before="PRE_AUTH_FILTER" /> <security:access-denied-handler ref="oauthAccessDeniedHandler" /> <security:expression-handler ref="oauthWebExpressionHandler" /> </security:http> </beans>
