2014-09-24 87 views
9

Spring OAuth2: password encoder not set in DaoAuthenticationProvider

I am quite new to Spring OAuth and Spring Security. I am trying to use the client_credentials flow in my project. Right now I have managed to use my own CustomDetailsService to fetch the client_id and password (secret) from a database that already exists in my system. The only problem is that I cannot change the password encoder in the DaoAuthenticationProvider used by the AuthorizationServer - it is set to PlaintextPasswordEncoder by default. I cannot configure it the way I want, e.g. a SHAPasswordEncoder. It always uses the plaintext encoder. I probably don't understand the flow well enough, since I am new to Spring.

Below is some of my code (the configuration from when the DaoAuthenticationProvider was not working):

SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
// ShaPasswordEncoder implements the legacy encoding.PasswordEncoder interface,
// not org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String RESOURCE_ID = "restservice";

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/register/**");
    }

    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(daoAuthenticationProvider());
    }

    // This provider (and its encoder) handles user authentication only;
    // it is not the one the authorization server uses to check client secrets.
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(userDetailsService());
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return daoAuthenticationProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new ShaPasswordEncoder();
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private MyCustomClientDetailsService myCustomClientDetailsService;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore());
        }

        @Bean
        public ResourceServerTokenServices defaultTokenServices() {
            final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setSupportRefreshToken(true);
            defaultTokenServices.setTokenStore(tokenStore());
            return defaultTokenServices;
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(myCustomClientDetailsService);
        }

        @Bean
        public MyCustomClientDetailsService detailsService() {
            return new MyCustomClientDetailsService();
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        ...
    }
}

And the custom ClientDetailsService class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

// User and UserService are the asker's own classes (not shown here)
public class MyCustomClientDetailsService implements ClientDetailsService {

    @Autowired
    private UserService userService;

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {

        User fan = userService.getFan(clientId);

        if (fan == null) {
            throw new NoSuchClientException("No client with requested id: " + clientId);
        }

        // resourceIds, scopes, grant types, authorities
        BaseClientDetails details = new BaseClientDetails(clientId, "restservice", "write", "client_credentials", "USER");

        // the stored value is already encoded, so the check must use the same encoder
        details.setClientSecret(fan.getEncodedPassword());

        return details;
    }
}

The encodedPassword fetched from my UserService is always a bad credential, because the DaoAuthenticationProvider sets a PlaintextPasswordEncoder by default.

What am I missing there? Is it possible to set the password encoder that the DaoAuthenticationProvider uses to check the credentials? Or do I have to write my own AuthenticationProvider that does the check the way I want?

+1

I have exactly the same problem. Did you find a solution by overriding configure? – Leon 2015-10-04 11:47:52

Answers

14

The solution I found for this problem is to set it in the AuthorizationServerConfigurerAdapter:

// the same PasswordEncoder bean that is used elsewhere in the configuration
@Autowired
private PasswordEncoder passwordEncoder;

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.passwordEncoder(passwordEncoder);
}
+1

Note that I also had to set it like this in the 'configure(AuthenticationManagerBuilder auth)' override of the 'WebSecurityConfigurerAdapter' subclass: 'auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder)', otherwise only the client_secret was encoded but not the user's password. – 2016-02-04 19:46:10

+0

Thx for the client_secret hint, I forgot to encode it – davey 2017-06-25 14:19:59
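As an added example (not code from the asker or from either answer), here is the two-place configuration that the accepted answer and the comments above describe, written out as one class: the encoder handed to AuthorizationServerSecurityConfigurer is what the client_credentials secret check uses, and the encoder on the AuthenticationManagerBuilder is what user logins use. It assumes a BCryptPasswordEncoder in place of the deprecated ShaPasswordEncoder (the OAuth2 configurer takes the org.springframework.security.crypto.password.PasswordEncoder interface), and the names EncodedSecretsConfig, fanUserDetailsService, fanClientDetailsService and the ClientSecretStore helper are placeholders standing in for the asker's own services.

```java
package example.oauth; // assumed package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;

/**
 * Added example, not the asker's or the answerers' code: one PasswordEncoder
 * bean applied to BOTH credential checks of a Spring Security OAuth2 setup.
 */
@Configuration
public class EncodedSecretsConfig extends WebSecurityConfigurerAdapter {

    // Assumed: a UserDetailsService backed by the asker's existing user table.
    @Autowired
    private UserDetailsService fanUserDetailsService;

    // BCrypt instead of ShaPasswordEncoder: AuthorizationServerSecurityConfigurer
    // expects the crypto.password.PasswordEncoder interface, and BCrypt salts
    // each hash, so two equal secrets do not produce equal stored values.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // User passwords (password grant, form login). Without .passwordEncoder(...)
    // here, only client secrets would be compared against hashes.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(fanUserDetailsService).passwordEncoder(passwordEncoder());
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthServer extends AuthorizationServerConfigurerAdapter {

        // Assumed: returns BaseClientDetails whose clientSecret is the stored hash.
        @Autowired
        private ClientDetailsService fanClientDetailsService;

        @Autowired
        private PasswordEncoder passwordEncoder;

        // Client secrets (client_credentials grant, HTTP Basic on /oauth/token).
        // This encoder, not the one on a DaoAuthenticationProvider bean in the
        // web security config, is what the client-secret comparison uses.
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
            oauthServer.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(fanClientDetailsService);
        }
    }
}

/**
 * Assumed registration-side helper: whatever is written to the database must be
 * encode(raw), and verification goes through matches(); storing the raw secret
 * or comparing strings directly defeats the configuration above.
 */
class ClientSecretStore {
    private final PasswordEncoder encoder;

    ClientSecretStore(PasswordEncoder encoder) {
        this.encoder = encoder;
    }

    String hashForStorage(String rawSecret) {
        return encoder.encode(rawSecret);
    }

    boolean verify(String rawSecret, String storedHash) {
        return encoder.matches(rawSecret, storedHash);
    }
}
```

The part that most often goes wrong is on the storage side: the value a ClientDetailsService hands to setClientSecret must be the output of the same encoder's encode(), because the authorization server verifies it with matches(); a raw secret in the database will never match once a hashing encoder is configured. Declaring the encoder once as a @Bean and injecting it into both the WebSecurityConfigurerAdapter and the nested authorization-server configuration keeps the two checks from drifting apart.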

-1

If you just want to configure a different password encoder for Spring authentication, use this configuration.

<bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="authenticationService">
        <password-encoder ref="encoder" />

        <!-- <user-service>
            <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
        </user-service> -->
    </authentication-provider>
</authentication-manager>

Note: when creating users you need to encrypt the user's password with this same password encoder class.

+0

I am not doing the same thing, I am using Java-based configuration. I am setting the authenticationProvider: auth.authenticationProvider(daoAuthenticationProvider()); which was previously configured to use SHAPasswordEncoder. Or am I wrong? – gajos 2014-09-24 11:02:59

+0

You can configure it with any passwordEncoder. Just remember that the user password should be encrypted with the encode method of the same passwordEncoder class. – 2014-09-24 11:33:31

+0

In XML configuration we can refer to another PasswordEncoder:

<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="inMemoryDaoImpl"/>
    <property name="saltSource" ref="saltSource"/>
    <property name="passwordEncoder" ref="passwordEncoder"/>
</bean> – 2014-09-24 11:38:10