I am using a Spring Boot application which has REST controllers. I started using OAuth 2.0 in Spring to secure the APIs. Here are the configuration classes I have.
    @Configuration
    @EnableResourceServer
    public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

        private static final String HU_REST_RESOURCE_ID = "rest_api";

        @Autowired
        DataSource dataSource;

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(HU_REST_RESOURCE_ID).stateless(false);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Define the URL patterns for which OAuth2 security is enabled
            http.
                requestMatchers().antMatchers("/user/**").and().
                authorizeRequests().antMatchers("/user/**")
                    .access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))");
        }
    }

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
                    .refreshTokenValiditySeconds(600)
                .and()
                .withClient("my-trusted-client-with-secret")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_USER")
                    .scopes("read", "write", "trust")
                    .accessTokenValiditySeconds(60)
                    .refreshTokenValiditySeconds(600);
        }

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource); // access and refresh tokens are maintained in the database
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.allowFormAuthenticationForClients();
        }
    }

    @Configuration
    public class GlobalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user1").password("user1123").roles("USER");
            auth.inMemoryAuthentication().withUser("user2").password("user2123").roles("ADMIN");
        }
    }
Now, when I hit the URL http://localhost:8080/oauth/token?grant_type=password&client_id=my-trusted-client-with-secret&username=user1&password=user1123
I get the following access token and refresh token:
    {
        "access_token": "87379d65-6012-4484-ba6f-e4c61766ede3",
        "token_type": "bearer",
        "refresh_token": "8b0d0ae3-0855-4465-9d89-a1c31c031b8a",
        "expires_in": 59,
        "scope": "read write trust"
    }
My question is: why do I pass the credentials as query parameters? Can I make a POST request and send the required parameters in the body of the POST request? If yes, how can I do it? My second question is: here I am using in-memory authentication, i.e. 2 users hard coded in the code. How can I make it check the database for the user credentials?
When you use HTTPS (which you should), the complete query is encrypted before being sent through the network, as explained here: Are querystring parameters secure in HTTPS (HTTP + SSL)?
Regarding the second question, if you want Spring to check the authorized users against a database, you have to create a class inheriting from UserDetailsManager
http://docs.spring.io/autorepo/docs/spring-security/4.0.3.release/apidocs/org/springframework/security/provisioning/userdetailsmanager.html
You can implement the different methods, especially loadUserByUsername(String username), which implements UserDetailsService (which is used by the Spring authentication manager), with code that queries the database for the relevant data.
This other question describes how to add the manager to a Spring application and how to make the UserDetailsManager available as a bean.
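For the first question, the following is an added example (not code from the question or the answer) of requesting a token from the /oauth/token endpoint with a POST whose grant parameters travel in the form body rather than in the URL, so that the username and password do not end up in access logs, proxy logs or browser history the way query-string parameters do. It uses Spring's RestTemplate; the token URL is taken from the question, and the client id/secret handling assumes the allowFormAuthenticationForClients() setting shown in the question's authorization server config. The user and client names are the ones from the question.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Added example: password grant sent as a POST with a form-encoded body.
public class PasswordGrantClient {

    // Same endpoint as in the question; use an https:// URL outside local development.
    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";

    public static Map<?, ?> requestToken(String clientId, String clientSecret,
                                         String username, String password) {
        RestTemplate rest = new RestTemplate();

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        // Grant parameters go in the POST body, not in the query string.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("username", username);
        form.add("password", password);
        form.add("scope", "read");

        if (clientSecret != null) {
            // Confidential client: id and secret in an HTTP Basic Authorization header.
            String basic = Base64.getEncoder().encodeToString(
                    (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
            headers.set(HttpHeaders.AUTHORIZATION, "Basic " + basic);
        } else {
            // Client without a secret: the question's config calls
            // allowFormAuthenticationForClients(), so client_id may be a form parameter.
            form.add("client_id", clientId);
        }

        HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(form, headers);
        // The endpoint answers with the same JSON object shown in the question
        // (access_token, token_type, refresh_token, expires_in, scope).
        return rest.postForObject(TOKEN_URL, request, Map.class);
    }

    public static void main(String[] args) {
        // The clients in the question are registered without a secret, so pass null.
        Map<?, ?> token = requestToken("my-trusted-client-with-secret", null, "user1", "user1123");
        // Print only the token type and lifetime; the token itself is a credential.
        System.out.println("token_type=" + token.get("token_type")
                + " expires_in=" + token.get("expires_in"));
    }
}
```

The body of a POST is still sent in clear text without TLS, so this complements HTTPS rather than replacing it; what it removes is the copy of the password that a GET request leaves in every log that records request URLs.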
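For the second question, here is an added example (not code from the answer or from Spring) of a UserDetailsService that loads users and their authorities from a database through JdbcTemplate, wired into the AuthenticationManagerBuilder in place of the two hard-coded in-memory users. The table and column names (users, authorities, password_hash, enabled) are assumed, and the passwords are assumed to be stored as BCrypt hashes so that the encoder verifies the submitted password against the stored hash instead of comparing plaintext.

```java
import java.util.List;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

// Added example: database-backed UserDetailsService (schema names are assumed).
@Service
public class JdbcUserDetailsService implements UserDetailsService {

    // Assumed schema:
    //   users(username VARCHAR PK, password_hash VARCHAR, enabled BOOLEAN)
    //   authorities(username VARCHAR, authority VARCHAR)   e.g. 'ROLE_USER'
    private static final String USER_SQL =
            "SELECT password_hash, enabled FROM users WHERE username = ?";
    private static final String AUTHORITIES_SQL =
            "SELECT authority FROM authorities WHERE username = ?";

    private static final class UserRow {
        final String passwordHash;
        final boolean enabled;
        UserRow(String passwordHash, boolean enabled) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
        }
    }

    private final JdbcTemplate jdbc;

    @Autowired
    public JdbcUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Bound parameters (the ? placeholders) keep the username from being interpreted as SQL.
        List<UserRow> rows = jdbc.query(USER_SQL,
                (rs, n) -> new UserRow(rs.getString("password_hash"), rs.getBoolean("enabled")),
                username);
        if (rows.isEmpty()) {
            // Spring turns this into a generic BadCredentials failure, so the response
            // does not reveal whether the username exists.
            throw new UsernameNotFoundException("User not found");
        }
        UserRow row = rows.get(0);

        List<GrantedAuthority> authorities = jdbc.query(AUTHORITIES_SQL,
                (rs, n) -> new SimpleGrantedAuthority(rs.getString("authority")),
                username);

        // accountNonExpired, credentialsNonExpired and accountNonLocked are fixed to true here;
        // map them from columns if your schema tracks them.
        return new User(username, row.passwordHash, row.enabled, true, true, true, authorities);
    }
}

// Replaces the in-memory GlobalAuthenticationConfig from the question.
@Configuration
class DatabaseAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

    @Autowired
    private JdbcUserDetailsService userDetailsService;

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // The stored value is a BCrypt hash; the encoder compares the submitted
        // password against it, so plaintext passwords never sit in the table.
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}
```

Because the question's authorization server already autowires the AuthenticationManager, this configurer is the only piece that changes: the password grant keeps working, but user1 and user2 now come from the users table with hashed passwords instead of from the source code.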