对于最新的稳定版本,请使用 Spring Security 6.5.3spring-doc.cadn.net.cn

OAuth 2.0 不记名Tokens

不记名Tokens解析

默认情况下,资源服务器会在Authorization页眉。 但是,这可以通过多种方式进行定制。spring-doc.cadn.net.cn

从自定义标头读取持有者Tokens

例如,您可能需要从自定义标头读取持有者Tokens。 为此,您可以公开一个DefaultBearerTokenResolver作为 bean,或将实例连接到 DSL,如以下示例所示:spring-doc.cadn.net.cn

自定义持有者Tokens标头
@Bean
BearerTokenResolver bearerTokenResolver() {
    DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
    bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
    return bearerTokenResolver;
}
@Bean
fun bearerTokenResolver(): BearerTokenResolver {
    val bearerTokenResolver = DefaultBearerTokenResolver()
    bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
    return bearerTokenResolver
}
<http>
    <oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>

<bean id="bearerTokenResolver"
        class="org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver">
    <property name="bearerTokenHeaderName" value="Proxy-Authorization"/>
</bean>

或者,在提供程序同时使用自定义标头和值的情况下,您可以使用HeaderBearerTokenResolver相反。spring-doc.cadn.net.cn

从表单参数读取持有者Tokens

或者,您可能希望从表单参数中读取Tokens,这可以通过配置DefaultBearerTokenResolver,如下所示:spring-doc.cadn.net.cn

表单参数不记名Tokens
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
http
    .oauth2ResourceServer(oauth2 -> oauth2
        .bearerTokenResolver(resolver)
    );
val resolver = DefaultBearerTokenResolver()
resolver.setAllowFormEncodedBodyParameter(true)
http {
    oauth2ResourceServer {
        bearerTokenResolver = resolver
    }
}
<http>
    <oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>

<bean id="bearerTokenResolver"
        class="org.springframework.security.oauth2.server.resource.web.HeaderBearerTokenResolver">
    <property name="allowFormEncodedBodyParameter" value="true"/>
</bean>

不记名Tokens传播

现在,资源服务器已经验证了Tokens,将其传递给下游服务可能会很方便。 这很简单ServletBearerExchangeFilterFunction,您可以在以下示例中看到:spring-doc.cadn.net.cn

@Bean
public WebClient rest() {
    return WebClient.builder()
            .filter(new ServletBearerExchangeFilterFunction())
            .build();
}
@Bean
fun rest(): WebClient {
    return WebClient.builder()
            .filter(ServletBearerExchangeFilterFunction())
            .build()
}

当上述情况WebClient用于执行请求,Spring Security 将查找当前Authentication并提取任何AbstractOAuth2Token凭据。 然后,它将在Authorization页眉。spring-doc.cadn.net.cn

例如:spring-doc.cadn.net.cn

this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .retrieve()
        .bodyToMono(String.class)
        .block()
this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .retrieve()
        .bodyToMono<String>()
        .block()

将调用other-service.example.com/endpoint,添加不记名TokensAuthorization标题。spring-doc.cadn.net.cn

在需要覆盖此行为的地方,只需自己提供标头即可,如下所示:spring-doc.cadn.net.cn

this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .headers(headers -> headers.setBearerAuth(overridingToken))
        .retrieve()
        .bodyToMono(String.class)
        .block()
this.rest.get()
        .uri("https://other-service.example.com/endpoint")
        .headers{  headers -> headers.setBearerAuth(overridingToken)}
        .retrieve()
        .bodyToMono<String>()
        .block()

在这种情况下,筛选器将回退,并简单地将请求转发到 Web 筛选器链的其余部分。spring-doc.cadn.net.cn

OAuth 2.0 客户端筛选器函数不同,此筛选器函数不会尝试续订Tokens(如果Tokens已过期)。 要获得此级别的支持,请使用 OAuth 2.0 客户端过滤器。

RestTemplate支持

没有RestTemplate等效于ServletBearerExchangeFilterFunction目前,但您可以使用自己的拦截器非常简单地传播请求的持有者Tokens:spring-doc.cadn.net.cn

@Bean
RestTemplate rest() {
	RestTemplate rest = new RestTemplate();
	rest.getInterceptors().add((request, body, execution) -> {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		if (authentication == null) {
			return execution.execute(request, body);
		}

		if (!(authentication.getCredentials() instanceof AbstractOAuth2Token)) {
			return execution.execute(request, body);
		}

		AbstractOAuth2Token token = (AbstractOAuth2Token) authentication.getCredentials();
	    request.getHeaders().setBearerAuth(token.getTokenValue());
	    return execution.execute(request, body);
	});
	return rest;
}
@Bean
fun rest(): RestTemplate {
    val rest = RestTemplate()
    rest.interceptors.add(ClientHttpRequestInterceptor { request, body, execution ->
        val authentication: Authentication? = SecurityContextHolder.getContext().authentication
        if (authentication == null) {
            return execution.execute(request, body)
        }

        if (authentication.credentials !is AbstractOAuth2Token) {
            return execution.execute(request, body)
        }

        request.headers.setBearerAuth(authentication.credentials.tokenValue)
        execution.execute(request, body)
    })
    return rest
}
OAuth 2.0 授权客户端管理器不同,如果Tokens过期,此过滤器拦截器不会尝试续订Tokens。 要获得此级别的支持,请使用 OAuth 2.0 授权客户端管理器创建拦截器。

不记名Tokens失败

持有者Tokens可能由于多种原因而无效。例如,Tokens可能不再处于活动状态。spring-doc.cadn.net.cn

在这些情况下,资源服务器会抛出InvalidBearerTokenException. 与其他异常一样,这会导致 OAuth 2.0 Bearer Token 错误响应:spring-doc.cadn.net.cn

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error_code="invalid_token", error_description="Unsupported algorithm of none", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

此外,它还发布为AuthenticationFailureBadCredentialsEvent,您可以在应用程序中监听,如下所示:spring-doc.cadn.net.cn

@Component
public class FailureEvents {
	@EventListener
    public void onFailure(AuthenticationFailureBadCredentialsEvent badCredentials) {
		if (badCredentials.getAuthentication() instanceof BearerTokenAuthenticationToken) {
		    // ... handle
        }
    }
}
@Component
class FailureEvents {
    @EventListener
    fun onFailure(badCredentials: AuthenticationFailureBadCredentialsEvent) {
        if (badCredentials.authentication is BearerTokenAuthenticationToken) {
            // ... handle
        }
    }
}