
我的代码中有几个Spring REST API受基本TLS保护。但是,我试图通过OAuth2.0 + spring-security(我之前没有做过)来保护我的API。我没有选择使用Facebook或Google OAuth API作为身份验证/授权部分,因此我创建了自己的应用程序,它作为REST API所在应用程序的一部分托管。我参考了下面的示例来完成OAuth部分的设置,配置如下……OAuth2与Spring REST API的集成

https://techannotation.wordpress.com/2014/04/29/5-minutes-with-spring-oauth-2-0/ http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html

<!-- Security filter chain for the token endpoint (/oauth/token).
     create-session="stateless": no HTTP session is created, so the client must
     authenticate on every request; authentication goes through authenticationManager. -->
<http pattern="/oauth/token" create-session="stateless" 
    authentication-manager-ref="authenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <!-- NOTE(review): only GET is access-controlled by this rule; token requests are
         normally POSTed and a POST matches no rule in this chain. Confirm this is
         intended (e.g. drop method="GET" so every method on /oauth/token is covered). -->
    <intercept-url pattern="/oauth/token" method="GET" access="IS_AUTHENTICATED_FULLY" /> 
    <!-- No anonymous principal: an unauthenticated request is rejected instead of
         proceeding as "anonymous". -->
    <anonymous enabled="false" /> 
    <!-- Clients authenticate with HTTP Basic; a failure is rendered by
         clientAuthenticationEntryPoint (realm "security/client", type Basic). -->
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- Second client-authentication path, placed right after the Basic filter; the
         referenced bean delegates to the same authenticationManager. -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" 
     after="BASIC_AUTH_FILTER" /> 
    <!-- Authorization failures are rendered as OAuth2 error responses. -->
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 
<!-- Security filter chain for the protected resource (/generatePDF).
     create-session="never": an existing session may be reused but none is created;
     the caller is expected to present a token, which resourceServerFilter checks.
     Decisions are made by the custom accessDecisionManager (UnanimousBased). -->
<http pattern="/generatePDF" create-session="never" 
    entry-point-ref="oauthAuthenticationEntryPoint" 
    access-decision-manager-ref="accessDecisionManager" use-expressions="true" 
    xmlns="http://www.springframework.org/schema/security"> 
    <anonymous enabled="false" /> 
    <!-- NOTE(review): only POST is access-controlled; other methods on /generatePDF
         match no rule in this chain. With use-expressions="true" the access value is
         normally a SpEL expression (e.g. isFullyAuthenticated() or
         #oauth2.hasScope('read')) — confirm IS_AUTHENTICATED_FULLY evaluates as
         intended. No SCOPE_ requirement is declared, so the scopes granted to the
         client (read,write,trust) are presumably not enforced on this endpoint. -->
    <intercept-url pattern="/generatePDF" method="POST" access="IS_AUTHENTICATED_FULLY" /> 
    <!-- Token-checking filter (oauth:resource-server, defined later in this file),
         inserted before the pre-authentication filter slot. -->
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 
<!-- Entry point for the resource chain (/generatePDF): renders a missing/invalid
     token as an OAuth2 error response. No realmName/typeName is set here, unlike
     clientAuthenticationEntryPoint below, so the class defaults apply. -->
<bean id="oauthAuthenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
</bean> 

<!-- Entry point for the token endpoint chain: challenges unauthenticated clients
     with HTTP Basic (typeName "Basic") for realm "security/client". -->
<bean id="clientAuthenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <property name="realmName" value="security/client" /> 
    <property name="typeName" value="Basic" /> 
</bean> 

<!-- Shared access-denied handler for both <http> chains above: renders an
     authorization failure as an OAuth2 error response. -->
<bean id="oauthAccessDeniedHandler" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> 

<!-- Client-authentication filter for /oauth/token that lets a client send its
     credentials as request parameters instead of an Authorization header.
     NOTE(review): it authenticates against authenticationManager, i.e. the in-memory
     user-service below (user "hcacl"), not against the secret registered for
     client-id "hcacl" in clientDetails — those two credential sets differ. Confirm
     which one clients are expected to send, or back the manager with the client
     details. Sending secrets as request parameters also risks them landing in
     access logs; prefer the Basic header where possible. -->
<bean id="clientCredentialsTokenEndpointFilter" 
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
</bean> 

<!-- Access decision manager for the resource chain. UnanimousBased: every voter that
     casts a vote must grant, a single deny rejects the request.
     ScopeVoter handles SCOPE_* attributes, AuthenticatedVoter the IS_AUTHENTICATED_*
     ones, WebExpressionVoter SpEL web expressions. This bean is in the beans
     namespace (declared locally), unlike the security-namespace elements around it. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" 
    xmlns="http://www.springframework.org/schema/beans"> 
    <constructor-arg> 
     <list> 
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> 
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> 
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" /> 
     </list> 
    </constructor-arg> 
</bean> 
<!-- Authentication manager used by the token endpoint chain and by
     clientCredentialsTokenEndpointFilter. Backed by a single in-memory user.
     NOTE(review): the password is hard-coded in plaintext in the configuration; for
     anything beyond local testing, externalize it (property placeholder / vault) and
     store it hashed, e.g. with a <password-encoder> element under the provider. -->
<authentication-manager alias="authenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <authentication-provider> 
     <user-service id="userDetailsService"> 
      <user name="hcacl" password="pdf4hcacl" authorities="ROLE_CLIENT" /> 
     </user-service> 
    </authentication-provider> 
</authentication-manager> 
<!-- In-memory token store: issued tokens are lost on restart and are not shared
     between instances. Fine for development; use a persistent store for deployment. -->
<bean id="tokenStore" 
    class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" /> 

<!-- Token services shared by the authorization server (issuing) and the resource
     server (checking). Refresh tokens are enabled; clientDetails is wired in,
     presumably so per-client settings (e.g. token validity) can be looked up. -->
<bean id="tokenServices" 
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> 
    <property name="tokenStore" ref="tokenStore" /> 
    <property name="supportRefreshToken" value="true" /> 
    <property name="clientDetailsService" ref="clientDetails" /> 
</bean> 

<!-- User-approval handler for the authorization server; only relevant to the grants
     that involve an end-user approval step (authorization_code, implicit). -->
<bean id="userApprovalHandler" 
    class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler"> 
</bean> 

<!-- Authorization server: issues tokens through tokenServices for the clients in
     clientDetails. All five grant types are enabled. authorization_code and implicit
     are served by /oauth/authorize, which requires an already-authenticated user; the
     InsufficientAuthenticationException shown further down is thrown from
     AuthorizationEndpoint.authorize, and neither <http> chain in this listing covers
     /oauth/authorize. Enabling only the grant types the client actually uses keeps
     the exposed surface small. -->
<oauth:authorization-server 
    client-details-service-ref="clientDetails" token-services-ref="tokenServices" 
    user-approval-handler-ref="userApprovalHandler"> 
    <oauth:authorization-code /> 
    <oauth:implicit /> 
    <oauth:refresh-token /> 
    <oauth:client-credentials /> 
    <!-- NOTE(review): clientAuthenticationManager is not defined in this listing (the
         manager above is aliased authenticationManager). The password grant
         authenticates resource-owner credentials against it — confirm the bean
         exists elsewhere, otherwise the context will not resolve this reference. -->
    <oauth:password authentication-manager-ref="clientAuthenticationManager"/> 
</oauth:authorization-server> 

<!-- Token-checking filter referenced by the /generatePDF chain: validates the
     presented token through tokenServices. resource-id "test" is presumably compared
     with the resource ids a token was issued for; the client entry below declares no
     resource-ids, so confirm this is actually enforced. -->
<oauth:resource-server id="resourceServerFilter" 
    resource-id="test" token-services-ref="tokenServices" /> 

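<!-- In-memory registry of OAuth2 clients used by the authorization server and
     tokenServices. Fix: the grant-type list contained a doubled comma, which
     registered an empty grant type between implicit and client_credentials.
     NOTE(review): the client secret is hard-coded in plaintext; externalize it for
     deployment, and consider restricting the grant types and scopes to what the
     client actually needs (the resource chain declares no scope requirement). -->
<oauth:client-details-service id="clientDetails"> 
    <!-- Add for each client --> 
    <oauth:client client-id="hcacl" 
        authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials" 
        secret="1234567890" authorities="ROLE_CLIENT" scope="read,write,trust" /> 
</oauth:client-details-service> 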

<!-- Expression handler adding the #oauth2.* helpers for method security. Nothing in
     this listing references it, so it is not in effect unless wired in elsewhere. -->
<oauth:expression-handler id="oauthExpressionHandler" /> 

<!-- Web expression handler adding the #oauth2.* helpers (e.g. hasScope) to <http>
     expressions. Neither <http> chain above references it via <expression-handler
     ref="..."/>, so OAuth scope expressions cannot be used there until it is wired in. -->
<oauth:web-expression-handler id="oauthWebExpressionHandler" /> 

然而,当我在soapUI中设置好OAuth参数来测试受保护的资源时,我不断遇到下面的身份验证错误...

[2/26/16 9:37:11:472 EST] 000000b4 webapp  E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[documentService]: org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed. 
    at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) 
    at java.lang.reflect.Method.invoke(Method.java:613) 
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215) 

此时我不清楚需要修复的地方在哪里:是soapUI中的某项设置,还是代码中OAuth配置需要调整?

任何解决此问题的指针都非常感谢!

回答


我发现我的配置其实是正确且可用的,只是不知道如何从soapUI测试我的API。soapUI可以对资源使用OAuth身份验证,但我没能正确设置。我转而在soapUI项目中为/oauth/token创建了另一个资源,并由此取回了令牌。