问题描述

我是Spring Oauth和Spring Security的新手。我正在尝试在项目中使用client_credentials流程。现在我设法使用我自己的CustomDetailsS​​ervice来从我系统中已经存在的数据库中获取client_id和密码（secret）。唯一的问题是我无法更改AuthorizationServer使用的DaoAuthenticationProvider中的密码编码器 - 它默认设置为PlaintextPasswordEncoder。我无法按照它的方式配置它，例如SHAPasswordEncoder。它总是使用明文编码器。我可能不太了解流程，因为我是Spring的新手。

I'm quite new to Spring Oauth and Spring Security. I'm trying to use the client_credentials flow in my project. For now i managed to user my own CustomDetailsService in order to fetch client_id and password (secret) from a database that already exists in my system. The only problem is that I cannot change the password encoder in DaoAuthenticationProvider that is used by AuthorizationServer - it is set by default to PlaintextPasswordEncoder. I wasn't able to configure it the way, that it would use for example SHAPasswordEncoder. It always uses the plaintext encoder. I probably don't understand the flow well enough, as I am a newbie in Spring.

这是我的一些代码（没有DaoAuthenticationProvider的工作配置）：

Here's some code of mine (with not working configuration of DaoAuthenticationProvider):

SecurityConfig.java

SecurityConfig.java

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private static final String RESOURCE_ID = "restservice";

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/register/**");

}

@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(daoAuthenticationProvider());
}

@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
    DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
    daoAuthenticationProvider.setUserDetailsService(userDetailsService());
    daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
    return daoAuthenticationProvider;
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new ShaPasswordEncoder();
}

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private MyCustomClientDetailsService myCustomClientDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.tokenStore(tokenStore());
    }

    @Bean
    public ResourceServerTokenServices defaultTokenServices() {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setSupportRefreshToken(true);
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(myCustomClientDetailsService);
    }

    @Bean
    public MyCustomClientDetailsService detailsService() {
        return new MyCustomClientDetailsService();
    }
}

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    ...
}
}

自定义ClientDetailsS​​ervice类：

And the custom ClientDetailsService class:

public class MyCustomClientDetailsService implements ClientDetailsService {

@Autowired
private UserService userService;

@Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {

    User fan = userService.getFan(clientId);

    if (fan == null) {
        throw new NoSuchClientException("No client with requested id: " + clientId);
    }

    BaseClientDetails details = new BaseClientDetails(clientId, restservice, "write", "client_credentials", "USER");

    details.setClientSecret(fan.getEncodedPassword());

    return details;
}
}

从我的UserService获取的encodedPassword始终是糟糕的凭证，因为DaoAuthenticationProvider默认设置了PlaintextPasswordEncoder。

The encodedPassword that is taken from my UserService is always a bad Credential, as DaoAuthenticationProvider has a PlaintextPasswordEncoder set by default.

我在那里缺少什么？
是否可以在DaoAuthenticationProvider中设置用于检查凭据的密码编码器？或者我是否必须编写自己的AuthenticationProvider，它会按照我想要的方式进行检查？

What am i missing there?Is it possible to set the password encoder in the DaoAuthenticationProvider that is used for checking the credentials here? Or do I have to write my own AuthenticationProvider, that would check it the way i want?

推荐答案

我找到的解决方案问题是在上覆盖 configure AuthorizationServerConfigurerAdapter

The solution I found to the problem is to override configure on AuthorizationServerConfigurerAdapter

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.passwordEncoder(passwordEncoder);
}

这篇关于Spring Oauth2。密码编码器未在DaoAuthenticationProvider中设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！