使用Spring Boot 1.3.2 (不带spring-cloud- AuthenticationSuccessHandler )和@EnableOAuth2Sso配置安全

Question

我们有一个Spring Boot 1.3.2/Webflow web应用程序，我们正在将其转换为使用SSO。我遵循了“将OAuth2应用程序从Spring Boot1.2迁移到1.3”博客中的步骤，让应用程序移交给我们的身份验证服务器进行身份验证，并让web应用程序使用令牌正确地填充其安全上下文。

唯一不起作用的部分是我们拥有的自定义身份验证成功处理程序，它在用户继续登录页面之前配置用户会话中的一些位。

目前，在扩展WebSecurityConfigurerAdapter的安全配置中，该配置如下所示

@Override
protected void configure(HttpSecurity http) throws Exception {
    // These are all the unprotected endpoints.
    http.authorizeRequests()
            .antMatchers(new String[] { "/", "/login", "/error",
                    "/loginFailed", "/static/**" })
            .permitAll();

    // Protect all the other endpoints with a login page.
    http.authorizeRequests().anyRequest()
            .hasAnyAuthority("USER", "ADMIN").and().formLogin().loginPage("/login").failureUrl("/loginFailed")
            .successHandler(customAuthenticationSuccessHandler()).and().logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    http.exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException {
            if (accessDeniedException instanceof CsrfException) {
                response.sendRedirect(request.getContextPath() + "/logout");
            }
        }
    });
}

我可以看到处理程序在启动期间被配置，但是一旦用户成功登录，它就再也不会被调用。我在这个主题上发现的所有问题都涉及到使用OAuth2SsoConfigurerAdapter，然而，由于我们不再使用spring-cloud-security，因此这个类不可用。

更新:我发现使用BeanPostProcessor可以做到这一点：

public static class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {

        @Override
        public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
            if (bean instanceof FilterChainProxy) {

                FilterChainProxy chains = (FilterChainProxy) bean;

                for (SecurityFilterChain chain : chains.getFilterChains()) {
                    for (Filter filter : chain.getFilters()) {
                        if (filter instanceof OAuth2ClientAuthenticationProcessingFilter) {
                            OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter = (OAuth2ClientAuthenticationProcessingFilter) filter;
                            oAuth2ClientAuthenticationProcessingFilter
                                    .setAuthenticationSuccessHandler(customAuthenticationSuccessHandler());
                        }
                    }
                }
            }
            return bean;
        }
    }

有没有更好的方法来配置它呢？

Answer 1

如果您遵循Dave Syers优秀的Spring boot oauth2 tutorial，那么您最终将得到一个返回ssoFilter的方法

我向此筛选器添加了一个setAuthenticationSuccessHandler

@Autowired
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;


private Filter ssoFilter() {
    OAuth2ClientAuthenticationProcessingFilter facebookFilter = new OAuth2ClientAuthenticationProcessingFilter("/login/facebook");
    OAuth2RestTemplate facebookTemplate = new OAuth2RestTemplate(facebook(), oauth2ClientContext);
    facebookFilter.setRestTemplate(facebookTemplate);
    facebookFilter.setTokenServices(new UserInfoTokenServices(facebookResource().getUserInfoUri(), facebook().getClientId()));
    facebookFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
    return facebookFilter;
} 

我的CustomAuthenticationSuccessHandler只是一个扩展了AuthenticationSuccessHandler的组件

@Component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
    //implementation
}

}