Differences

This page shows the differences between two versions of the page. Every line of the 2016 revision shown below was removed in the 2023 revision.


java:spring:rest:auth_conflict_of_oauth2 [2016/01/26 20:27]
tony
java:spring:rest:auth_conflict_of_oauth2 [2023/06/25 09:48]
{{tag>java spring rest}}
====== Conflict when REST uses OAuth2 authentication ======
===== Problem =====
Our web app offers two interfaces, a Web Console and a REST API. We recently found that after a user logs in to the Web Console through the browser and then authenticates against the REST API, the Web Console session is logged out.
===== How to resolve? =====
Tracing showed the cause: at the position before PRE_AUTH_FILTER, the request passes through the OAuth2 resource-server filter:
<code xml>
<http name="api" pattern="/api/**" create-session="never">
    <intercept-url pattern="/api/**" access="ROLE_ADMIN" />

    <http-basic entry-point-ref="digestEntryPoint"/>
    <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
</http>
</code>
The OAuth2AuthenticationProcessingFilter source shows that if the request arrives already authenticated in the same session, this filter clears the SecurityContext:\\
{{:java:spring:rest:rest_oauth2_filter.png?600|}}\\
OAuth2AuthenticationProcessingFilter also exposes a stateless setting, which lets you stop it from clearing the context in this situation. From spring-security-oauth2 2.0.8 onward, the namespace configuration supports this attribute:
<code xml>
<oauth2:resource-server id="resourceServerFilter" stateless="false"
    token-services-ref="tokenServices" entry-point-ref="oauthAuthenticationEntryPoint"/>
</code>
With that set, a request passing through this filter without a token is left alone and simply continues on to the next filter instead of losing its existing authentication.
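To make the two behaviours concrete, here is an added, stand-alone Java model of the decision the resource-server filter makes; it is example code written for this page, not the wiki author's code and not the spring-security-oauth2 source. The class names (StatelessFilterDemo, SecurityContext, ResourceServerFilter), the lookupTokenOwner helper and the token value "api-token-1" are this example's own constructions; only the branching mirrors the filter behaviour described above: with no bearer token in the request, an already authenticated context is cleared only when stateless is true.

```java
// Added example: a minimal model of the stateless decision in the OAuth2 resource-server
// filter. Not library code; names and the token store are constructed for this demo.
import java.util.Optional;

public class StatelessFilterDemo {

    /** Stand-in for SecurityContextHolder: who the current thread believes is logged in. */
    static final class SecurityContext {
        String principal;                 // null means "not authenticated"
        boolean isAuthenticated() { return principal != null; }
        void clear() { principal = null; }
    }

    /** Stand-in for the resource-server filter; 'stateless' maps to the XML attribute. */
    static final class ResourceServerFilter {
        private final boolean stateless;
        ResourceServerFilter(boolean stateless) { this.stateless = stateless; }

        /**
         * Models doFilter(): with no bearer token, an already authenticated context is
         * cleared only when stateless is true; with a token, the context is replaced by
         * the token's owner (or cleared if the token is unknown). Returns the principal
         * left in the context when the request continues down the filter chain.
         */
        String doFilter(Optional<String> bearerToken, SecurityContext ctx) {
            if (!bearerToken.isPresent()) {
                if (stateless && ctx.isAuthenticated()) {
                    ctx.clear();          // the step that logs the Web Console session out
                }
                return ctx.principal;     // continue the chain with whatever is left
            }
            String owner = lookupTokenOwner(bearerToken.get());
            if (owner == null) {
                ctx.clear();              // invalid token: request is rejected, context cleared
            } else {
                ctx.principal = owner;    // valid token: token owner becomes the principal
            }
            return ctx.principal;
        }
    }

    /** Constructed token store standing in for tokenServices: one known token only. */
    static String lookupTokenOwner(String token) {
        return "api-token-1".equals(token) ? "api-client" : null;
    }

    public static void main(String[] args) {
        // Scenario 1: browser session authenticated as "alice", API call without a token,
        // default stateless=true -> context is cleared (the symptom from the Problem section).
        SecurityContext ctx1 = new SecurityContext();
        ctx1.principal = "alice";
        System.out.println("stateless=true,  no token : "
                + new ResourceServerFilter(true).doFilter(Optional.empty(), ctx1));

        // Scenario 2: same request with stateless=false -> alice's authentication survives.
        SecurityContext ctx2 = new SecurityContext();
        ctx2.principal = "alice";
        System.out.println("stateless=false, no token : "
                + new ResourceServerFilter(false).doFilter(Optional.empty(), ctx2));

        // Scenario 3: a bearer token is presented -> the token owner replaces the context.
        SecurityContext ctx3 = new SecurityContext();
        ctx3.principal = "alice";
        System.out.println("stateless=false, token    : "
                + new ResourceServerFilter(false).doFilter(Optional.of("api-token-1"), ctx3));
    }
}
```

Compile and run with `javac StatelessFilterDemo.java && java StatelessFilterDemo`; scenario 1 ends with no principal, scenario 2 keeps alice, scenario 3 yields the token owner. One consequence of stateless="false" worth keeping in mind: a request to /api/** that carries only the browser's session cookie is then accepted as that session's user, so the CSRF protection applied to the Web Console should cover the /api/** paths as well.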
===== Reference =====
  * [[https://github.com/spring-projects/spring-security-oauth/commit/36deb5e104f57e9c0740eeb717843c7f17f0af7c|OAuth2 library commit adding the stateless setting]]
  * [[http://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2/2.0.8.RELEASE|spring-security-oauth2 2.0.8 on Maven]]
  * [[http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/|REST Authentication using OAUTH 2.0 Resource Owner Password Flow protocol]]
  * [[http://my.oschina.net/guoxf1/blog?disp=2|Spring Java Config]]
  * [[http://csns.calstatela.edu/wiki/content/cysun/notes/spring_security_filters|Understand Spring Security Filters]]
  * [[https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java|OAuth2AuthenticationProcessingFilter.java]]