Differences
This shows the differences between two versions of the page.
java:spring:rest:auth_conflict_of_oauth2 [2016/01/26 20:27] tony
java:spring:rest:auth_conflict_of_oauth2 [2023/06/25 09:48]
{{tag>java spring rest}}
====== Conflict when REST uses OAuth2 authentication ======
===== Problem =====
Our web app exposes two interfaces: a Web Console and a REST API. We recently found that after logging in to the Web Console through a browser, authenticating against the REST API logs the Web Console session out.
===== How to resolve? =====
Tracing showed that the cause is the OAuth2 resource server filter, which is registered to run before PRE_AUTH_FILTER:
<code xml>
<http name="api" pattern="/api/**" create-session="never">
    <intercept-url pattern="/api/**" access="ROLE_ADMIN" />
    <http-basic entry-point-ref="digestEntryPoint"/>
    <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
</http>
</code>
The OAuth2AuthenticationProcessingFilter source shows that when a request carries no bearer token but the SecurityContext already holds an authentication (here, the browser session that logged in to the Web Console), the filter clears the SecurityContext:\\
{{:java:spring:rest:rest_oauth2_filter.png?600|}}\\
OAuth2AuthenticationProcessingFilter also offers a stateless setting that lets you keep the existing context instead of clearing it when this happens. From spring-security-oauth2 2.0.8 onward, the attribute can be set in the configuration file:
<code xml>
<oauth2:resource-server id="resourceServerFilter" stateless="false"
    token-services-ref="tokenServices" entry-point-ref="oauthAuthenticationEntryPoint"/>
</code>
With stateless="false", a token-less request passes through this filter to the next one without touching the existing SecurityContext, so the Web Console login survives.
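The same fix expressed in Spring Java config, as an added example that is not part of the original page: the `stateless(false)` call on `ResourceServerSecurityConfigurer` is the programmatic counterpart of the `stateless="false"` XML attribute above. The page's digest entry point and `digestFilter` are left out to keep the example focused; the package name, the class name `ApiResourceServerConfig`, and the `tokenServices` bean being defined elsewhere are assumptions, and the example assumes spring-security-oauth2 2.0.8 or later.

```java
package example.config; // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * Java-config equivalent of the <oauth2:resource-server stateless="false" ...>
 * element for the /api/** filter chain. Added example; not the page's own code.
 */
@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed to be declared as a bean elsewhere (the page's "tokenServices").
    @Autowired
    private ResourceServerTokenServices tokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Equivalent of entry-point-ref="oauthAuthenticationEntryPoint".
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();

        resources
            .tokenServices(tokenServices)
            .authenticationEntryPoint(entryPoint)
            // Default is stateless(true): a request with no bearer token causes
            // OAuth2AuthenticationProcessingFilter to clear any SecurityContext it
            // finds, which is what logged the Web Console session out.
            // stateless(false) leaves an existing context untouched and lets the
            // request continue down the chain.
            .stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Mirrors <http pattern="/api/**" create-session="never"> and the
        // <intercept-url pattern="/api/**" access="ROLE_ADMIN"/> rule.
        http
            .antMatcher("/api/**")
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
            .authorizeRequests()
                .antMatchers("/api/**").hasRole("ADMIN");
    }
}
```

Design note: with `stateless(false)` a request to /api/** that carries no bearer token but does carry the browser's session cookie is evaluated as that session's user, so the API chain now serves session-authenticated requests as well as token-authenticated ones; keep that in mind when deciding whether the rest of the /api/** chain (CSRF handling, for instance) should treat browser-originated requests the same way the Web Console chain does.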
===== Reference =====
  * [[https://github.com/spring-projects/spring-security-oauth/commit/36deb5e104f57e9c0740eeb717843c7f17f0af7c|oauth2 lib adds the stateless setting]]
  * [[http://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2/2.0.8.RELEASE|spring-security-oauth2 2.0.8 on Maven]]
  * [[http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/|REST Authentication using OAUTH 2.0 Resource Owner Password Flow protocol]]
  * [[http://my.oschina.net/guoxf1/blog?disp=2|Spring Java Config]]
  * [[http://csns.calstatela.edu/wiki/content/cysun/notes/spring_security_filters|Understand Spring Security Filters]]
  * [[https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java|OAuth2AuthenticationProcessingFilter.java]]