文章/答案/技术大牛

发布

社区首页 >问答首页 >安全OAuth2单点关闭

问安全OAuth2单点关闭
EN

Stack Overflow用户

提问于 2018-11-26 07:25:22

回答 1查看 543关注 0票数 1

我有两个客户机(client1，client2)和一个OAuth (授权、资源)。

我想从一个客户端注销，而另一个客户端将被注销。我尝试过这个spring-boot-oauth2-single-sign-off-logout，但这只是注销--我的client1和client2还在登录！

然后，当我使用下面的代码时，我尝试撤销我的令牌：

String username = principal.getName();
Collection<OAuth2AccessToken> accessTokens = tokenStore.findTokensByClientIdAndUserName("client1", username);
accessTokens.forEach(a -> tokenServices.revokeToken(a.getValue()));

这段代码不起作用，甚至连client1都还在登录！当我看到我的redis是空的并且已经没有标记，但是我的client1仍然登录！怎么可能呢？

===========================================================================这里是我的配置：

Client - application.yml:

server:
  port: 8081
  servlet:
    context-path: /clt1

spring:
  application:
    name: client1

  thymeleaf: 
    cache: false

security:
  oauth2:
    client:
      client-id: client1 
      client-secret: secret1
      userAuthorizationUri: http://localhost:8000/oa/oauth/authorize
      access-token-uri: http://localhost:8000/oa/oauth/token
      scope: read, write
      #pre-established-redirect-uri: http://localhost:8081/clt1/callback 
      #registered-redirect-uri: http://localhost:8081/clt1/callback
      #use-current-uri: false 
    resource:
      user-info-uri: http://localhost:8000/oa/user 
      #jwt:
      #  key-uri: http://localhost:8000/oa/oauth/token_key 

logging:
  level:
    root: info

Client - SecurityConfig:

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable()
            .antMatcher("/**")
            .authorizeRequests()
            .antMatchers().permitAll()
            .anyRequest().authenticated()
            .and()
            .logout().logoutSuccessUrl("http://localhost:8000/oa/revokeClient").permitAll();
    }

}

Oauth - application.yml:

server:
  port: 8000
  servlet:
    context-path: /oa

spring:
  application:
    name: security

  redis:
    host: 127.0.0.1
    port: 6379

  thymeleaf: 
    cache: false

logging:
  level:
    root: info

Oauth - AuthorizationConfig:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient("client1")
            .secret(passwordEncoder.encode("secret1"))
            .scopes("read", "write")
            .redirectUris("http://localhost:8081/clt1/login")
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .autoApprove(true)
            .and()
            .withClient("client2")
            .secret(passwordEncoder.encode("secret2"))
            .scopes("read", "write")
            .redirectUris("http://localhost:8082/clt2/login")
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .autoApprove(true);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore);
    }

}

Oauth - ResourceConfig:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests().anyRequest().authenticated();
    }

}

Oauth - SecurityConfig:

@Configuration
@EnableWebSecurity
@Order(1)//SecurityConfig >> ResourceConfig
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .requestMatchers()
            .antMatchers("/loginPage", "/login**", "/registerPage", "/register", "/oauth/authorize", "/revokeClient")
            .and()
            .authorizeRequests()
            .antMatchers("/registerPage", "/register").permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin().loginPage("/loginPage").loginProcessingUrl("/login").permitAll();

    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/docs/**", "/fonts/**", "/img/**", "/js/**", "/plugins/**");
    }

}

Oauth -应用程序：

@SpringBootApplication
@Configuration
public class SsoDemoOauthApplication {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    private RedisConnectionFactory connectionFactory;

    @Bean
    public TokenStore tokenStore() {
        return new RedisTokenStore(connectionFactory);
    }

    public static void main(String[] args) {
        SpringApplication.run(SsoDemoOauthApplication.class, args);
    }

}

redis

token

spring-security-oauth2

java

spring-boot

回答 1

Stack Overflow用户

发布于 2018-12-04 22:26:42

我承认自己不太聪明，但是把

.logout().logoutSuccessUrl("http://localhost:8000/oa/logout").permitAll();

而不是

.logout().logoutSuccessUrl("http://localhost:8000/oa/revokeClient").permitAll();

在客户端应用的SecurityConfig中？有缺点吗？

票数 0

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/53476408

复制

相似问题

问安全OAuth2单点关闭
EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问安全OAuth2单点关闭EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问安全OAuth2单点关闭
EN