基于 Spring Security 4.2.x 和 Spring Security OAuth 2.3.x
在使用 Spring Security 配置 OAuth 2.0 时，需要多个 authenticationManager 来管理来自不同方向的认证：比如一个 clientAuthenticationManager 用来认证 client_id 和 client_secret，再配置另一个 authenticationManager 用来认证 username 和 password。
错误的配置方法:
<!-- authenticationManager for username and password -->
<!-- Do NOT use alias here!! Once a second <authentication-manager> is declared by id (below),
     this alias-only manager no longer handles the username/password authentication
     (see the explanation after the listing). -->
<!-- NOTE(review): in-memory demo accounts with hard-coded plaintext passwords; they exist only to
     illustrate the wiring problem and must not be copied into a real deployment. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service id="userDetailsService">
<security:user name="admin" password="111111" authorities="ROLE_USER" />
<security:user name="user" password="111111" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Client-side authentication manager -->
<!-- authenticationManager for client_id and client_secret -->
<!-- Declared by id. According to the text, when the other manager only has an alias this is the
     manager that ends up receiving every authentication request. clientDetailsUserDetailsService
     is defined elsewhere in the context (not shown here). -->
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
</security:authentication-manager>
发现这样配置之后认证不能通过：所有请求都由 clientAuthenticationManager 来认证。原因是用 id 命名的 clientAuthenticationManager 会覆盖用 alias 命名的 authenticationManager（实践证明 id 会覆盖 alias）。
解决方案
1. 对每个 <security:authentication-manager> 标签都使用 id 来指定 authenticationManager 的名称，这样就创建了两个不同的实例；使用方（如 <security:http> 以及 OAuth2 相关配置）应通过 authentication-manager-ref 显式引用各自的实例，避免再次落到默认的 authenticationManager 上：
<!-- In-memory user store backing the username/password manager below
     (same bean id as before, so existing user-service-ref/userDetailsService references still resolve). -->
<!-- NOTE(review): demo accounts with hard-coded plaintext passwords; replace with a real
     UserDetailsService and hashed passwords before using this outside a demo. -->
<security:user-service id="userDetailsService">
  <security:user name="admin" authorities="ROLE_USER" password="111111"/>
  <security:user name="user" authorities="ROLE_USER" password="111111"/>
</security:user-service>
<!-- authenticationManager for username and password, declared with id (not alias) -->
<security:authentication-manager id="authenticationManager" erase-credentials="true">
  <security:authentication-provider user-service-ref="userDetailsService"/>
</security:authentication-manager>
<!-- authenticationManager for client_id and client_secret -->
<!-- erase-credentials="true" is the ProviderManager default; written out so both managers read alike.
     clientDetailsUserDetailsService is defined elsewhere in the context (not shown). -->
<security:authentication-manager id="clientAuthenticationManager" erase-credentials="true">
  <security:authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
</security:authentication-manager>
2. 使用 Bean 方式创建：
<!-- In-memory demo accounts backing the username/password manager below. -->
<!-- NOTE(review): hard-coded plaintext passwords; acceptable for a demo, not for production. -->
<security:user-service id="userDetailsManager">
  <security:user name="admin" authorities="ROLE_USER" password="111111"/>
  <security:user name="user" authorities="ROLE_USER" password="111111"/>
</security:user-service>
<!-- authenticationManager for username and password, declared as a plain ProviderManager bean
     (solution 2 from the text) instead of the security namespace element -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
  <!-- ProviderManager(List<AuthenticationProvider> providers) -->
  <constructor-arg index="0">
    <list>
      <!-- NOTE(review): no passwordEncoder is configured on this provider, so it appears to fall back
           to a plaintext password comparison; confirm for the 4.2.x version in use and set an
           encoder (e.g. BCrypt) before storing real credentials. -->
      <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService">
          <ref bean="userDetailsManager"/>
        </property>
      </bean>
    </list>
  </constructor-arg>
</bean>
<!-- authenticationManager for client_id and client_secret -->
<!-- erase-credentials="true" is the ProviderManager default; written out so both managers read alike.
     clientDetailsUserDetailsService is defined elsewhere in the context (not shown). -->
<security:authentication-manager id="clientAuthenticationManager" erase-credentials="true">
  <security:authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
</security:authentication-manager>