Below is the complete walkthrough for "Solutions to Spring Security OAuth token expiration":
Solutions to Spring Security OAuth token expiration
Problem description
When you use Spring Security OAuth (the spring-security-oauth2 project), access tokens expire once their configured validity (accessTokenValiditySeconds) has elapsed. From then on the resource server refuses requests with HTTP 401 and an OAuth2 `invalid_token` error whose description reads "Access token expired", and the client can no longer reach protected resources. The two approaches below control how long tokens live and where they are stored. Keep in mind that expiry is the protection, not the bug: an access token is a bearer credential, so a very long lifetime means a leaked token stays usable for that whole period. The usual design is a short-lived access token plus a refresh token that the client exchanges for a new one.
Solutions
Method one: custom TokenService
Adjust the token lifetime by subclassing DefaultTokenServices. The base class already exposes setAccessTokenValiditySeconds and setRefreshTokenValiditySeconds and honours a per-client value from ClientDetails; a subclass is the place for lifetimes that depend on the request itself. The hook to override is getAccessTokenValiditySeconds(OAuth2Request), which DefaultTokenServices consults before it stores the token, so the stored token and the one handed to the client agree on the expiry.
Step one: define the custom TokenService
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;

public class CustomTokenService extends DefaultTokenServices {
    // Default access-token lifetime: 30 days. Change it per deployment through the setter.
    private int customTokenValiditySeconds = 60 * 60 * 24 * 30;

    public void setCustomTokenValiditySeconds(int customTokenValiditySeconds) {
        this.customTokenValiditySeconds = customTokenValiditySeconds;
    }

    // DefaultTokenServices calls this hook while building the token, before it writes the token
    // to the TokenStore, so the stored expiry and the expiry sent to the client are the same.
    // Overriding createAccessToken and returning a re-dated copy does not work: the copy is never
    // written to the store, so the resource server keeps validating against the original expiry.
    @Override
    protected int getAccessTokenValiditySeconds(OAuth2Request clientAuth) {
        return customTokenValiditySeconds;
    }
}
Step two: register the custom TokenService in the authorization server configuration
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private ClientDetailsService clientDetailsService;
    @Value("${security.jwt.client-id}")
    private String clientId;
    @Value("${security.jwt.client-secret}")
    private String clientSecret;
    @Autowired
    private TokenStore tokenStore;
    // JwtAccessTokenConverter implements both AccessTokenConverter and TokenEnhancer;
    // a plain AccessTokenConverter cannot be passed to setTokenEnhancer.
    @Autowired
    private JwtAccessTokenConverter accessTokenConverter;

    // Replace the DefaultTokenServices the endpoints would otherwise create with CustomTokenService
    @Bean
    public AuthorizationServerTokenServices tokenServices() {
        CustomTokenService customTokenService = new CustomTokenService();
        customTokenService.setTokenStore(tokenStore);
        customTokenService.setClientDetailsService(clientDetailsService); // per-client refresh settings
        customTokenService.setTokenEnhancer(accessTokenConverter);
        customTokenService.setSupportRefreshToken(true);
        customTokenService.setCustomTokenValiditySeconds(1800); // access token valid 30 minutes (class default is 30 days)
        customTokenService.setRefreshTokenValiditySeconds(1800); // refresh token valid 30 minutes; in practice make this longer than the access token, otherwise the client can never refresh
        return customTokenService;
    }

    // Without this the endpoints build their own DefaultTokenServices and ignore the bean above
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenServices(tokenServices())
                 .authenticationManager(authenticationManager); // required for the password grant
    }
    ...
}
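To see what the token services actually do across an expiry, here is an added, stand-alone example (not code from the original page): it drives DefaultTokenServices directly with an InMemoryTokenStore, issues a token with a two-second lifetime, shows loadAuthentication (the call the resource server's bearer-token filter makes) succeed and then fail with InvalidTokenException, and finally exchanges the refresh token for a new access token with refresh-token rotation enabled. It needs spring-security-oauth2 2.x and spring-security-core on the classpath; the client id test-client, user user1 and scope read are constructed here rather than obtained through /oauth/token.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

public class TokenExpiryDemo {

    // Same wiring as the authorization server, but with a deliberately short access-token
    // lifetime so the expiry can be observed in seconds rather than minutes.
    static DefaultTokenServices tokenServices(int accessValiditySeconds, int refreshValiditySeconds) {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(new InMemoryTokenStore());
        services.setSupportRefreshToken(true);
        services.setReuseRefreshToken(false); // rotate the refresh token on every use
        services.setAccessTokenValiditySeconds(accessValiditySeconds);
        services.setRefreshTokenValiditySeconds(refreshValiditySeconds);
        return services;
    }

    // Constructed stand-in for a successful password grant by client "test-client" for user "user1"
    // (hypothetical names; a real server builds this from the /oauth/token request).
    static OAuth2Authentication passwordGrantAuthentication() {
        Set<String> scope = new HashSet<>(Collections.singleton("read"));
        OAuth2Request request = new OAuth2Request(new HashMap<>(), "test-client",
                AuthorityUtils.createAuthorityList("ROLE_CLIENT"), true, scope,
                Collections.emptySet(), null, Collections.emptySet(), new HashMap<>());
        UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken(
                "user1", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new OAuth2Authentication(request, user);
    }

    public static void main(String[] args) throws InterruptedException {
        DefaultTokenServices services = tokenServices(2, 60);
        OAuth2Authentication auth = passwordGrantAuthentication();

        OAuth2AccessToken token = services.createAccessToken(auth);
        System.out.println("expires_in=" + token.getExpiresIn() + "s, refresh token issued: "
                + (token.getRefreshToken() != null));

        // Resource server side: loadAuthentication is what the bearer-token filter calls
        System.out.println("valid now, user=" + services.loadAuthentication(token.getValue()).getName());

        Thread.sleep(2500);
        try {
            services.loadAuthentication(token.getValue());
        } catch (InvalidTokenException e) {
            // This is the condition behind the 401 in the curl example ("Access token expired: ...")
            System.out.println("after expiry: " + e.getMessage());
        }

        // Client side: exchange the refresh token for a new access token instead of asking
        // the user for the password again. The TokenRequest must name the same client.
        TokenRequest refreshRequest = new TokenRequest(new HashMap<>(), "test-client",
                Collections.singleton("read"), "refresh_token");
        OAuth2AccessToken renewed = services.refreshAccessToken(token.getRefreshToken().getValue(), refreshRequest);
        System.out.println("renewed token valid, user=" + services.loadAuthentication(renewed.getValue()).getName());
        boolean rotated = !renewed.getRefreshToken().getValue().equals(token.getRefreshToken().getValue());
        System.out.println("refresh token rotated: " + rotated);
    }
}
```

The expired access token is removed from the store by loadAuthentication itself, so the follow-up refresh does not have to clean it up; with setReuseRefreshToken(false) the old refresh token is invalidated as well, which limits how long a stolen refresh token stays usable.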
Method two: store tokens in redis
Store the tokens in redis and let redis key expiry manage their lifetime. RedisTokenStore copies each token's expires_in into a TTL on the corresponding redis keys, so redis drops expired tokens on its own (a JdbcTokenStore only deletes an expired row when a client presents that token again). The lifetime itself is still decided by the token services; redis only does the cleanup. Two caveats: redis then holds every live access and refresh token, together with the serialized OAuth2Authentication behind it (JDK serialization by default), so anyone who can read the instance can replay any live token, and anyone who can write to it controls what the server deserializes. Put redis behind authentication (requirepass or ACLs), a private network and TLS, and never expose it to clients.
Step one: add the redis dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
Step two: change the authorization server configuration to store tokens in a RedisTokenStore (Spring Boot builds the RedisConnectionFactory from the spring.redis.* properties)
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private ClientDetailsService clientDetailsService;
    @Value("${security.jwt.client-id}")
    private String clientId;
    @Value("${security.jwt.client-secret}")
    private String clientSecret;
    @Autowired
    private RedisConnectionFactory redisConnectionFactory;

    // Replace the JdbcTokenStore with a RedisTokenStore. Each key gets a TTL equal to the token's
    // expires_in, so redis evicts expired tokens without a cleanup job.
    @Bean
    public TokenStore tokenStore() {
        RedisTokenStore tokenStore = new RedisTokenStore(redisConnectionFactory);
        // Key prefix, so the keys read auth:token:access:<token>, auth:token:refresh:<token>, ...
        // and can be listed with a single pattern (without it they are access:<token>, refresh:<token>, ...)
        tokenStore.setPrefix("auth:token:");
        return tokenStore;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        ...
    }
    ...
}
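The 401 in the curl examples only appears if the resource server validates tokens against the same store the authorization server writes to. As an added example (not from the original page), this is a resource-server configuration for the same Spring Boot application: it reuses the RedisTokenStore bean and replaces Spring's default {"error":"invalid_token",...} body with the {"code":401,"message":...,"data":null} envelope the examples show. The /api/** path comes from the curl examples; a separate resource-server process would need its own RedisTokenStore pointed at the same redis (or RemoteTokenServices calling /oauth/check_token) instead of the autowired bean.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // The RedisTokenStore bean the authorization server writes to. Validating against the shared
    // store is what makes a token that redis has already evicted fail with 401 here.
    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore)
                 .authenticationEntryPoint(jsonEntryPoint());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/**").authenticated(); // path taken from the curl examples
    }

    // Produces the {"code":401,"message":...,"data":null} body shown in the curl examples.
    // OAuth2AuthenticationProcessingFilter wraps the OAuth2Exception (InvalidTokenException for an
    // expired token) as the cause of the AuthenticationException passed in here.
    private AuthenticationEntryPoint jsonEntryPoint() {
        return (request, response, authException) -> {
            Throwable cause = authException.getCause();
            boolean badToken = cause instanceof InvalidTokenException;
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            // RFC 6750 challenge, so an OAuth-aware client knows to refresh rather than re-prompt
            response.setHeader("WWW-Authenticate", badToken ? "Bearer error=\"invalid_token\"" : "Bearer");
            // Fixed message on purpose: neither the token value nor the raw exception text is echoed back
            String message = badToken ? "Access token expired or invalid" : "Unauthorized";
            response.getWriter().write("{\"code\":401,\"message\":\"" + message + "\",\"data\":null}");
        };
    }
}
```

A request without any Authorization header never reaches the bearer filter's catch block, so its AuthenticationException has no OAuth2 cause and the entry point falls through to the plain "Unauthorized" branch.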
Examples
Example one: using the custom TokenService
# First token request; the access token expires after 30 minutes.
# Client credentials go in HTTP Basic (-u), not in the query string, where they would end up in access logs.
# (The password grant is kept because the page uses it; it hands the user's password to the client and is removed in OAuth 2.1.)
curl -X POST -u test-client:test-secret \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=password&username=user1&password=passw0rd" \
     "http://localhost:8080/oauth/token"
# Wait 30 minutes, then use the token against a protected resource
curl -H "Authorization: Bearer [token]" "http://localhost:8080/api/resource"
# Response (the application's own error envelope; Spring's default body is {"error":"invalid_token","error_description":"Access token expired: ..."}):
# {
#   "code": 401,
#   "message": "Unauthorized",
#   "data": null
# }
# While the refresh token is still valid, exchange it for a new access token instead of collecting the password again
curl -X POST -u test-client:test-secret \
     -d "grant_type=refresh_token&refresh_token=[refresh_token]" \
     "http://localhost:8080/oauth/token"
Example two: storing tokens in redis
# First token request; the access token expires after 30 minutes
curl -X POST -u test-client:test-secret \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=password&username=user1&password=passw0rd" \
     "http://localhost:8080/oauth/token"
# Check that the token is in redis. SCAN rather than KEYS: KEYS blocks the server while it walks the whole keyspace.
# The pattern assumes RedisTokenStore.setPrefix("auth:token:"); without a prefix the keys are access:<token>, refresh:<token>, ...
redis-cli --scan --pattern 'auth:token:*'
# RedisTokenStore sets a TTL equal to expires_in on each key, so the remaining lifetime is visible directly
redis-cli ttl "auth:token:access:[token]"
# Wait 30 minutes, then use the token against a protected resource
curl -H "Authorization: Bearer [token]" "http://localhost:8080/api/resource"
# Response:
# {
#   "code": 401,
#   "message": "Unauthorized",
#   "data": null
# }
# Check redis again: the keys are gone (TTL -2 means the key no longer exists); redis evicted them, no cleanup job needed
redis-cli --scan --pattern 'auth:token:*'
redis-cli ttl "auth:token:access:[token]"
Unless otherwise noted, articles on this site are original; if you reproduce this one, please credit the source: Solutions to Spring Security OAuth token expiration - Python技术站