I. What are the steps to reproduce the problem?
1. I rewrote the login interface; it returns the token and the user information normally.
2. Right after logging in, the requests for the route list and the top menu both come back empty.
3. As a result, the subsequent requests to the business-dictionary and system-dictionary interfaces fail authentication with 401. The screenshot shows dictionary data being returned normally only because I added those two interfaces to SKIP_URL.
II. What result did you expect, and what did you actually see?
What I expected: the route information is returned normally.
III. Which product and version are you using, and on which operating system?
I am using blade-x-3.0.1.RELEASE.
IV. Please provide the detailed error stack trace; this is important.
There is no related error log at the moment. The route response simply carries no data.
V. If you have more details, please provide them below.
Your token is not being parsed by the subsequent interfaces. Is it because of your rewritten login method, i.e. the token is not a JWT?
To avoid sensitive words in the interfaces, as required by a security assessment, I rewrote the authentication part of the oauth/token interface and modified blade-auth/src...auth/granter/BladeTokenGranter.java as follows:
/*
 * Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * Neither the name of the dreamlu.net developer nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 * Author: Chill 庄骞 (smallchill@163.com)
 */
package org.springblade.auth.granter;

import org.springblade.core.redis.cache.BladeRedis;
import org.springblade.core.social.props.SocialProperties;
import org.springblade.system.user.feign.IUserClient;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.TokenGranter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Custom extended TokenGranter
 *
 * @author Chill
 */
public class BladeTokenGranter {

    /**
     * Custom tokenGranter
     */
    public static TokenGranter getTokenGranter(final AuthenticationManager authenticationManager, final AuthorizationServerEndpointsConfigurer endpoints, BladeRedis bladeRedis, IUserClient userClient, SocialProperties socialProperties) {
        // --------------------- start of modified section ---------------------
        // Default tokenGranter set. Copied into a mutable ArrayList because
        // Collections.singletonList() is immutable and removeAll() would throw on a match.
        List<TokenGranter> tokenGranters = new ArrayList<>(Collections.singletonList(endpoints.getTokenGranter()));
        // Filter by the fully qualified class name. getClass().getName() is used because
        // getClass().toString() is prefixed with "class " and would never match.
        // Note that endpoints.getTokenGranter() returns a CompositeTokenGranter, so this
        // filter never matches it, and tokenGranters is not added to the composite below:
        // only the custom granters are registered.
        List<TokenGranter> removable = tokenGranters.stream()
            .filter(tokenGranter -> tokenGranter.getClass().getName().equals("org.springframework.security.oauth2.provider.password.ResourceOwnerSecurityWordTokenGranter"))
            .collect(Collectors.toList());
        tokenGranters.removeAll(removable);
        List<TokenGranter> granters = new ArrayList<>();
        // Custom password verification (grant type "secword")
        granters.add(new ResourceOwnerSecurityWordTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        // --------------------- end of modified section ---------------------
        // Add the captcha mode
        granters.add(new CaptchaTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), bladeRedis));
        // Add the third-party (social) login mode
        granters.add(new SocialTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), userClient, socialProperties));
        // Combine into one tokenGranter
        return new CompositeTokenGranter(granters);
    }
}
I added ResourceOwnerSecurityWordTokenGranter.java under blade-auth/src...auth/granter/, with the following code.
package org.springblade.auth.granter;

import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Copy of ResourceOwnerPasswordTokenGranter with the grant type and the
 * username/password request parameter names renamed.
 */
public class ResourceOwnerSecurityWordTokenGranter extends ResourceOwnerPasswordTokenGranter {

    private static final String GRANT_TYPE = "secword"; // renamed grant type

    private final AuthenticationManager authenticationManager;

    public ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
        this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
    }

    protected ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
        super(authenticationManager, tokenServices, clientDetailsService, requestFactory, grantType);
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        Map<String, String> parameters = new LinkedHashMap<>(tokenRequest.getRequestParameters());
        String username = parameters.get("secuser"); // renamed "username" parameter
        String password = parameters.get("secword"); // renamed "password" parameter

        // Protect from downstream leaks of password
        parameters.remove("secword");

        Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
        ((AbstractAuthenticationToken) userAuth).setDetails(parameters);
        try {
            userAuth = authenticationManager.authenticate(userAuth);
        } catch (AccountStatusException ase) {
            // covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
            throw new InvalidGrantException(ase.getMessage());
        } catch (BadCredentialsException e) {
            // If the username/password are wrong the spec says we should send 400/invalid grant
            throw new InvalidGrantException(e.getMessage());
        }
        if (userAuth == null || !userAuth.isAuthenticated()) {
            throw new InvalidGrantException("Could not authenticate user: " + username);
        }

        OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
        return new OAuth2Authentication(storedOAuth2Request, userAuth);
    }
}
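The maintainer's reply above asks whether the token produced by the rewritten login is still a JWT. The script below is an added diagnostic example, not code from this thread or from BladeX: it checks whether a bearer token has compact JWT structure, lists which expected claims are absent, and verifies an HS256 signature with a known secret while pinning the algorithm. The secret, the claim names (user_name, tenant_id, exp) and the opaque sample token are constructed assumptions for the demo, not BladeX values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # restore the stripped padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_token(token: str, required_claims=frozenset()) -> dict:
    """Report whether a token is structurally a JWT and which expected claims are missing.

    The signature is NOT checked here; use verify_hs256() for that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"is_jwt": False,
                "reason": f"expected 3 dot-separated segments, got {len(parts)}"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return {"is_jwt": False, "reason": f"segment is not base64url-encoded JSON: {exc}"}
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return {"is_jwt": False, "reason": "header/payload are not JSON objects with an alg"}
    return {"is_jwt": True, "alg": header["alg"], "claims": claims,
            "missing": sorted(set(required_claims) - set(claims))}


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 signature with a known secret.

    The algorithm is pinned to HS256 rather than read from the header, so a
    token claiming alg "none" or an asymmetric alg is rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        given = _b64url_decode(sig)
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


# Constructed sample values; not BladeX keys, claim names or tokens
SECRET = b"constructed-demo-secret"
REQUIRED_CLAIMS = {"user_name", "tenant_id", "exp"}
SAMPLE_JWT = make_hs256_jwt({"user_name": "demo", "tenant_id": "000000", "exp": 1700000000}, SECRET)
OPAQUE_TOKEN = "9f1c4e0a7b2d4c1e8a3f"  # stand-in for a token that is not a JWT at all


if __name__ == "__main__":
    for tok in (SAMPLE_JWT, OPAQUE_TOKEN):
        print(inspect_token(tok, REQUIRED_CLAIMS))
    print("signature ok:", verify_hs256(SAMPLE_JWT, SECRET))
```

Paste the token returned by the rewritten oauth/token call into inspect_token() with the claim names your resource servers actually read: a one-segment result means the token is opaque rather than a JWT, while a JWT with entries in "missing" points at claims the token enhancer did not populate.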