Coder Social home page Coder Social logo

spring-security-oauth2-learn's Introduction

spring-security-oauth2-learn

仓库说明

此项目用于学习Spring Security OAuth2,Demo使用的Api为5.2版本前的,现在提示已经废弃,ps:最初官方认为自己的授权服务器实现的太差就移除了,后来社区广泛需要授权服务器,官方又重新开发了`spring-security-oauth2-authorization-server

后续等官方授权服务器稳定后,本人会继续更新一个基于它的demo。相比此仓库的demo基于OAuth2.0实现,新的授权服务器是基于OAuth2.1协议的。

另外,本仓库均使用授权服务与资源服务分离的方式来编写demo,由于此二者放在同一服务时默认省了很多配置(资源服务器访问授权服务器进行校验token部分),对于后续应用会埋下许多坑,所以分离开来

基础演示demo功能说明

基础Demo均使用内存保存token,仅用于测试

  • authorization-code : 授权码模式

  • client-credentials : 客户端模式

  • implicit: 隐式模式(简化模式)

  • password: 密码模式

client端对接demo

  • authorization-code/authorization-code-client-resttemplate-jdbc : 使用RestTemplate和数据库实现的授权码模式手动对接客户端,token保存到数据库
  • uaa-interface-adapter-demo : 使用OAuth2提供的工具类,实现的客户端模式与密码模式的登录功能适配,也可以作为不显示使用/oauth/token端点的适配层,提升代码灵活性
  • client-credentials/client-credentials-client: 实现一个客户端,如果调用其它服务的请求头中没有登录标识,使用客户端模式获取token,调用其它服务

JWT

使用rsa非对称加密,对称加密请参考本目录之前的提交

  • jwt-authorization-server : 添加JWT实现token的授权服务器,这里开启了授权码与密码模式,支持refresh_token
  • jwt-resource-server:资源服务器,本地校验jwt token,解析出用户信息

使用Redis存储token

  • redis-token-saved-authorization-server : 使用password与授权码模式,支持刷新token的授权服务器,token保存到redis中
  • redis-token-saved-resource-server : 使用redis校验token的资源服务器

spring-security-oauth2-learn's People

Contributors

hellxz avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

machao0711 lyz4455 zllisme kenkychao lilun01 hyy0503 yinruisheng a1924x2018 fengkaiping1994 huangliangliang 292427558 leator-lin yanglongyu biantongtong scalaaaaaa amassx lp0822 hejun5448 wenxuejiang610 gougou1993 al8640 gdn-abocide xiazhijiang rkkpersonal starcloudmountain xiaodaie wangzhi0571 chenliqiang1106 zhuqingze utscgeorge springmvc2006 javaknow dongxingqiang subiao fengjidong wxx213 captainjob heffie199 lqnasa yuweni99 nanxia-xhy zengxianshu0910 hpwei yong273 2540461056 percy0601 luoxiangxing helloketty macardenas0810 axl-zhang baobaolong0201 when2016 zqn2069 wangenlu charygao csrecord fanliunian

spring-security-oauth2-learn's Issues

同学,您这个项目引入了63个开源组件,存在19个漏洞,辛苦升级一下

检测到 hellxz/spring-security-oauth2-learn 一共引入了63个开源组件,存在19个漏洞

漏洞标题:Fastjson <=1.2.68 远程代码执行漏洞
缺陷组件:com.alibaba:[email protected]
漏洞编号:
漏洞描述:Fastjson 是Java语言实现的快速JSON解析和生成器,在<=1.2.68的版本中攻击者可通过精心构造的JSON请求,远程执行恶意代码。
漏洞原因:
Fastjson采用黑白名单的方法来防御反序列化漏洞,导致当黑客不断发掘新的反序列化Gadgets类时,发现在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制,造成远程命令执行漏洞。
国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2020-30827
影响范围:(∞, 1.2.69)
最小修复版本:1.2.69
缺陷组件引入路径:com.github.hellxz:[email protected]>com.alibaba:[email protected]

另外还有19个漏洞,详细报告:https://mofeisec.com/jr?p=ib0b35

issues

请问博主的回调请求callback不用放行拦截请求的吗
以及在资源服务器中怎么拿到token在请求头中没有看到有token的标识

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.