基于 spring boot 1.5.x 的项目,使用 webmvc + security + oauth2。 集成 fastjson 前,使用缺省的 jackson,.../oauth/token 获取的响应中 token 名称是 access_token : xxxxxxx,和 spring 文档一致。 集成 fastjson 后,.../oauth/token 获取的响应中 token 名称变成 value : xxxxxxx,且其他字段名及格式均有变化,如果服务器发生异常,甚至会把 exception stack 全部返回,与 spring 文档不一致。
如何才能使spring oauth在使用 fastjson 和 jackson 时返回的 token 格式一致呢?
fastjson配置发出来, 错误的json和正确的也发出来。
# 集成 fastjson 的配置如下: @Configuration public class WebMvcConfigurer extends WebMvcConfigurerAdapter { ... /**
使用 FastJson 替换 Jackson @param converters */ @Override public void configureMessageConverters(List<HttpMessageConverter<?>> converters) { FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter(); FastJsonConfig config = new FastJsonConfig(); config.setSerializerFeatures( SerializerFeature.DisableCircularReferenceDetect ); converter.setFastJsonConfig(config); converters.add(converter); log.info("FastJSON enabled"); } ... }# /oauth/token 获取到的报文如下(其中 value 即是 access token): { "expiration": 1513752144897, "expired": false, "expiresIn": 604799, "refreshToken": { "expiration": 1515739344897, "value": "dae50004-939c-40f2-98d8-4882374e08c7" }, "scope": [ "api" ], "tokenType": "bearer", "value": "1e2c4181-01be-4aa1-8042-c2d2f74008d0" }
# 而不集成 fastjson 时,获取到的报文如下: { "access_token": "d83156d4-cec3-4aa9-b9dc-78612ce3cd92", "token_type": "bearer", "refresh_token": "37d7638a-8ee2-4a74-8194-cf9673ab1689", "expires_in": 604799, "scope": "api" }
多谢!
这个bug我也遇到了,目前是把FastJsonHttpMessageConverter去掉了。
请问这个问题解决了吗?
You can Autowired ObjectMapper
Just like this:
@Component
public class ***AuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private final ObjectMapper objectMapper;
@Autowired
public **AuthenticationSuccessHandler(
ObjectMapper objectMapper) {
this.objectMapper = objectMapper;
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
***
response.getWriter().write(objectMapper.writeValueAsString(oAuth2AccessToken));
}
}我也遇到了,这个问题怎么解决呢? 现在我是在每个spring boot项目的启动文件中单独设置。
貌似还没解决,就因为这个,换回去用 jackson 了
我也遇到了,目前只能把FastJsonHttpMessageConverter先去掉
可以考虑手动生成token流程,并在最后序列化的时候使用Jackson的ObjectMapper进行序列化并返回给客户端。(之前我的回复过于模糊,实在抱歉)
import java.io.IOException;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.MapUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
/**
* authentication success handler.
*
* @author johnniang
*
*/
@Component
public class ***AuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private Logger logger = LoggerFactory.getLogger(getClass());
private String credentialsCharset = "UTF-8";
private final ClientDetailsService clientDetailsService;
private final AuthorizationServerTokenServices authorizationServerTokenServices;
private final PasswordEncoder passwordEncode;
private final ObjectMapper objectMapper;
@Autowired
public ***AuthenticationSuccessHandler(ClientDetailsService clientDetailsService,
AuthorizationServerTokenServices authorizationServerTokenServices, PasswordEncoder passwordEncode,
ObjectMapper objectMapper) {
this.clientDetailsService = clientDetailsService;
this.authorizationServerTokenServices = authorizationServerTokenServices;
this.passwordEncode = passwordEncode;
this.objectMapper = objectMapper;
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
logger.info("login successfully.");
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Basic ")) {
throw new UnapprovedClientAuthenticationException("There is not client information.");
}
String[] tokens = extractAndDecodeHeader(header, request);
assert tokens.length == 2;
String clientId = tokens[0];
String clientSecret = tokens[1];
if (logger.isDebugEnabled()) {
logger.debug("Client Id : {}", clientId);
logger.debug("Client Secret : {}", clientSecret);
}
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
if (clientDetails == null) {
throw new UnapprovedClientAuthenticationException("Client information was not found: " + clientId);
}
if (!passwordEncode.matches(clientSecret, clientDetails.getClientSecret())) {
throw new UnapprovedClientAuthenticationException("Client secret was not matched: " + clientId);
}
@SuppressWarnings("unchecked")
TokenRequest tokenRequest = new TokenRequest(MapUtils.EMPTY_SORTED_MAP, clientId, clientDetails.getScope(),
"custom");
// create a OAuth2Request
OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails);
// create a OAuth2Authentication
OAuth2Authentication oAuth2Authorization = new OAuth2Authentication(oAuth2Request, authentication);
// produce a token
OAuth2AccessToken oAuth2AccessToken = authorizationServerTokenServices.createAccessToken(oAuth2Authorization);
response.setStatus(HttpStatus.OK.value());
response.setContentType("application/json;charset=UTF-8");
// write date as timestamp
objectMapper.enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
response.getWriter().write(objectMapper.writeValueAsString(oAuth2AccessToken));
}
/**
* Decodes the header into a username and password.
*
* @throws BadCredentialsException
* if the Basic header is not present or is not valid Base64
*/
private String[] extractAndDecodeHeader(String header, HttpServletRequest request) throws IOException {
byte[] base64Token = header.substring(6).getBytes("UTF-8");
byte[] decoded;
try {
decoded = Base64.getDecoder().decode(base64Token);
} catch (IllegalArgumentException e) {
throw new BadCredentialsException("Failed to decode basic authentication token");
}
String token = new String(decoded, credentialsCharset);
int delim = token.indexOf(":");
if (delim == -1) {
throw new BadCredentialsException("Invalid basic authentication token");
}
return new String[] { token.substring(0, delim), token.substring(delim + 1) };
}
}/**
* OAuth2 resource server config
*
* @author johnniang
*
*/
@Component
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
private final AuthenticationSuccessHandler authenticationSuccessHandler;
public OAuth2ResourceServerConfig(
AuthenticationSuccessHandler authenticationSuccessHandler)
this.authenticationSuccessHandler = authenticationSuccessHandler;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http //
.formLogin() //
.loginProcessingUrl("/login") //
.successHandler(authenticationSuccessHandler) //
.permitAll() //
.and() //
.logout() //
***
}
}希望能够解决你们的问题
我也碰到这类问题,最后通过fastjson 自定了一个SerializeFilter进行处理DefaultOAuth2AccessToken的序列化
public class CustomSerializeFilter extends BeforeFilter implements PropertyPreFilter {
@Override
public void writeBefore(Object object) {
/**
* DefaultOAuth2AccessToken 默认格式
* {
* "access_token": "763d17ee-7847-4d8b-b3e8-207110d094c9",
* "token_type": "bearer",
* "refresh_token": "68d85c17-e817-4582-95dd-169dce4a3264",
* "expires_in": 7199,
* "scope": "read write"
* }
*/
if (object instanceof DefaultOAuth2AccessToken) {
DefaultOAuth2AccessToken accessToken = (DefaultOAuth2AccessToken) object;
writeKeyValue("access_token", accessToken.getValue());
writeKeyValue("token_type", accessToken.getTokenType());
writeKeyValue("refresh_token", accessToken.getRefreshToken().getValue());
writeKeyValue("expires_in", accessToken.getExpiresIn());
writeKeyValue("scope", String.join(" ", accessToken.getScope()));
}
}
@Override
public boolean apply(JSONSerializer serializer, Object object, String name) {
// DefaultOAuth2AccessToken、DefaultExpiringOAuth2RefreshToken
// 原先的所有属性都不进行序列化
return !(object instanceof DefaultOAuth2AccessToken
|| object instanceof DefaultExpiringOAuth2RefreshToken);
}
}FastJsonHttpMessageConverter中加入自定义的SerializeFilter 后面又发现FormOAuth2AccessTokenMessageConverter的实现,可以把这个加进去测试一下
这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
已经提供了解决方案,将FormOAuth2AccessTokenMessageConverter这个加入HttpMessageConverter中即可
这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
已经提供了解决方案,将FormOAuth2AccessTokenMessageConverter这个加入HttpMessageConverter中即可
你好,可以详细讲一下。如何把这个FormOAuth2AccessTokenMessageConverter 加到 HttpMessageConverter中的方案吗?非常感谢
这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
已经提供了解决方案,将FormOAuth2AccessTokenMessageConverter这个加入HttpMessageConverter中即可
你好,可以详细讲一下。如何把这个FormOAuth2AccessTokenMessageConverter 加到 HttpMessageConverter中的方案吗?非常感谢
不好意思,当时我看错了,这段时间比较忙没看这个问题,你需要自行写个HttpMessageConverter来转换OAuth2AccessToken,fastjson本身也意识到这个问题,但是FormOAuth2AccessTokenMessageConverter这个类的writeInternal方法没有进行实现,你需要自行实现转换
public class OAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<OAuth2AccessToken> {
private final FastJsonHttpMessageConverter delegateMessageConverter;
public OAuth2AccessTokenMessageConverter() {
super(MediaType.APPLICATION_JSON);
this.delegateMessageConverter = new FastJsonHttpMessageConverter();
}
@Override
protected boolean supports(Class<?> clazz) {
return OAuth2AccessToken.class.isAssignableFrom(clazz);
}
@Override
protected OAuth2AccessToken readInternal(Class<? extends OAuth2AccessToken> clazz, HttpInputMessage inputMessage)
throws IOException, HttpMessageNotReadableException {
throw new UnsupportedOperationException(
"This converter is only used for converting from externally aqcuired form data");
}
@Override
protected void writeInternal(OAuth2AccessToken accessToken, HttpOutputMessage outputMessage) throws IOException,
HttpMessageNotWritableException {
Map<String, Object> data = new HashMap<>(8);
data.put(OAuth2AccessToken.ACCESS_TOKEN, accessToken.getValue());
data.put(OAuth2AccessToken.TOKEN_TYPE, accessToken.getTokenType());
data.put(OAuth2AccessToken.EXPIRES_IN, accessToken.getExpiresIn());
data.put(OAuth2AccessToken.SCOPE, String.join(" ", accessToken.getScope()));
OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
if (Objects.nonNull(refreshToken)) {
data.put(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());
}
delegateMessageConverter.write(data, MediaType.APPLICATION_JSON, outputMessage);
}
}加入MessageConverters
@Configuration
public class Oauth2WebMvcConfigurer implements WebMvcConfigurer {
@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(0, new FastJsonHttpMessageConverter());
converters.add(0, new OAuth2AccessTokenMessageConverter());
}
}你可以参考OAuth2AccessToken这个序列化类OAuth2AccessTokenJackson2Serializer进行编写相应的代码
这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
已经提供了解决方案,将FormOAuth2AccessTokenMessageConverter这个加入HttpMessageConverter中即可
你好,可以详细讲一下。如何把这个FormOAuth2AccessTokenMessageConverter 加到 HttpMessageConverter中的方案吗?非常感谢
不好意思,当时我看错了,这段时间比较忙没看这个问题,你需要自行写个HttpMessageConverter来转换OAuth2AccessToken,fastjson本身也意识到这个问题,但是FormOAuth2AccessTokenMessageConverter这个类的writeInternal方法没有进行实现,你需要自行实现转换
public class OAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<OAuth2AccessToken> {
private final FastJsonHttpMessageConverter delegateMessageConverter;
public OAuth2AccessTokenMessageConverter() {
super(MediaType.APPLICATION_JSON);
this.delegateMessageConverter = new FastJsonHttpMessageConverter();
}
@Override
protected boolean supports(Class<?> clazz) {
return OAuth2AccessToken.class.isAssignableFrom(clazz);
}
@Override
protected OAuth2AccessToken readInternal(Class<? extends OAuth2AccessToken> clazz, HttpInputMessage inputMessage)
throws IOException, HttpMessageNotReadableException {
throw new UnsupportedOperationException(
"This converter is only used for converting from externally aqcuired form data");
}
@Override
protected void writeInternal(OAuth2AccessToken accessToken, HttpOutputMessage outputMessage) throws IOException,
HttpMessageNotWritableException {
Map<String, Object> data = new HashMap<>(8);
data.put(OAuth2AccessToken.ACCESS_TOKEN, accessToken.getValue());
data.put(OAuth2AccessToken.TOKEN_TYPE, accessToken.getTokenType());
data.put(OAuth2AccessToken.EXPIRES_IN, accessToken.getExpiresIn());
data.put(OAuth2AccessToken.SCOPE, String.join(" ", accessToken.getScope()));
OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
if (Objects.nonNull(refreshToken)) {
data.put(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());
}
delegateMessageConverter.write(data, MediaType.APPLICATION_JSON, outputMessage);
}
}加入MessageConverters
@Configuration
public class Oauth2WebMvcConfigurer implements WebMvcConfigurer {
@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(0, new FastJsonHttpMessageConverter());
converters.add(0, new OAuth2AccessTokenMessageConverter());
}
}你可以参考OAuth2AccessToken这个序列化类OAuth2AccessTokenJackson2Serializer进行编写相应的代码
扩展下,上面问题回答针对的只是OAuth2AccessToken,如果我们的项目还有其他的http请求需要处理,则需要修改上面的转换器,只处理token的回执保持兼容,其他请求的回执仍然保持原样
public class OAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<Object> { //这里替换成Object
@Override
protected Object readInternal(Class<? extends OAuth2AccessToken> clazz, HttpInputMessage inputMessage)
throws IOException, HttpMessageNotReadableException {
//需要写自己的转换规则
}
@Override
protected void writeInternal(Object t, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
String jsonString = JSON.toJSONString(t);
if (t instanceof DefaultOAuth2AccessToken) {
DefaultOAuth2AccessToken oAuth2AccessToken = JSON.parseObject(jsonString, DefaultOAuth2AccessToken.class);
Map<String, Object> data = new HashMap<>(8);
data.put(OAuth2AccessToken.ACCESS_TOKEN, oAuth2AccessToken.getValue());
data.put(OAuth2AccessToken.TOKEN_TYPE, oAuth2AccessToken.getTokenType());
data.put(OAuth2AccessToken.EXPIRES_IN, oAuth2AccessToken.getExpiresIn());
data.put(OAuth2AccessToken.SCOPE, String.join(" ", oAuth2AccessToken.getScope()));
//获取refreshToken
JSONObject jsonObject = JSON.parseObject(jsonString);
String refreshTokenString = jsonObject.getString("refreshToken");
if (Objects.nonNull(refreshTokenString)) {
data.put(OAuth2AccessToken.REFRESH_TOKEN, JSONObject.parseObject(refreshTokenString).getString("value"));
}
jsonString = JSON.toJSONString(data);
}
StreamUtils.copy(jsonString, DEFAULT_CHARSET, outputMessage.getBody());
}
}这个就太坑了 如果这样改 后续岂不是还有很多其他错误可能发生?有一套整体的解决方案不
已经提供了解决方案,将FormOAuth2AccessTokenMessageConverter这个加入HttpMessageConverter中即可
你好,可以详细讲一下。如何把这个FormOAuth2AccessTokenMessageConverter 加到 HttpMessageConverter中的方案吗?非常感谢
不好意思,当时我看错了,这段时间比较忙没看这个问题,你需要自行写个HttpMessageConverter来转换OAuth2AccessToken,fastjson本身也意识到这个问题,但是FormOAuth2AccessTokenMessageConverter这个类的writeInternal方法没有进行实现,你需要自行实现转换
public class OAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<OAuth2AccessToken> {
private final FastJsonHttpMessageConverter delegateMessageConverter;
public OAuth2AccessTokenMessageConverter() {
super(MediaType.APPLICATION_JSON);
this.delegateMessageConverter = new FastJsonHttpMessageConverter();
}
@Override
protected boolean supports(Class<?> clazz) {
return OAuth2AccessToken.class.isAssignableFrom(clazz);
}
@Override
protected OAuth2AccessToken readInternal(Class<? extends OAuth2AccessToken> clazz, HttpInputMessage inputMessage)
throws IOException, HttpMessageNotReadableException {
throw new UnsupportedOperationException(
"This converter is only used for converting from externally aqcuired form data");
}
@Override
protected void writeInternal(OAuth2AccessToken accessToken, HttpOutputMessage outputMessage) throws IOException,
HttpMessageNotWritableException {
Map<String, Object> data = new HashMap<>(8);
data.put(OAuth2AccessToken.ACCESS_TOKEN, accessToken.getValue());
data.put(OAuth2AccessToken.TOKEN_TYPE, accessToken.getTokenType());
data.put(OAuth2AccessToken.EXPIRES_IN, accessToken.getExpiresIn());
data.put(OAuth2AccessToken.SCOPE, String.join(" ", accessToken.getScope()));
OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
if (Objects.nonNull(refreshToken)) {
data.put(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());
}
delegateMessageConverter.write(data, MediaType.APPLICATION_JSON, outputMessage);
}
}加入MessageConverters
@Configuration
public class Oauth2WebMvcConfigurer implements WebMvcConfigurer {
@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
converters.add(0, new FastJsonHttpMessageConverter());
converters.add(0, new OAuth2AccessTokenMessageConverter());
}
}你可以参考OAuth2AccessToken这个序列化类OAuth2AccessTokenJackson2Serializer进行编写相应的代码
扩展下,上面问题回答针对的只是OAuth2AccessToken,如果我们的项目还有其他的http请求需要处理,则需要修改上面的转换器,只处理token的回执保持兼容,其他请求的回执仍然保持原样
public class OAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<Object> { //这里替换成Object
@Override
protected Object readInternal(Class<? extends OAuth2AccessToken> clazz, HttpInputMessage inputMessage)
throws IOException, HttpMessageNotReadableException {
//需要写自己的转换规则
}
@Override
protected void writeInternal(Object t, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
String jsonString = JSON.toJSONString(t);
if (t instanceof DefaultOAuth2AccessToken) {
DefaultOAuth2AccessToken oAuth2AccessToken = JSON.parseObject(jsonString, DefaultOAuth2AccessToken.class);
Map<String, Object> data = new HashMap<>(8);
data.put(OAuth2AccessToken.ACCESS_TOKEN, oAuth2AccessToken.getValue());
data.put(OAuth2AccessToken.TOKEN_TYPE, oAuth2AccessToken.getTokenType());
data.put(OAuth2AccessToken.EXPIRES_IN, oAuth2AccessToken.getExpiresIn());
data.put(OAuth2AccessToken.SCOPE, String.join(" ", oAuth2AccessToken.getScope()));
//获取refreshToken
JSONObject jsonObject = JSON.parseObject(jsonString);
String refreshTokenString = jsonObject.getString("refreshToken");
if (Objects.nonNull(refreshTokenString)) {
data.put(OAuth2AccessToken.REFRESH_TOKEN, JSONObject.parseObject(refreshTokenString).getString("value"));
}
jsonString = JSON.toJSONString(data);
}
StreamUtils.copy(jsonString, DEFAULT_CHARSET, outputMessage.getBody());
}
}为啥要修改转换器,再写一个转换器就行了,你这个才要修改加上判断逻辑