将 WebSecurityConfigurerAdapter 与 Spring OAuth2 和 user-info-uri 结合使用
我创建了如下授权服务
@SpringBootApplication
@EnableAuthorizationServer
public class AuthorizationApplication {
...
}
有了这个application.properties
.
server.port=9000
security.oauth2.client.client-id=monederobingo
security.oauth2.client.client-secret=monederobingosecret
security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
security.oauth2.client.scope=company,client
然后,在一个单独的 spring boot 项目中,我创建了一个资源服务器.
Then, in a separate spring boot project I have created a Resource Server.
@SpringBootApplication
@EnableResourceServer
public class App {
...
}
有了这个application.properties
.
server.port=9090
spring.application.name=app
security.oauth2.resource.user-info-uri=http://localhost:9000/user
现在,如果我使用授权服务检索到的适当令牌发送像这样的 localhost:9090/api
请求,一切正常.
Now, everything works fine if I send a request like this localhost:9090/api
with the appropriate token that was retrieved by Authorization Service.
但是,我不想在向 localhost:9090/login
发送请求时发送此令牌.
However, I don't want to send this token when sending requests to localhost:9090/login
.
为此,我在我的资源服务器 spring boot 应用程序中创建了这个类.
For this I have created this class in my Resource server spring boot app.
@Configuration
public class SpringConfig extends WebSecurityConfigurerAdapter {
@Override protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.antMatchers("/api/**")
.authenticated();
}
}
现在我不需要发送任何令牌来向 /login
发送请求.
And now I don't need to send any token to send a request to /login
.
但是,当使用有效令牌向 /api
发送请求时,我现在收到以下消息.
However, I'm now geting the following message when sending request to /api
with a valid token.
{
"timestamp": 1496027102659,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/api/v1/points_configuration/314"
}
如何在 Spring Security OAuth2 中仅为少数 URL 模式配置安全性?
How can configure security for only a few URL patterns in Spring Security OAuth2?
有关 Spring OAuth 安全性的更多信息,请关注此:使用 OAuth 保护 Spring REST Api
为了在 Spring boot 中实现 OAuth Security,你必须创建 Authorization &通过分别从 AuthorizationServerConfigurerAdapter
和 ResourceServerConfigurerAdapter
扩展它们来实现资源服务器.
In order to implement OAuth Security in Spring boot, you have to create Authorization & Resource server by extending them from AuthorizationServerConfigurerAdapter
and ResourceServerConfigurerAdapter
respectively.
@Configuration
@EnableAuthorizationServer
public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.userDetailsService(userDetailsService)
.authenticationManager(this.authenticationManager).tokenStore(tokenStore()).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(mongoClientDetailsService);
/*inMemory()
.withClient(propertyResolver.getProperty(PROP_CLIENTID))
.scopes("read", "write")
.authorities("ROLE_CLIENT")
.authorizedGrantTypes("password", "refresh_token","client_credentials")
.secret(propertyResolver.getProperty(PROP_SECRET))
.accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));*/
}
//Do others stuff
}
资源服务器
您要使用 OAuth 保护的所有 Url 都应在此服务器配置中提及.它启用 Spring Security 过滤器,该过滤器使用传入的 OAuth2 令牌对请求进行身份验证.虽然大多数 WebSecurityConfigurerAdapter
扩展类用于基本安全配置,例如添加过滤器、允许不安全的 url 或实施会话策略等.
Resource Server
All the Url that you want to protect using OAuth should be mentioned in this server configuration. It enables a Spring Security filter that authenticates requests using an incoming OAuth2 token. While mostly WebSecurityConfigurerAdapter
extended class is used for basic security configuration like adding filters, allowing un-secure url or implementing session policies etc.
@Configuration
@EnableResourceServer
public class App extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/api/**").and().authorizeRequests()
.antMatchers("/api/**").authenticated();
}
//Do others stuff
}