到目前为止,我已经有了密码授予类型并且工作得很好。 最近我开始在我的项目中实现OAuth的授权码授予。我可以从服务器获取授权码。使用代码我再次能够获取访问 token 。
问题是我无法使用我的访问 token 访问资源服务器。每次我尝试访问任何资源时,我都会被重定向到 Spring 的默认 /login
页面。
下面是资源服务器:
@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter{
@Value("${security.oauth2.resource.id}")
private String resourceId;
@Bean
public JdbcTokenStore getTokenStore() {
return new JdbcTokenStore(dataSource);
}
@Autowired
private DataSource dataSource;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/oauth/**","/login","/").permitAll()
.anyRequest().authenticated();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(getTokenStore())
.resourceId(resourceId).stateless(false);
}
}
<小时/>
网络安全:
@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class CustomWebsecurity extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/oauth/**","/login","/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
}
<小时/>
授权服务器:
@Configuration
@EnableAuthorizationServer
@EnableOAuth2Sso
protected class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {
@Autowired
public AuthorizationApplication (ApplicationContext applicationContext, AuthenticationManager authenticationManager) {
this.passwordEncoder = applicationContext.getBean(PasswordEncoderImpl.class);
this.authenticationManager = authenticationManager;
}
private PasswordEncoder passwordEncoder;
private AuthenticationManager authenticationManager;
@Bean
protected AuthorizationCodeServices getAuthorizationCodeServices() {
return new JdbcAuthorizationCodeServices(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
AuthorizationCodeServices services = getAuthorizationCodeServices();
JdbcTokenStore tokenStore = getTokenStore();
endpoints
.userDetailsService(userDetailsService)
.authorizationCodeServices(services)
.authenticationManager(authenticationManager)
.tokenStore(tokenStore)
.approvalStoreDisabled();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
security.passwordEncoder(passwordEncoder);
}
}
<小时/>
该问题可能是由于 WebSecurity 类的某些配置不正确造成的。但是,我尝试了多种配置,但没有成功。
最佳答案
在 @dur 的一些指导下,我找到了解决方案。 Here's one of the culprits :
The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3
总而言之,我做了以下更改:
在
ResourceServer
以及AuthorizationServer
上使用@EnableOauth2Client
而不是@EnableOAuth2Sso
,因为后者给了我以下错误:java.lang.IllegalArgumentException: URI must not be null
删除了
CustomWebSecurity
并在ResourceServer
本身中进行了所有安全配置。通过将以下内容放入属性文件中来更改资源过滤器的过滤顺序:
security.oauth2.resource.filter-order = 3
安全配置中的一些基本更改。
这是我的 ResourceServer
类:
@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
@EnableOAuth2Sso
public class ResourceServer extends ResourceServerConfigurerAdapter{
@Value("${security.oauth2.resource.id}")
private String resourceId;
@Bean
public JdbcTokenStore getTokenStore() {
return new JdbcTokenStore(dataSource);
}
@Autowired
private DataSource dataSource;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requestMatchers().antMatchers(
"/protected_uri_1",
"/protected_uri_2",
"/protected_uri_3")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and().formLogin();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(getTokenStore())
.resourceId(resourceId);
}
}
关于java - 在 Spring 实现授权码授予时出现的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49094966/