java - 在 Spring 实现授权码授予时出现的问题

标签 java spring spring-boot spring-security oauth-2.0

到目前为止,我已经有了密码授予类型并且工作得很好。 最近我开始在我的项目中实现OAuth的授权码授予。我可以从服务器获取授权码。使用代码我再次能够获取访问 token 。

问题是我无法使用我的访问 token 访问资源服务器。每次我尝试访问任何资源时,我都会被重定向到 Spring 的默认 /login 页面。

下面是资源服务器:

@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter{

    @Value("${security.oauth2.resource.id}")
    private String resourceId;

    @Bean
    public JdbcTokenStore getTokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Autowired
    private DataSource dataSource;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/oauth/**","/login","/").permitAll()
                .anyRequest().authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenStore(getTokenStore())
                .resourceId(resourceId).stateless(false);
    } 
}
<小时/>

网络安全:

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class CustomWebsecurity extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/oauth/**","/login","/").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}
<小时/>

授权服务器:

@Configuration
@EnableAuthorizationServer
@EnableOAuth2Sso
protected class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {

    @Autowired
    public AuthorizationApplication (ApplicationContext applicationContext, AuthenticationManager authenticationManager) {
        this.passwordEncoder = applicationContext.getBean(PasswordEncoderImpl.class);
        this.authenticationManager = authenticationManager;
    }

    private PasswordEncoder passwordEncoder;

    private AuthenticationManager authenticationManager;

    @Bean
    protected AuthorizationCodeServices getAuthorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        AuthorizationCodeServices services = getAuthorizationCodeServices();
        JdbcTokenStore tokenStore = getTokenStore();
        endpoints
                .userDetailsService(userDetailsService)
                .authorizationCodeServices(services)
                .authenticationManager(authenticationManager)
                .tokenStore(tokenStore)
                .approvalStoreDisabled();
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
        security.passwordEncoder(passwordEncoder);
    }
}
<小时/>

该问题可能是由于 WebSecurity 类的某些配置不正确造成的。但是,我尝试了多种配置,但没有成功。

最佳答案

在 @dur 的一些指导下,我找到了解决方案。 Here's one of the culprits :

The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3

总而言之,我做了以下更改:

  1. ResourceServer 以及 AuthorizationServer 上使用 @EnableOauth2Client 而不是 @EnableOAuth2Sso,因为后者给了我以下错误:

    java.lang.IllegalArgumentException: URI must not be null

  2. 删除了 CustomWebSecurity 并在 ResourceServer 本身中进行了所有安全配置。

  3. 通过将以下内容放入属性文件中来更改资源过滤器的过滤顺序:

    security.oauth2.resource.filter-order = 3

  4. 安全配置中的一些基本更改。

<小时/>

这是我的 ResourceServer 类:

@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
@EnableOAuth2Sso
public class ResourceServer extends ResourceServerConfigurerAdapter{

    @Value("${security.oauth2.resource.id}")
    private String resourceId;

    @Bean
    public JdbcTokenStore getTokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Autowired
    private DataSource dataSource;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .requestMatchers().antMatchers(
                "/protected_uri_1",
                "/protected_uri_2",
                "/protected_uri_3")
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
        .and().formLogin();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenStore(getTokenStore())
                .resourceId(resourceId);
    }

}

关于java - 在 Spring 实现授权码授予时出现的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49094966/

上一篇:java - Oracle SQL 序列

下一篇:java - 防止设备改变ip

相关文章:

java - GAE 中的持久 http session (浏览器/实例重新启动)- Java

java - IntComponent() 错误

java - 如何在 Spring 运行时从文本文件重新加载数据

java - Spring MVC - 多部分表单数据

mysql - Springboot : join query two Mysql DB schemas

java - 三个物体合而为一?

Java - 使用 Jbutton 监听器获取 JRadioButton cmd

java - android中如何实现快速查询响应?

java - JSTL jsp 选项组标签的 Spring 3 MVC 功能

java - Spring JavaConfig : Add mapping for custom Servlet

©2024 IT工具网  联系我们