Spring OAuth2 multi-server annotation configuration (resource and authorization)

Tags: spring spring-security spring-security-oauth2

I am using the following:

  • Spring 4.2
  • Spring Security 4.0.2
  • Spring OAuth2 2.0.7

I am trying to configure a server that handles the following:

  • General MVC content (some protected, some not)
  • An authorization server
  • A resource server

The resource server configuration does not seem to be limited to /rest/**, but overrides all of the security configuration. That is, calls to protected non-OAuth resources are not protected (i.e. the filter does not catch them and redirect to the login page).

Configuration (I removed some content for simplicity):

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter  {



        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore)
                .stateless(true);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/rest/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");

        }

    }

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        protected AuthenticationEntryPoint authenticationEntryPoint() {
            OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
            entryPoint.setRealmName("example");
            return entryPoint;
        }

        // The three providers/services below are autowired fields that were
        // omitted from the posted configuration.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .authenticationProvider(mongoClientAuthenticationProvider)
                .authenticationProvider(mongoUserAuthenticationProvider)
                .userDetailsService(formUserDetailsService);
        }

        @Bean
        protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception {
            ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
            filter.setAuthenticationManager(authenticationManagerBean());
            filter.afterPropertiesSet();
            return filter;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
            .requestMatchers()
                .antMatchers("/account/**", "/account")
                .antMatchers("/oauth/token")
                .antMatchers("/login")
                .and()
            .authorizeRequests()
                .antMatchers("/account/**", "/account").hasRole("USER")
                .antMatchers("/oauth/token").access("isFullyAuthenticated()")
                .antMatchers("/login").permitAll()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/login?authentication_error=true")
                .and()
            .csrf()
                .disable()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .failureUrl("/login?authentication_error=true")
                .loginPage("/login")
            ;

            http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
        }
    }

Best answer

You are using multiple HttpSecurity configurations. Spring needs to know the order. Annotate your SecurityConfig with @Order:

    @Configuration
    @EnableWebSecurity
    @Order(4)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {}

The annotation @EnableResourceServer creates a WebSecurityConfigurerAdapter with a hard-coded Order (of 3). It's not possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget).

References:

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity

http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.html

Regarding Spring OAuth2 multi-server annotation configuration (resource and authorization), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32206843/
