我正在尝试使用spring oAuth2设置一个纯资源服务器,它将验证来自授权服务器的访问令牌。
我无法保护自己的资源。我能直接打到api。 例如:
以上两个链接都可以访问我的资源,但这些链接应该返回未经授权的错误。
资源服务器配置。
<bean id="authenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myRealm" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />
<oauth2:expression-handler id="oauthExpressionHandler" />
<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
<security:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth2:resource-server id="myResource"
resource-id="myResourceId" token-services-ref="tokenServices" />
<security:http pattern="/**" create-session="never"
entry-point-ref="authenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/**"
access="IS_AUTHENTICATED_FULLY" method="GET" />
<security:intercept-url pattern="/**" access="SCOPE_READ"
method="HEAD" />
<security:intercept-url pattern="/**" access="SCOPE_READ"
method="OPTIONS" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="PUT" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="POST" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="DELETE" />
<security:custom-filter ref="myResource"
before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
答案 0 :(得分:0)
您必须配置RemoteTokenServices bean以检查授权服务器中的令牌:
@Bean
public RemoteTokenServices LocalTokenService() {
final RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token");
tokenService.setClientId("my-client-with-secret");
tokenService.setClientSecret("secret");
return tokenService;
}
或来自xml:
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
p:checkTokenEndpointUrl="${oaas.endpoint.check_token}"
p:clientId="${oaas.client_id}"
p:clientSecret="${oaas.client_secret}" />
请注意,还应将授权服务器检查端点配置为允许来自匿名请求的令牌检查。