我使用Spring Boot 1.5.2.RELEASE实现了oAuth2授权服务器。授权服务器支持隐式流。使用下面的WebSecurityConfig,登录表单(http://localhost:8200/login)运行良好。
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JpaUserDetailsService userDetailsService;
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return userDetailsService;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationProvider authenticationProvider() throws Exception {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsServiceBean());
provider.setPasswordEncoder(passwordEncoder());
return provider;
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return new ProviderManager(singletonList(authenticationProvider()));
}
@Override
public void configure(WebSecurity web) {
web.ignoring()
.antMatchers("/")
.antMatchers("/docs/**")
.antMatchers("/swagger/**")
.antMatchers("/token/**")
.antMatchers("/v2/*")
.antMatchers(HttpMethod.OPTIONS, "/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/login**").permitAll().anyRequest().authenticated().and()
.formLogin().loginPage("/login").permitAll().and()
.logout().permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
}
我希望资源服务器成为同一个应用程序的一部分。目的是我需要一个 / me 端点,它将为我提供用于管理用户的登录用户和端点的详细信息。但是当我在下面添加使用EnableResourceServer注释的ResourceServerConfig时,我开始收到错误"访问此资源需要完全身份验证"当我请求http://localhost:8200/login时。
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
public static final String RESOURCE_ID = "proclaim-auth";
@Autowired
private ResourceServerTokenServices tokenServices;
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources
.resourceId(RESOURCE_ID)
.tokenServices(tokenServices);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/ **").authenticated();
}
}
我怀疑资源服务器安全链在授权服务器安全链之前。我尝试使用注释Order来注释WebSecurityConfig,但它没有解决我的问题:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
}
我做错了什么?请指教。 提前谢谢!
编辑1 我将方法configure(HttpSecurity http)添加到ResourceServerConfig中,并在WebSecurityConfig上将Order annotation的值更改为-1。现在应用WebSecurityConfig中定义的安全过滤,并忽略ResourceServerConfig中定义的安全过滤。因此,当我使用有效令牌调用 / me 端点时,我会重定向到登录页面。
答案 0 :(得分:4)
The cause of the problem was wrong configuration of http security in the ResourceServerConfig class. The correct configuration is as follows:
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/api/**").and()
.authorizeRequests().anyRequest().authenticated();
}
The requestMatchers will ensure that only requests on paths starting with "/api/" will be processed by this security chain. All other requests will be passed to the security chain defined in the WebSecurityConfig class. I was missing this in my config so all requests were processed by the ResourceServerConfig security chain and none request reached the WebSecurityConfig security chain.