我有一个Spring Security应用程序,我希望能够验证多个令牌-我希望能够从Google或内部服务传递带有承载令牌的Authorization头,并尝试后端依次验证每项服务。
我的问题是我只看到第一个(基于较低的resource.setOrder(x) x值)。换句话说,我有2个资源服务器配置,但是它仅使用第一个而不使用第二个。
如果我将google设置为3,另一个设置为4,则可以找到google令牌验证,但是当我尝试访问/时,它被允许,并且我看到了Google过滤器的工作(BTE for Google输出),而不是我配置的第二个(BTE for App)。
我正在尝试像这样配置2个ResourceServer:
@Bean
protected ResourceServerConfiguration googleLoginResources() {
ResourceServerConfiguration resource = new ResourceServerConfiguration() {
public void setConfigurers(List<ResourceServerConfigurer> configurers) {
super.setConfigurers(configurers);
}
};
resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
ResourceServerTokenServices googleLoginTokenServices(OAuthProperties oAuthProperties, AccessTokenValidator tokenValidator) {
LOGGER.info("Configuring Google ResourceServerTokenServices");
GoogleTokenServices googleTokenServices = new GoogleTokenServices(tokenValidator);
googleTokenServices.setUserInfoUrl(oAuthProperties.getUserInfoUrl());
return googleTokenServices;
}
AccessTokenValidator googleLoginTokenValidator(OAuthProperties oAuthProperties) {
LOGGER.info("Configuring Google AccessTokenValidator");
GoogleAccessTokenValidator accessTokenValidator = new GoogleAccessTokenValidator();
accessTokenValidator.setClientId(oAuthProperties.getClientId());
accessTokenValidator.setCheckTokenUrl(oAuthProperties.getCheckTokenUrl());
return accessTokenValidator;
}
class BTEG extends BearerTokenExtractor {
@Override
protected String extractToken(HttpServletRequest request) {
LOGGER.info("BTE for Google");
return super.extractToken(request);
}
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
LOGGER.info("Configuring Google ResourceServerSecurityConfigurer");
resources.resourceId(oAuthProperties.getClientId());
ResourceServerTokenServices gts = googleLoginTokenServices(oAuthProperties, googleLoginTokenValidator(oAuthProperties));
// DelegatingTokenServices dts = new DelegatingTokenServices();
// dts.addResourceServerTokenServices(gts);
resources.tokenServices(gts);
resources.tokenExtractor(new BTEG());
}
@Override
public void configure(HttpSecurity http) throws Exception {
LOGGER.info("Configuring HTTP");
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.cors().and()
//.csrf().ignoringAntMatchers("/h2-console/**").and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/login/google").permitAll()
//.antMatchers("/h2-console/**").permitAll()
.antMatchers("/login/google").hasRole("GOOGLE_USER")
//.antMatchers("/").permitAll()
;
}
}));
resource.setOrder(3);
return resource;
}
@Bean
protected ResourceServerConfiguration appLoginResources() {
ResourceServerConfiguration resource = new ResourceServerConfiguration() {
public void setConfigurers(List<ResourceServerConfigurer> configurers) {
super.setConfigurers(configurers);
}
};
resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
class BTEA extends BearerTokenExtractor {
@Override
protected String extractToken(HttpServletRequest request) {
LOGGER.info("BTE for App");
return super.extractToken(request);
}
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
LOGGER.info("Configuring App ResourceServerSecurityConfigurer");
resources.resourceId("app");
resources.tokenExtractor(new BTEA());
}
@Override
public void configure(HttpSecurity http) throws Exception {
LOGGER.info("Configuring App HTTP");
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
//.cors().and()
.authorizeRequests()
//.antMatchers(HttpMethod.OPTIONS, "/").permitAll()
.antMatchers("/").hasRole("ASDF")
;
}
}));
resource.setOrder(4);
return resource;
}
我如何使两者(或更多,如果需要)一起使用?