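Spring Security default login page

Time: 2021-06-04 13:29:54

Tags: spring spring-security spring-cloud-gateway

I have set up Spring Security in my Spring Cloud Gateway application. When I fire it up, it takes me to an HTML page where I have to choose the preferred OAuth 2.0 type.

My pom, Spring version 2.3.12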

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>

application.yml

spring:
  profiles: default
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://qa-abchc.cs195.force.com
      client:
        registration:
          sfdc:
            client-id: 3MVG9GnaLrwG9T5ZpEfaDCVDu7N4BibMIHajVSUG5F6epm
            scope: openid,email,phone,profile
            client-secret: fkdslfjklsdjflksjdflsj
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:7999/oauth2/callback/sfdc
          abc:
            client-id: OIDC_CLIENT
            scope: openid,email,phone,profile
            client-secret: dfjskldjflskfjls
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:7999/oauth2/callback/abc          
        provider:
          sfdc:
            authorization-uri: https://qa-abchc.cs195.force.com/abcidp/services/oauth2/authorize
            token-uri: https://qa-abchc.cs195.force.com/abcidp/services/oauth2/token 
          abc:
            authorization-uri: https://rrtrr.abc.com/fss/as/authorization.oauth2
            token-uri: https://rrtrr.abc.com/fss/as/token.oauth2

 
@Configuration
@EnableWebFluxSecurity
public class OAuth2WebSecurity {

    @Value("${spring.security.oauth2.client.provider.sfdc.issuer-uri}")
    String issuerUri;

    @Bean
    ReactiveJwtDecoder jwtDecoder() {
        return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository) {

        http.csrf().disable()
                .authorizeExchange()
                .pathMatchers("/favicon.ico", "/css/**", "/webjars/**",
                        "/api/v1.0/applications/**", "/api/v1.0/users/**", "/oauth2/**", "/login/**",
                        "/oauth2/callback/ge", "/*").permitAll()
                .anyExchange().authenticated()
                .and()
                .oauth2Login()
                .authorizationRequestResolver(authorizationRequestResolver(clientRegistrationRepository))
                .and()
                .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
        return http.build();

    }

    @Bean
    public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher("/login/{registrationId}"));
    }

}

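When I try to access it in the browser, it goes to http://localhost:8080/login, which returns an HTML page where I can choose any one of the OAuth providers mentioned in the YAML file.

Now how do I disable this HTML page and make it choose the OAuth provider based on the context path?

localhost:8080/login/abc --> goes to the abc authentication server

localhost:8080/login/sfdc --> goes to the sfdc authentication server

After authentication, it should go to a default rest controller or some filter class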


@RestController
public class LoginController {

    @GetMapping("/oauth2/callback/ge")
    public String getLoginInfo(@AuthenticationPrincipal OidcUser principal) {
        System.out.println(principal.getAccessTokenHash());
        return "loginSuccess";
    }

    @GetMapping("/oauth2/callback/sfdc")
    public String getLoginSfdcInfo(@AuthenticationPrincipal OidcUser principal) {
        System.out.println(principal.getAccessTokenHash());
        return "loginSuccess";
    }

}

1 answer:

Answer 0: (score: 1)

The login page is generated by Spring Security. You can disable it by specifying your own login page:

.exceptionHandling().authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/my-custom-login-page"))

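All this does is set an authentication entry point that redirects to /my-custom-login-page. This may not be what you want, but it disables the default login page. You don't have to perform a redirect if there is no page or redirect you want when an unauthenticated user makes a request. For example, to return a 401 whenever the user is not authenticated: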

.exceptionHandling().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))

To change the path of the authorization endpoint, you can use a ServerOAuth2AuthorizationRequestResolver to change the request matching:

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver) {
    http
        // ...
        .oauth2Login().authorizationRequestResolver(authorizationRequestResolver);

    return http.build();
}
@Bean
public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(ReactiveClientRegistrationRepository clientRegistrationRepository) {
    return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
            new PathPatternParserServerWebExchangeMatcher("/login/{registrationId}"));
}

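This will allow /login/abc and /login/sfdc to go to abc and sfdc respectively, based on your client registrations.

Finally, the callback is handled by Spring Security, so your controller will not be invoked. You will need to define an authentication success handler: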

.oauth2Login().authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/my-login-success-page"))

You can read more about this in the OAuth2 WebFlux section of the documentation.