Spring OAuth2 multi-server annotation configuration (resource & authorization)
Question
I am using the following:
- Spring 4.2
- Spring Security 4.0.2
- Spring OAuth2 2.0.7
I am trying to configure a single server to handle:
- general MVC content (some of it protected, some not)
- an authorization server
- a resource server
The resource server configuration does not seem to be restricted to /rest/**; instead it overrides all of the security configuration. That is, calls to protected non-OAuth resources are not protected (the filter does not catch them and redirect to the login page).
Configuration (I have trimmed some parts for simplicity):
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

// Nested inside an outer configuration class; RESOURCE_ID is a constant defined there (trimmed by the author).
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId(RESOURCE_ID)
            .tokenStore(tokenStore)
            .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Intended to limit this filter chain to /rest/** only
        http
            .requestMatchers()
                .antMatchers("/rest/**")
            .and()
            .authorizeRequests()
                .antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");
    }
}
```
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The autowired mongoClientAuthenticationProvider, mongoUserAuthenticationProvider
    // and formUserDetailsService fields were trimmed by the author.

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    protected AuthenticationEntryPoint authenticationEntryPoint() {
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
        entryPoint.setRealmName("example");
        return entryPoint;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(mongoClientAuthenticationProvider)
            .authenticationProvider(mongoUserAuthenticationProvider)
            .userDetailsService(formUserDetailsService);
    }

    @Bean
    protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception {
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.afterPropertiesSet();
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/account/**", "/account")
                .antMatchers("/oauth/token")
                .antMatchers("/login")
            .and()
            .authorizeRequests()
                .antMatchers("/account/**", "/account").hasRole("USER")
                .antMatchers("/oauth/token").access("isFullyAuthenticated()")
                .antMatchers("/login").permitAll()
            .and()
            .exceptionHandling()
                .accessDeniedPage("/login?authentication_error=true")
            .and()
            .csrf()
                .disable()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
            .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .failureUrl("/login?authentication_error=true")
                .loginPage("/login");
        http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
    }
}
```
Answer
You are using multiple HttpSecurity configurations. Spring needs to know the order. Use @Order on the SecurityConfig class:
```java
@Configuration
@EnableWebSecurity
@Order(4)
public class SecurityConfig extends WebSecurityConfigurerAdapter {}
```
The @EnableResourceServer annotation creates a WebSecurityConfigurerAdapter with a hard-coded order (3). Because of technical limitations in Spring it is currently not possible to change that order, so you have to avoid Order=3 in the other WebSecurityConfigurerAdapters of your application (Spring Security will tell you if you forget).
Reference:
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
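To make the ordering concrete, here is an added example (not code from the question or the answer above) showing how the two filter chains fit together once the web configuration carries an explicit @Order: the chain created by @EnableResourceServer sits at order 3 and is restricted to /rest/**, and the @Order(4) chain handles the form-login paths. The resource id "example-api" and the class names are assumptions, and the token store is assumed to come from an authorization server configuration that is not shown.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

public class SecurityChains {

    // Chain 1: created by @EnableResourceServer at a fixed @Order(3).
    // requestMatchers() keeps it to /rest/**; without that restriction it
    // claims every request and the form-login chain below never runs.
    @Configuration
    @EnableResourceServer
    static class RestResourceConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // "example-api" is an assumed resource id; the token store comes
            // from the authorization server configuration (not shown).
            resources.resourceId("example-api").stateless(true);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/rest/**")
                .and().authorizeRequests()
                .antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");
        }
    }

    // Chain 2: explicit @Order(4), so it is consulted after the resource server
    // chain. Any value but 3 works; a second adapter at order 3 fails at startup.
    @Configuration
    @EnableWebSecurity
    @Order(4)
    static class WebConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/account/**", "/oauth/token", "/login", "/logout")
                .and().authorizeRequests()
                .antMatchers("/account/**").hasRole("USER")
                .antMatchers("/oauth/token").access("isFullyAuthenticated()")
                .antMatchers("/login", "/logout").permitAll()
                .and().formLogin().loginPage("/login").loginProcessingUrl("/login")
                .and().logout().logoutUrl("/logout");
        }
    }
}
```

Because the first chain whose request matcher accepts a URL handles it, a request to /account/me is skipped by the order-3 chain and reaches the order-4 chain, which redirects unauthenticated callers to /login; a request to /rest/items stops at the order-3 chain and is judged on its bearer token alone.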