Spring OAuth2多服务器注释配置(资源和授权) [英] Spring OAuth2 multi Server annotations configuration (resource & authorization)

问题描述

我正在使用以下内容：

• 春季4.2
• Spring Security 4.0.2
• Spring OAuth2 2.0.7

我正在尝试配置单个服务器来处理：

• 一般MVC内容(有些受保护，有些不受保护)
• 授权服务器
• 资源服务器

资源服务器配置似乎不限于/rest/**，而是覆盖所有安全配置。即对受保护的非OAuth资源的调用未受保护(即筛选器未捕获它们并重定向到登录)。

配置(为简单起见，我删除了一些内容)：

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter  {



        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore)
                .stateless(true);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/rest/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");

        }

    }

@Configuration
@EnableWebSecurity
public class SecurityConfig  extends WebSecurityConfigurerAdapter {

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();

    }
   @Bean
    protected AuthenticationEntryPoint authenticationEntryPoint() {
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
        entryPoint.setRealmName("example");
        return entryPoint;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth
            .authenticationProvider(mongoClientAuthenticationProvider)
            .authenticationProvider(mongoUserAuthenticationProvider)
            .userDetailsService(formUserDetailsService);
    }

    @Bean
    protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception{
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.afterPropertiesSet();
        return filter;
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
        .requestMatchers()
            .antMatchers("/account/**", "/account")
            .antMatchers("/oauth/token")
            .antMatchers("/login")
            .and()
        .authorizeRequests()
            .antMatchers("/account/**", "/account").hasRole("USER")
            .antMatchers("/oauth/token").access("isFullyAuthenticated()")
            .antMatchers("/login").permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/login?authentication_error=true")
            .and()
        .csrf()
            .disable()
        .logout()
            .logoutUrl("/logout")
            .invalidateHttpSession(true)
            .and()
        .formLogin()
            .loginProcessingUrl("/login")
            .failureUrl("/login?authentication_error=true")
            .loginPage("/login")
        ;

        http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);

    }

推荐答案

您正在使用多个HttpSecurity配置。春天需要知道顺序。使用@Order

注释SecurityConfig类

@Configuration
@EnableWebSecurity
@Order(4)
public class SecurityConfig  extends WebSecurityConfigurerAdapter{}

注释@EnableResourceServer创建具有硬编码顺序(3)的WebSecurityConfigurerAdapter。由于Spring中的技术限制，现在不可能更改顺序，因此您必须避免在应用程序的其他WebSecurityConfigurerAdapter中使用Order=3(如果您忘记了，Spring Security会通知您的)。

引用：

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity

http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.html

这篇关于Spring OAuth2多服务器注释配置(资源和授权)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！