Spring Boot 1.3.3 @EnableResourceServer and @EnableOAuth2Sso at the same time

Question

I want my server to be a ResourceServer, which can accept a Bearer access token.
However, if such a token doesn't exist, I want to use the OAuth2Server to authenticate my user.
I tried this:
```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

// Both annotations on one adapter: the two filter chains compete for every request
@Configuration
@EnableOAuth2Sso
@EnableResourceServer
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```
However, in this case, only the @EnableResourceServer annotation works. It returns

Full authentication is required to access this resource

and does not redirect me to the login page.
I mentioned that the @Order is important: if I add the @Order(0) annotation, I will be redirected to the login page; however, I cannot access my resource with the access_token in the HTTP header:

Authorization : Bearer 142042b2-342f-4f19-8f53-bea0bae061fc

How can I achieve my goal? I want it to use the access token and SSO at the same time.
Thanks~
Answer

Using both configurations on the same request would be ambiguous. There could be some solution for that, but it is clearer to define separate request groups:

- OAuth2Sso: for users coming from a browser, we want to redirect them to the authentication provider for the token
- ResourceServer: usually for API requests, coming with a token they got from somewhere (most probably from the same authentication provider)

To achieve this, separate the configurations with a request matcher:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    // Exposed as a named bean so the SSO configuration can reuse (and negate) it.
    // @Bean(name = ...) rather than @Bean("...") so it compiles on the Spring 4.2 line used by Boot 1.3.3.
    @Bean(name = "resourceServerRequestMatcher")
    public RequestMatcher resources() {
        return new AntPathRequestMatcher("/resources/**");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // This chain only handles requests under /resources/**
        http
            .requestMatcher(resources()).authorizeRequests()
            .anyRequest().authenticated();
    }
}
```
And exclude these from the SSO filter chain:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableOAuth2Sso
public class SsoSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    @Qualifier("resourceServerRequestMatcher")
    private RequestMatcher resources;

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Everything the resource server does not claim goes through SSO
        RequestMatcher nonResources = new NegatedRequestMatcher(resources);
        http
            .requestMatcher(nonResources).authorizeRequests()
            .anyRequest().authenticated();
    }
}
```
And put all resources under /resources/**.

Of course, in this case both will use the same oauth2 configuration (accessTokenUri, jwt.key-value, etc.).
UPDATE1:
Actually, you can achieve your original goal by using this request matcher for the above configuration:

```java
new RequestHeaderRequestMatcher("Authorization")
```

UPDATE2: (Explanation of @sid-morad's comment)
Spring Security creates a filter chain for each configuration. The request matcher of each filter chain is evaluated in the order of the configurations. WebSecurityConfigurerAdapter has default order 100, and ResourceServerConfiguration is ordered 3 by default, which means ResourceServerConfiguration's request matcher is evaluated first. This order can be overridden for these configurations like:
```java
import javax.annotation.PostConstruct;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    // The auto-configured ResourceServerConfiguration bean; its order decides
    // when the resource server's filter chain is consulted (default 3)
    @Autowired
    private org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration configuration;

    @PostConstruct
    public void setSecurityConfigurerOrder() {
        configuration.setOrder(3);
    }
    // ...
}

// Separate file: the SSO chain is ordered after the resource server chain
@Configuration
@EnableOAuth2Sso
@Order(100)
public class SsoSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // ...
}
```
So yes, a request matcher is not needed for SsoSecurityConfiguration in the above sample. But it is good to know the reasons behind it :)
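The routing decision that UPDATE1's header matcher makes, as an added example that is not part of the answer: it runs RequestHeaderRequestMatcher("Authorization") and its negation against constructed requests (using spring-test's MockHttpServletRequest), and contrasts it with a hypothetical BearerTokenRequestMatcher that only claims requests whose header actually carries a Bearer token. The point for a deployer: the header-presence matcher sends any request with an Authorization header (including a Basic one) to the resource server chain, where it gets a 401 instead of the SSO redirect.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical matcher (not from the answer): claim a request for the resource
// server chain only when the Authorization header carries a Bearer token.
class BearerTokenRequestMatcher implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        return header != null
                && header.regionMatches(true, 0, "Bearer ", 0, 7)
                && header.length() > 7;
    }
}

public class ChainRoutingDemo {
    // Matcher from the answer's UPDATE1: any Authorization header at all
    static final RequestMatcher ANY_AUTH_HEADER = new RequestHeaderRequestMatcher("Authorization");
    static final RequestMatcher BEARER_ONLY = new BearerTokenRequestMatcher();

    // Mirrors the two chains: the resource server claims matching requests,
    // the SSO chain (negated matcher) takes everything else.
    static String route(RequestMatcher resourceMatcher, HttpServletRequest req) {
        RequestMatcher sso = new NegatedRequestMatcher(resourceMatcher);
        if (resourceMatcher.matches(req)) return "resource server chain (401 if token missing/invalid)";
        if (sso.matches(req)) return "sso chain (redirect to login)";
        return "no chain";
    }

    public static void main(String[] args) {
        // Constructed sample requests
        MockHttpServletRequest browser = new MockHttpServletRequest("GET", "/resources/report");
        MockHttpServletRequest bearer = new MockHttpServletRequest("GET", "/resources/report");
        bearer.addHeader("Authorization", "Bearer 142042b2-342f-4f19-8f53-bea0bae061fc");
        MockHttpServletRequest basic = new MockHttpServletRequest("GET", "/resources/report");
        basic.addHeader("Authorization", "Basic dXNlcjpwYXNz"); // constructed, not a real credential

        for (MockHttpServletRequest r : new MockHttpServletRequest[] { browser, bearer, basic }) {
            String h = String.valueOf(r.getHeader("Authorization"));
            System.out.println(h + " | header-present: " + route(ANY_AUTH_HEADER, r));
            System.out.println(h + " | bearer-only:    " + route(BEARER_ONLY, r));
        }
    }
}
```

With the header-present matcher the Basic request lands on the resource server chain; with the bearer-only matcher it falls through to the SSO chain, which is the behaviour the question asked for.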