Spring Boot 1.3.3 @EnableResourceServer and @EnableOAuth2Sso at the same time


Question

I want my server to be a ResourceServer, which can accept a Bearer access token.

However, if such a token doesn't exist, I want to use the OAuth2Server to authenticate my user.

I tried this:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@Configuration
@EnableOAuth2Sso
@EnableResourceServer
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request requires an authenticated principal.
        http.authorizeRequests().anyRequest().authenticated();
    }
}

However, in this case, only the @EnableResourceServer annotation works. It returns

Full authentication is required to access this resource

and does not redirect me to the login page.

I mentioned that the @Order is important: if I add the @Order(0) annotation, I will be redirected to the login page; however, I cannot access my resource with the access_token in the HTTP header:

Authorization : Bearer 142042b2-342f-4f19-8f53-bea0bae061fc

How can I achieve my goal? I want it to use the access token and SSO at the same time.

Thanks~

Accepted answer

Using both configurations on the same request would be ambiguous. There could be some solution for that, but it is clearer to define separate request groups:

  • OAuth2Sso: for users coming from a browser, we want to redirect them to the authentication provider for the token
  • ResourceServer: usually for API requests, coming with a token they got from somewhere (most probably from the same authentication provider)

To achieve this, separate the configurations with a request matcher:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // name= rather than the value alias, so this also compiles on the Spring 4.2 line used by Boot 1.3
    @Bean(name = "resourceServerRequestMatcher")
    public RequestMatcher resources() {
        return new AntPathRequestMatcher("/resources/**");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // This chain only handles requests under /resources/**
        http
            .requestMatcher(resources()).authorizeRequests()
            .anyRequest().authenticated();
    }

}

And exclude these from the SSO filter chain:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableOAuth2Sso
public class SsoSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("resourceServerRequestMatcher")
    private RequestMatcher resources;

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Everything that is NOT a resource request goes through the SSO chain
        RequestMatcher nonResources = new NegatedRequestMatcher(resources);
        http
            .requestMatcher(nonResources).authorizeRequests()
            .anyRequest().authenticated();
    }
}

And put all resources under /resources/**.

Of course, in this case both will use the same oauth2 configuration (accessTokenUri, jwt.key-value, etc.).

UPDATE1:

Actually, you can achieve your original goal by using this request matcher for the above configuration:

new RequestHeaderRequestMatcher("Authorization")

UPDATE2: (Explanation of @sid-morad's comment)

Spring Security creates a filter chain for each configuration. The request matcher for each filter chain is evaluated in the order of the configurations. WebSecurityConfigurerAdapter has default order 100, and ResourceServerConfiguration is ordered 3 by default, which means ResourceServerConfiguration's request matcher is evaluated first. This order can be overridden for these configurations like:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    private org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration configuration;

    @PostConstruct
    public void setSecurityConfigurerOrder() {
        configuration.setOrder(3);
    }
...
}


@Configuration
@EnableOAuth2Sso
@Order(100)
public class SsoSecurityConfiguration extends WebSecurityConfigurerAdapter {
...
}

So yes, a request matcher is not needed for SsoSecurityConfiguration in the above sample. But it is good to know the reasons behind it :)
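Below is a complete version of the UPDATE1 variant, added here as an illustration (it is not the answerer's code): the two configurations from the answer, but split on the presence of an Authorization header instead of on the /resources/** path. The class names HeaderResourceServerConfiguration and HeaderSsoSecurityConfiguration and the bean name bearerRequestMatcher are chosen for this example; the imports assume Spring Boot 1.3 with spring-security-oauth2, as in the question.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Resource-server chain (example class, not from the original answer).
 * Handles only requests that carry an Authorization header, i.e. API clients
 * sending "Authorization: Bearer <token>". It keeps the default order 3, so
 * its matcher is consulted before the SSO chain's.
 */
@Configuration
@EnableResourceServer
class HeaderResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // name= rather than the value alias so it compiles on the Spring 4.2 line used by Boot 1.3
    @Bean(name = "bearerRequestMatcher")
    public RequestMatcher bearerRequests() {
        // Matches whenever the header is present, regardless of its value or scheme.
        return new RequestHeaderRequestMatcher("Authorization");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(bearerRequests())
            .authorizeRequests().anyRequest().authenticated();
    }
}

/**
 * SSO chain (example class, not from the original answer).
 * Everything without an Authorization header, i.e. browser traffic, is
 * redirected to the authorization server to log in.
 */
@Configuration
@EnableOAuth2Sso
@Order(100) // explicit; this is also the WebSecurityConfigurerAdapter default
class HeaderSsoSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("bearerRequestMatcher")
    private RequestMatcher bearerRequests;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Negate the resource-server matcher so the two chains never overlap.
        http.requestMatcher(new NegatedRequestMatcher(bearerRequests))
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

With this split, a request carrying an Authorization header is answered by the resource-server chain (a 401 for a missing or invalid token, never a login redirect, which is what an API client wants), while every other request falls through to the SSO chain and gets the redirect to the authorization server. Two caveats worth checking in a test: RequestHeaderRequestMatcher only tests for the header's presence, so a request with any Authorization scheme, including Basic, is routed to the resource server; and a browser that still sends a stale Bearer token receives a 401 instead of a fresh login. A quick check is one bare request and one with `Authorization: Bearer <token>`: the first should return a 302 to the authorization server, the second should reach the resource.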
