Multiple Resource server configuration in Spring security OAuth


Problem description

I am trying to use a single Auth server to access multiple resource servers from multiple clients.

I am trying to access two resource servers from the same auth server, and my configuration of the resource servers goes as below.

// tokenStore, RESOURCE_ID1 and RESOURCE_ID2 are fields of the enclosing @Configuration class
@Bean
@Scope("prototype")
protected ResourceServerConfiguration resource1() {
    ResourceServerConfiguration resource = new ResourceServerConfiguration();
    resource.setConfigurers(Arrays.<ResourceServerConfigurer>asList(new ResourceServerConfigurerAdapter() {
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            // only tokens issued for RESOURCE_ID1 are accepted by this chain
            resources.resourceId(RESOURCE_ID1).tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // this chain is consulted only for /greeting
            http
                .csrf().disable()
                .requestMatchers().antMatchers("/greeting")
                .and()
                .authorizeRequests()
                .antMatchers("/users").hasRole("ADMIN");
        }
    }));  // closes the anonymous adapter and the asList(...) call
    resource.setOrder(4);
    return resource;
}

@Bean
@Scope("prototype")
protected ResourceServerConfiguration resource2() {
    ResourceServerConfiguration resource = new ResourceServerConfiguration();
    resource.setConfigurers(Arrays.<ResourceServerConfigurer>asList(new ResourceServerConfigurerAdapter() {
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            // only tokens issued for RESOURCE_ID2 are accepted by this chain
            resources.resourceId(RESOURCE_ID2).tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // this chain is consulted only for /welcome
            http
                .csrf().disable()
                .requestMatchers().antMatchers("/welcome")
                .and()
                .authorizeRequests()
                .antMatchers("/users").hasRole("ADMIN");
        }
    }));  // closes the anonymous adapter and the asList(...) call
    resource.setOrder(5);
    return resource;
}

Since the default order of WebSecurityConfigurerAdapter is 3, I have configured the Order of the Resource servers as 4 and 5 respectively.

But the configured Beans are getting overridden: I can access the resource "/welcome" which has order 5, and if I try to access the resource "/greeting", I am getting the following error,

{  "timestamp": 1444400211270,  "status": 403,  "error": "Forbidden",  "message": "Expected CSRF token not found. Has your session expired?",  "path": "/greeting"}

If I interchange the order between the resources, I can access the resource which has the highest value 5.

Note: I have two clients, so that one can access RESOURCE1 and another can access RESOURCE2.

Please suggest what I am missing.

Recommended answer

From the Javadoc of ResourceServerConfigurer:

Applications may provide multiple instances of this interface, and in general (like with other Security configurers), if more than one configures the same property, then the last one wins. The configurers are sorted by Order before being applied.

So maybe put a permitAll() on the /welcome path in both configurations.
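As an added example (not the asker's code and not the accepted answer's), the same two-chain layout built by one helper so the chains differ only in resource id, path and order, each chain stating an explicit rule for the path it owns. The class, bean and field names and the 'read' scope are assumptions.

```java
import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

// Added example, not the question's code; class, bean and field names are assumptions.
@Configuration
public class MultiResourceServerConfig {
    @Autowired
    private TokenStore tokenStore; // the same store the auth server writes to (assumption)

    @Bean
    @Scope("prototype")
    public ResourceServerConfiguration greetingResource() {
        return resourceServer("resource1", "/greeting", 4);
    }

    @Bean
    @Scope("prototype")
    public ResourceServerConfiguration welcomeResource() {
        return resourceServer("resource2", "/welcome", 5);
    }

    private ResourceServerConfiguration resourceServer(final String resourceId, final String path, int order) {
        ResourceServerConfiguration resource = new ResourceServerConfiguration();
        resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
            @Override
            public void configure(ResourceServerSecurityConfigurer resources) {
                // Tokens not issued for this resource id are rejected, so a client holding
                // resource2 tokens cannot call /greeting even though its token is valid.
                resources.resourceId(resourceId).tokenStore(tokenStore);
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                // This chain owns only `path`; give that path an explicit rule, because a
                // matched request with no authorization rule is treated as public.
                http.requestMatchers().antMatchers(path).and()
                    .authorizeRequests().antMatchers(path).access("#oauth2.hasScope('read')");
            }
        }));
        resource.setOrder(order); // lower order is consulted first; the first matching chain wins
        return resource;
    }
}
```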
