Oauth2Login 仅适用于特定网址 [英] Oauth2Login for only specific urls

问题描述

我正在尝试通过 Spring Security 进行 oauth2 配置设置以进行登录.但仅适用于特定网址.

I'm trying to have an oauth2 configuration setup for login through Spring Security. But only for specific urls.

我的安全配置如下所示.

My security config looks as follows.

@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .antMatcher("/secured/**")
            .authorizeRequests()
            .anyRequest()
            .authenticated()
    .and()
    .oauth2Login()
    .clientRegistrationRepository(clientRegistrationRepository())
    .authorizedClientService(authorizedClientService());
}

基本上我只希望 oauth2Login 触发以/secured 开头的 url.它似乎几乎可以工作，唯一的问题是每当 Spring 尝试将我的会话重定向到 google 进行身份验证时，它会触发 404.

Basically I only want the oauth2Login to be trigger for urls that start with /secured. It seems to almost work, the only issue is whenever Spring trys to re-direct my session to google for authentication it triggers a 404.

oauth 身份验证的标准重定向应该触发到 http://localhost:8080/oauth2/authorization/google，我的应用程序试图这样做，但它是 404.

The standard redirect for an oauth authentication should fire off to http://localhost:8080/oauth2/authorization/google, which my application attempts to do, but it 404's.

我假设 http://localhost:8080/oauth2/authorization/google url 被某种类型的安全配置阻止了?但我终其一生都无法弄清楚原因.

I'm assuming the http://localhost:8080/oauth2/authorization/google url is being blocked by some type of security config? But I cannot for the life of me figure out why.

我猜我需要为任何去往/oauth2/authorization/**"的请求找到 .permitAll() 的正确组合

I'm guessing I need to find the right combination of .permitAll() for any request going to "/oauth2/authorization/**"

我已经在下面试过了.

    @Override
public void configure(HttpSecurity http) throws Exception {
    http
            .antMatcher("/secured/**")
            .authorizeRequests()
            .antMatchers("/oauth2/authorization/**")
            .permitAll()
            .anyRequest()
            .authenticated()
    .and()
    .oauth2Login()
    .clientRegistrationRepository(clientRegistrationRepository())
    .authorizedClientService(authorizedClientService());
}

但这行不通.....有人看到我的问题吗?我没有其他与这个冲突的安全配置，我有点不知所措.

But that won't work.....does anyone see my issue? I have no other security config conflicting with this one, I'm at a bit of a loss.

推荐答案

了解这里问题的第一步是了解 http.antMatcher() 和 http.authorizeRequests().

The first step to understanding the issue here is understanding the difference between http.antMatcher() and http.authorizeRequests().

我们来看下面的配置.
(我使用 lambda 样式的配置，从 Spring Security 5.2 开始可用，以使其更具可读性)

Let's look at the following configuration.
(I am using the lambda-style configuration, available as of Spring Security 5.2, to make it more readable)

@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .antMatcher("/secured/**")
            .authorizeRequests(authorize -> authorize
                    .anyRequest().authenticated()
            )
            .oauth2Login(oauth2Login -> oauth2Login
                    .clientRegistrationRepository(clientRegistrationRepository())
                    .authorizedClientService(authorizedClientService())
            );
}

这里，我们指定 HTTP 安全仅在匹配 "/secured/**" 时才会被调用.

Here, we are specifying that HTTP security will only be invoked when matching "/secured/**".

换句话说，如果请求与/secured/**"匹配，则请求只会被SecurityFilterChain处理.

In other words, the request will only be processed by the SecurityFilterChain if it matches "/secured/**".

这是一个问题，因为 SecurityFilterChain 是从 /oauth2/authorization/google" 发起授权请求的原因.

This is a problem because the SecurityFilterChain is what initiates the Authorization Request from "/oauth2/authorization/google".

但是，SecurityFilterChain 未被调用，因为 "/oauth2/authorization/google" 与 "/secured/**".

However, the SecurityFilterChain is not called because "/oauth2/authorization/google" does not match "/secured/**".

请考虑以下配置.

@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests(authorize -> authorize
                    .antMatchers("/secured/**").authenticated()
                    .anyRequest().permitAll()
            )
            .oauth2Login(oauth2Login -> oauth2Login
                    .clientRegistrationRepository(clientRegistrationRepository())
                    .authorizedClientService(authorizedClientService())
            );
}

在这里，将为所有请求调用 HTTP 安全性.

Here, the HTTP security will be invoked for all requests.

但是，只有与 "/secured/**" 匹配的请求才会要求用户进行身份验证.

However, only requests that match "/secured/**" will require the user to authenticate.

这篇关于Oauth2Login 仅适用于特定网址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！