将 WebSecurityConfigurerAdapter 与 Spring OAuth2 和 user-info-uri 结合使用 [英] Using WebSecurityConfigurerAdapter with Spring OAuth2 and user-info-uri

问题描述

我创建了如下授权服务

@SpringBootApplication
@EnableAuthorizationServer
public class AuthorizationApplication {
   ...
}

有了这个application.properties.

server.port=9000
security.oauth2.client.client-id=monederobingo
security.oauth2.client.client-secret=monederobingosecret
security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
security.oauth2.client.scope=company,client

然后，在一个单独的 spring boot 项目中，我创建了一个资源服务器.

Then, in a separate spring boot project I have created a Resource Server.

@SpringBootApplication
@EnableResourceServer
public class App {
   ...
}

有了这个application.properties.

server.port=9090
spring.application.name=app
security.oauth2.resource.user-info-uri=http://localhost:9000/user

现在，如果我使用授权服务检索到的适当令牌发送像这样的 localhost:9090/api 请求，一切正常.

Now, everything works fine if I send a request like this localhost:9090/api with the appropriate token that was retrieved by Authorization Service.

但是，我不想在向 localhost:9090/login 发送请求时发送此令牌.

However, I don't want to send this token when sending requests to localhost:9090/login.

为此，我在我的资源服务器 spring boot 应用程序中创建了这个类.

For this I have created this class in my Resource server spring boot app.

@Configuration
public class SpringConfig extends WebSecurityConfigurerAdapter {
    @Override protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/login")
                .permitAll()
                .antMatchers("/api/**")
                .authenticated();
    }

}

现在我不需要发送任何令牌来向 /login 发送请求.

And now I don't need to send any token to send a request to /login.

但是，当使用有效令牌向 /api 发送请求时，我现在收到以下消息.

However, I'm now geting the following message when sending request to /api with a valid token.

{
  "timestamp": 1496027102659,
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/api/v1/points_configuration/314"
}

如何在 Spring Security OAuth2 中仅为少数 URL 模式配置安全性?

How can configure security for only a few URL patterns in Spring Security OAuth2?

推荐答案

有关 Spring OAuth 安全性的更多信息，请关注此:使用 OAuth 保护 Spring REST Api

为了在 Spring boot 中实现 OAuth Security，你必须创建 Authorization &通过分别从 AuthorizationServerConfigurerAdapter 和 ResourceServerConfigurerAdapter 扩展它们来实现资源服务器.

In order to implement OAuth Security in Spring boot, you have to create Authorization & Resource server by extending them from AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter respectively.

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter{

    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints
                    .userDetailsService(userDetailsService)
                    .authenticationManager(this.authenticationManager).tokenStore(tokenStore()).approvalStoreDisabled();
        }

       @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(mongoClientDetailsService);
            /*inMemory()
                    .withClient(propertyResolver.getProperty(PROP_CLIENTID))
                    .scopes("read", "write")
                    .authorities("ROLE_CLIENT")
                    .authorizedGrantTypes("password", "refresh_token","client_credentials")
                    .secret(propertyResolver.getProperty(PROP_SECRET))
                    .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));*/
        }

//Do others stuff
    }

资源服务器

您要使用 OAuth 保护的所有 Url 都应在此服务器配置中提及.它启用 Spring Security 过滤器，该过滤器使用传入的 OAuth2 令牌对请求进行身份验证.虽然大多数 WebSecurityConfigurerAdapter 扩展类用于基本安全配置，例如添加过滤器、允许不安全的 url 或实施会话策略等.

Resource Server

All the Url that you want to protect using OAuth should be mentioned in this server configuration. It enables a Spring Security filter that authenticates requests using an incoming OAuth2 token. While mostly WebSecurityConfigurerAdapter extended class is used for basic security configuration like adding filters, allowing un-secure url or implementing session policies etc.

@Configuration
@EnableResourceServer
public class App extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/api/**").and().authorizeRequests()
                .antMatchers("/api/**").authenticated();
}
  //Do others stuff
}

这篇关于将 WebSecurityConfigurerAdapter 与 Spring OAuth2 和 user-info-uri 结合使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！