Spring Boot Security OAuth2 with Form Login


Question

I am following Part V of Getting Started with Spring Boot Security to secure my RESTful microservices.

The simple flow that I intend to implement is:-

  1. If unauthenticated, the user is redirected to a custom login page at say '/login'.

  2. The user provides their credentials.

  3. On successful authentication the user is redirected to the home page ('/home'). I should be able to access my REST endpoint (behind a Zuul Proxy Server) after providing the access token in the request.

The Getting Started guide in the above mentioned link uses Basic Auth and dummy user configured in .properties or .yml file.

This is how I tried with my configuration:-

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // needed for the "password" grant, which authenticates the resource owner at /oauth/token
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
                .accessTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // /oauth/token_key and /oauth/check_token left open to anonymous callers (as posted)
        oauthServer.tokenKeyAccess("isAnonymous()").checkTokenAccess("isAnonymous()")
                .allowFormAuthenticationForClients();
    }

}



import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@Import({ OptoSoftSecurityServiceConfig.class }) // application-specific config class (not shown here)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // backed by MongoDB

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().disable().formLogin(); // disabled basic auth and configured to use default Spring Security form login.
    }
}

Hitting the authorization endpoint redirects me to 'http://localhost:9999/uaa/login' with error message as:-

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

Questions

  1. How can I configure the Authorization Server to use UserDetailsService instead of a static user, and use Form Login instead of Basic Auth?

  2. How can I configure Auto Approval while using 'authorization_code' as the grant type?

  3. Is it mandatory for the /oauth/authorize endpoint to be protected by Basic Auth? Why is 'Full authentication is required' to access the '/oauth/authorize' endpoint? I believe we do not know who the user is before this endpoint. The user can only be identified once he has been authenticated using valid credentials, which comes after form login.

Answer

Finally got it working. The git repo in the mentioned blog already had this thing configured. Turns out it was pretty straight forward.

This is what worked for me (I have also configured auto approval to true):-

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * @author kumar
 *
 */
@SpringBootApplication
public class AuthenticationServerApplication {

    /**
     * @param args
     */
    public static void main(String[] args) {
        SpringApplication.run(AuthenticationServerApplication.class, args);

    }

    @Configuration
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager; // Boot's auto-configured manager (security.user.* in application.yml)

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // login form is open to everyone; every other request, /oauth/authorize included, needs an authenticated user
            http.formLogin().permitAll().and().authorizeRequests().anyRequest().authenticated();//.and().userDetailsService(yourCustomerUserDetailsService);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.parentAuthenticationManager(authenticationManager);
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory().withClient("acme").secret("acmesecret")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
                    .autoApprove(true); // skips the consent page for the authorization_code grant
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // /oauth/token_key is public; /oauth/check_token requires an authenticated client
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

    }

}

application.yml:-

security:
  user:
    password: password
server:
  port: 9999
  context-path: /uaa
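The answer leaves the custom UserDetailsService commented out and still authenticates against the static security.user entry. As an added example that is not part of the original question or answer, the following wires the Mongo-backed UserDetailsService from the question into the form-login chain and tightens the client registration (hashed secret, registered redirect URI, auto-approval limited to the openid scope); it assumes Spring Boot 1.x with spring-security-oauth2, the stack the question uses, and the class names MongoLoginConfig and OAuth2ServerConfig are my own.

```java
// Added example, not from the question or answer; assumes Spring Boot 1.x with spring-security-oauth2
// and a Mongo-backed UserDetailsService bean (as in the question) on the classpath.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
class MongoLoginConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService; // the Mongo-backed bean from the question (assumed)

    @Override // users are verified against Mongo; the static security.user in application.yml is no longer used
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override // only the login form is anonymous, so /oauth/authorize redirects to it instead of answering 401
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().loginPage("/login").permitAll()
            .and().authorizeRequests().anyRequest().authenticated();
    }
}

@Configuration
@EnableAuthorizationServer
class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override // secret stored hashed, codes only returned to a registered redirect URI, auto-approval scoped
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("acme").secret(new BCryptPasswordEncoder().encode("acmesecret"))
            .authorizedGrantTypes("authorization_code", "refresh_token").scopes("openid")
            .redirectUris("http://localhost:8080/login") // constructed sample value
            .autoApprove("openid").accessTokenValiditySeconds(3600);
    }

    @Override // the encoder lets /oauth/token verify the hashed client secret; /oauth/check_token stays authenticated
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.passwordEncoder(new BCryptPasswordEncoder())
            .tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }
}
```

With only the authorization_code and refresh_token grants registered, no AuthenticationManager needs to be handed to the endpoints configurer, which is what the password grant in the answer required.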
