Spring 安全性不会重定向到给定的 OAuth 身份验证 URL [英] Spring security not redirecting to given OAuth authentication URL
问题描述
我正在尝试使用 spring 安全性集成 oauth2,并添加了一些保护路径的安全规则.当我尝试访问安全 URL 时,它重定向到默认身份验证 URL,而不是从 application.yml 文件中获取.有人可以帮助我了解我缺少什么吗?
yml 文件中的 OAuth 配置
<预><代码>弹簧:安全:oauth2:客户:注册:测试提供者:客户 ID:测试客户机密:xxx客户名称:cas授权授权类型:authorization_code重定向uri:https://x.y.com/login/oauth2/code/idc提供者:测试提供者:授权uri:https://x.y.com/oauth2.0/authorize用户信息uri:https://x.y.com/oauth2.0/profile令牌uri:https://x.y.com/oauth2.0/accessToken用户名属性:id安全依赖:
实现'org.springframework.boot:spring-boot-starter-oauth2-client'实现 'org.springframework.boot:spring-boot-starter-security'实现 'org.springframework.boot:spring-boot-starter-webflux'安全过滤器中配置的规则:
@EnableWebFluxSecurity@EnableReactiveMethodSecurity公共类 SpringSecurityConfig {@豆@订单(1)public SecurityWebFilterChain openAccess(ServerHttpSecurity http) {http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/open")).authorizeExchange(exchanges -> exchange.anyExchange().permitAll()).httpBasic().禁用().formLogin().disable();返回 http.build();}@豆@订单(3)公共 SecurityWebFilterChain oauthAccess(ServerHttpSecurity http) {http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/secure")).authorizeExchange(exchanges -> exchange.anyExchange().authenticated()).oauth2Login();返回 http.build();}}当我在浏览器中输入 url http://localhost:8080/secure 时,它会重定向到 http://localhost:8080/oauth2/authorization/testProvider.它没有在 yml 文件中配置授权 URL https://xycom/oauth2.0/authorize
代码上传到github:https://github.com/rajeevprasanna/webflux-oauth-测试
Spring Security 启动授权代码流的方式是首先重定向到它自己的 OAuth2AuthorizationRequestRedirectFilter 端点.
此端点随后将在 ClientRegistration 中查找值并重定向到您配置的值.
但是,我认为您的 securityMatcher 存在问题,因为它说 Spring Security 应该只参与以 /secure 开头的请求.一旦 Spring Security 重定向到 /oauth2/authorization/testProvider,过滤器链就不会用于该请求(因为它不是以 /secure 开头).
为了解决这个问题,我认为你应该改变这个:
.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/secure"))到此:
.securityMatcher(new OrServerWebExchangeMatcher(新的 PathPatternParserServerWebExchangeMatcher("/secure"),new PathPatternParserServerWebExchangeMatcher("/oauth2")))或者,Spring Security 旨在在一个 DSL 配置中为您协商授权规则.虽然有两个不同的过滤器链的合理用例,但您可能会考虑只使用一个:
@Beanpublic SecurityWebFilterChain web(ServerHttpSecurity http) {http.authorizeExchange(交换 -> 交换.pathMatchers("/open").permitAll().pathMatchers("/secure").authenticated()).oauth2Login(Customizer.withDefaults());返回 http.build();}那么,额外的安全匹配器是不必要的,因为这个 DSL 被配置为过滤所有端点.
另外,httpBasic 和 formLogin 没有被默认初始化,所以没有必要主动禁用它们.
I am trying to integrate oauth2 using spring security and added few security rules for protecting paths. When I try to access the secure URL, it is redirecting to the default authentication URL instead of taking the one from the application.yml file. can someone help me to understand what I am missing?
OAuth configuration in yml file
spring:
security:
oauth2:
client:
registration:
testProvider:
client-id: test
client-secret: xxx
clientName: cas
authorization-grant-type: authorization_code
redirect-uri: https://x.y.com/login/oauth2/code/idc
provider:
testProvider:
authorization-uri: https://x.y.com/oauth2.0/authorize
user-info-uri: https://x.y.com/oauth2.0/profile
token-uri: https://x.y.com/oauth2.0/accessToken
user-name-attribute: id
security dependencies:
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-webflux'
Rules in configured in security filter:
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SpringSecurityConfig {
@Bean
@Order(1)
public SecurityWebFilterChain openAccess(ServerHttpSecurity http) {
http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/open"))
.authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
.httpBasic()
.disable()
.formLogin()
.disable();
return http.build();
}
@Bean
@Order(3)
public SecurityWebFilterChain oauthAccess(ServerHttpSecurity http) {
http
.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/secure"))
.authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
.oauth2Login();
return http.build();
}
}
when i enter url http://localhost:8080/secure in browser, it is redirecting to http://localhost:8080/oauth2/authorization/testProvider . It is not taking configured authorisation URL in yml file https://x.y.com/oauth2.0/authorize
Code is uploaded into github: https://github.com/rajeevprasanna/webflux-oauth-test
The way that Spring Security starts the Authorization Code flow is by first doing a redirect to its own OAuth2AuthorizationRequestRedirectFilter endpoint.
This endpoint will then look up values in the ClientRegistration and redirect to your configured value.
However, I believe there is an issue with your securityMatcher in that it says that Spring Security should only participate in requests that start with /secure. Once Spring Security redirects to /oauth2/authorization/testProvider, the filter chain is not used for that request (since it doesn't start with /secure).
To address this, I believe you should change this:
.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/secure"))
to this:
.securityMatcher(new OrServerWebExchangeMatcher(
new PathPatternParserServerWebExchangeMatcher("/secure"),
new PathPatternParserServerWebExchangeMatcher("/oauth2")
))
Alternatively, Spring Security is designed to negotiate authorization rules for you in one DSL configuration. While there are reasonable use cases for having two different filter chains, you might instead consider having just one:
@Bean
public SecurityWebFilterChain web(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.pathMatchers("/open").permitAll()
.pathMatchers("/secure").authenticated()
)
.oauth2Login(Customizer.withDefaults());
return http.build();
}
Then, the extra security matcher is unnecessary since this DSL is configured to filter all endpoints.
Additionally, httpBasic and formLogin are not initialized by default, so proactively disabling them is needless.
这篇关于Spring 安全性不会重定向到给定的 OAuth 身份验证 URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
