Spring oauth2 hasRole access denied


Problem description

I am really new to OAuth2 and trying to build one server in the role of an auth server for authorizing users, and one keeping a protected resource...

I've got issues securing things with the ResourceServerConfigurerAdapter. It seems like it is ignoring all its roles fetched from userInfoUrl...

The code is as follows:

Auth server

@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {

    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }
    public static void main(String[] args) {
        SpringApplication.run(Oa2AuthServerApplication.class, args);
    }
}


@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .roles("ADMIN", "USER")
                .and()
                .withUser("user")
                .password("user")
                .roles("USER");
    }
}


@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("default")
                .secret("kx")
                .scopes("AUTH", "TRUST")
                .autoApprove(true)
                .authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
                .authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
    }
}

Resource server

@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {
    @RequestMapping("/")
    public String greet() {
        return UUID.randomUUID().toString() + "\r\n";
    }

    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }


    public static void main(String[] args) {
        SpringApplication.run(Oa2ResourceServerApplication.class, args);
    }
}

So getting a token from the auth server and calling "localhost:9091/" and "/forAdmin" works with this token.

But when I do this:

public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/forAdmin").hasRole("USER");
    }
}

I get access denied....

To be sure the roles are reaching the resource server, I have changed the greet() from above to

    @RequestMapping("/")
    public String greet(Principal user) {
        if (user instanceof OAuth2Authentication) {
            log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
        }
        return UUID.randomUUID().toString() + "\r\n";
    }

The console shows

d.k.auth.Oa2ResourceServerApplication : having roles: [{authority=ROLE_USER}]

So when "Principal" is the currently authenticated user, I assume there is a bug with the resource server configurer....or I am doing something fatally wrong...

or both....I don't know

Can anybody help me with this problem?

Answer

So JWT is necessary; without it, it does not work.

I solved it with the combination:

@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")

You can find a sample of a protected Resource here.
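Added example (not the poster's or the answerer's code) showing the wiring the answer's expression relies on: hasRole() is matched against the exact GrantedAuthority string, so hasRole("ADMIN") needs an authority that reads ROLE_ADMIN (the log line above prints the authority as {authority=ROLE_USER}, which is worth checking against that rule), and #oauth2.hasScope only resolves when method security is enabled with the OAuth2 expression handler. It assumes the same Spring Security OAuth2 classes as the question are on the classpath; the class names are made up.

```java
// Added example, not from the question or answer: resource-server wiring for the
// answer's @PreAuthorize expression. Assumes spring-security-oauth2 (the
// ResourceServerConfigurerAdapter generation) is on the classpath; class names are invented.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // URL-level rule: hasRole("ADMIN") passes only for a GrantedAuthority whose
    // string is exactly "ROLE_ADMIN"; everything else must at least be authenticated.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/forAdmin").hasRole("ADMIN")
                .anyRequest().authenticated();
    }
}

// Method security is what makes @PreAuthorize take effect at all; the OAuth2
// expression handler is what provides the #oauth2.hasScope(...) helper used in the answer.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

@RestController
class AdminController {
    // The answer's expression: the access token must carry the 'openid' scope AND
    // the authenticated user must hold the ROLE_ADMIN authority. Both checks fail closed.
    @PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")
    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }
}
```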
