SpringBoot 1.5.x + 安全 + OAuth2 [英] SpringBoot 1.5.x + Security + OAuth2
问题描述
我有一个带有 OAuth2 安全性的 Spring Boot REST API.
I have a Spring Boot REST API with OAuth2 Security.
今天我把我的spring-boot-starter-parent版本从1.4.2升级到了1.5.2.
Today I have upgraded my version of spring-boot-starter-parent from 1.4.2 to 1.5.2.
变化完全让我困惑.
以前,我可以使用 Postman 测试我的 REST API.当我的访问令牌不正确或我没有特定资源的权限时,服务器响应如下:
Before, I could test my REST API with Postman. When my access token was incorrect or I didnt have a rights for specific resources, server response was like:
{
"error": "access_denied",
"error_description": "Access is denied"
}
现在它不断将我重定向到 /login 页面...当我登录时 - 它显示我的资源而没有任何 OAuth2 身份验证...
Now it keeps redirect me to /login page... When I log in - it show my resource without any OAuth2 authentication...
我试图禁用它,但我发现了这个神奇的属性:
I have tried to disable it and I found this magic property:
security.oauth2.resource.filter-order = 3
此行关闭重定向到登录页面.
This line turned off redirects to login page.
但是,我的问题是:
- 这两个版本在安全方面发生了什么变化?
- 这个奇怪"的行是唯一有效的修复吗?
- 这个登录页面的目的是什么,它使用什么身份验证(我在谷歌浏览器中检查了请求和响应,但我看不到任何访问令牌和 oauth2 的东西,所以它只使用用户存储库?)
我的代码中一些更重要的部分:
Some more important parts of my code:
pom.xml
<!--- .... -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.2.RELEASE</version>
</parent>
<properties>
<!--- .... -->
<spring-security-oauth.version>2.1.0.RELEASE</spring-security-oauth.version>
<!--- .... -->
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Monitor features -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-actuator</artifactId>
</dependency>
<!-- Security + OAuth2 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>${spring-security-oauth.version}</version>
</dependency>
<!--- .... -->
application.properties
#other properties
security.oauth2.resource.filter-order = 3
OAuth2.java
public class OAuth2 {
@EnableAuthorizationServer
@Configuration
@ComponentScan
public static class AuthorizationServer extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManagerBean;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("trusted_client")
.authorizedGrantTypes("password", "refresh_token")
.scopes("read", "write");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManagerBean).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
}
@EnableResourceServer
@Configuration
@ComponentScan
public static class ResourceServer extends ResourceServerConfigurerAdapter {
@Autowired
private RoleHierarchy roleHierarchy;
private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy);
return defaultWebSecurityExpressionHandler;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().expressionHandler(webExpressionHandler())
.antMatchers("/api/**").hasRole("DEVELOPER");
}
}
}
Security.java
@EnableWebSecurity
@Configuration
@ComponentScan
public class Security extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public JpaAccountDetailsService userDetailsService(AccountsRepository accountsRepository) {
return new JpaAccountDetailsService(accountsRepository);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
推荐答案
好的,我知道了.
@Cleto Gadelha 向我指出了非常有用的信息.
@Cleto Gadelha pointed me very usefull info.
但是我认为发行说明很不清楚或遗漏了一些信息.除了 OAuth2 资源过滤器从 3 更改为 SecurityProperties.ACCESS_OVERRIDE_ORDER - 1 之外,关键信息是默认的 WebSecurityConfigurerAdapter 顺序是 100 (来源).
However I think release note is pretty unclear or miss some information. Beside that OAuth2 resource filter is changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, crucial information is that default WebSecurityConfigurerAdapter order is 100 (source).
因此,在 1.5.x 版本之前,OAuth2 资源服务器顺序是 3,其优先级高于,然后是 WebSecurityConfigurerAdapter.
So, before release 1.5.x OAuth2 resource server order was 3 which had higher priority then WebSecurityConfigurerAdapter.
发布 1.5.x 后 OAuth2 资源服务器顺序设置为 SecurityProperties.ACCESS_OVERRIDE_ORDER - 1(它是 Integer.MAX_VALUE - 8 我认为)现在绝对较低优先级然后基本的 WebSecurityConfigurerAdapter 顺序.
After release 1.5.x OAuth2 resource server order is set to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1
(it is Integer.MAX_VALUE - 8 I think) which has now definitely lower priority then basic WebSecurityConfigurerAdapter order.
这就是为什么我从 1.4.x 迁移到 1.5.x 后会出现登录页面的原因
That's why login page appears for me after migrate from 1.4.x to 1.5.x
所以,更优雅和类似java风格的解决方案是在WebSecurityConfigurerAdapter 类上设置@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
So, more elegant and java-like style solution is to set @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) on WebSecurityConfigurerAdapter class
这篇关于SpringBoot 1.5.x + 安全 + OAuth2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
