Spring OAuth2 多服务器注解配置(资源&授权)
Spring OAuth2 multi Server annotations configuration (resource & authorization)
我正在使用以下内容:
- spring 4.2
- spring 安全 4.0.2
- spring oauth2 2.0.7
我正在尝试配置一个服务器来处理:
- 一般 MVC 内容(有些受保护,有些不受保护)
- 授权服务器
- 资源服务器
似乎资源服务器配置不限于 /rest/**,而是覆盖所有安全配置。即对受保护的非 OAuth 资源的调用未受到保护(即过滤器未捕获它们并重定向到登录)。
配置(为了简单起见,我删除了一些东西):
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources
.resourceId(RESOURCE_ID)
.tokenStore(tokenStore)
.stateless(true);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/rest/**")
.and()
.authorizeRequests()
.antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
protected AuthenticationEntryPoint authenticationEntryPoint() {
OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
entryPoint.setRealmName("example");
return entryPoint;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(mongoClientAuthenticationProvider)
.authenticationProvider(mongoUserAuthenticationProvider)
.userDetailsService(formUserDetailsService);
}
@Bean
protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception{
ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
filter.setAuthenticationManager(authenticationManagerBean());
filter.afterPropertiesSet();
return filter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/account/**", "/account")
.antMatchers("/oauth/token")
.antMatchers("/login")
.and()
.authorizeRequests()
.antMatchers("/account/**", "/account").hasRole("USER")
.antMatchers("/oauth/token").access("isFullyAuthenticated()")
.antMatchers("/login").permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/login?authentication_error=true")
.and()
.csrf()
.disable()
.logout()
.logoutUrl("/logout")
.invalidateHttpSession(true)
.and()
.formLogin()
.loginProcessingUrl("/login")
.failureUrl("/login?authentication_error=true")
.loginPage("/login")
;
http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
}
您正在使用多个 HttpSecurity 配置。 Spring 需要知道顺序。用 @Order
注释你的 SecurityConfig class
@Configuration
@EnableWebSecurity
@Order(4)
public class SecurityConfig extends WebSecurityConfigurerAdapter{}
The annotation @EnableResourceServer creates a WebSecurityConfigurerAdapter with a hard-coded Order (of 3). It's not possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget).
参考:
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
解决办法是你应该使用follow lib(s)版本,否则你将面临这个issue.Hope这个help.You不能使用spring-security 4.0.2版本。
spring-security-acl-3.2.7.RELEASE.jar
spring-security-config-3.2.7.RELEASE.jar
spring-security-core-3.2.7.RELEASE.jar
spring-security-oauth2-2.0.7.RELEASE.jar
spring-security-taglibs-3.2.7.RELEASE.jar
我正在使用以下内容:
- spring 4.2
- spring 安全 4.0.2
- spring oauth2 2.0.7
我正在尝试配置一个服务器来处理:
- 一般 MVC 内容(有些受保护,有些不受保护)
- 授权服务器
- 资源服务器
似乎资源服务器配置不限于 /rest/**,而是覆盖所有安全配置。即对受保护的非 OAuth 资源的调用未受到保护(即过滤器未捕获它们并重定向到登录)。
配置(为了简单起见,我删除了一些东西):
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources
.resourceId(RESOURCE_ID)
.tokenStore(tokenStore)
.stateless(true);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/rest/**")
.and()
.authorizeRequests()
.antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
protected AuthenticationEntryPoint authenticationEntryPoint() {
OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
entryPoint.setRealmName("example");
return entryPoint;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(mongoClientAuthenticationProvider)
.authenticationProvider(mongoUserAuthenticationProvider)
.userDetailsService(formUserDetailsService);
}
@Bean
protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception{
ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
filter.setAuthenticationManager(authenticationManagerBean());
filter.afterPropertiesSet();
return filter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/account/**", "/account")
.antMatchers("/oauth/token")
.antMatchers("/login")
.and()
.authorizeRequests()
.antMatchers("/account/**", "/account").hasRole("USER")
.antMatchers("/oauth/token").access("isFullyAuthenticated()")
.antMatchers("/login").permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/login?authentication_error=true")
.and()
.csrf()
.disable()
.logout()
.logoutUrl("/logout")
.invalidateHttpSession(true)
.and()
.formLogin()
.loginProcessingUrl("/login")
.failureUrl("/login?authentication_error=true")
.loginPage("/login")
;
http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
}
您正在使用多个 HttpSecurity 配置。 Spring 需要知道顺序。用 @Order
SecurityConfig class
@Configuration
@EnableWebSecurity
@Order(4)
public class SecurityConfig extends WebSecurityConfigurerAdapter{}
The annotation
@EnableResourceServercreates a WebSecurityConfigurerAdapter with a hard-coded Order (of 3). It's not possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget).
参考:
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
解决办法是你应该使用follow lib(s)版本,否则你将面临这个issue.Hope这个help.You不能使用spring-security 4.0.2版本。 spring-security-acl-3.2.7.RELEASE.jar spring-security-config-3.2.7.RELEASE.jar spring-security-core-3.2.7.RELEASE.jar spring-security-oauth2-2.0.7.RELEASE.jar spring-security-taglibs-3.2.7.RELEASE.jar