我想将OAuth2用于我的RESTSpring Boot项目。使用一些示例,我为OAuth2创建了配置:
@Configuration public class OAuth2Configuration { private static final String RESOURCE_ID = "restservice"; @Configuration @EnableResourceServer protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Override public void configure(ResourceServerSecurityConfigurer resources) { // @formatter:off resources .resourceId(RESOURCE_ID); // @formatter:on } @Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http .anonymous().disable() .authorizeRequests().anyRequest().authenticated(); // @formatter:on } } @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { private TokenStore tokenStore = new InMemoryTokenStore(); @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager; @Autowired private UserDetailsServiceImpl userDetailsService; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { // @formatter:off endpoints .tokenStore(this.tokenStore) .authenticationManager(this.authenticationManager) .userDetailsService(userDetailsService); // @formatter:on } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { // @formatter:off clients .inMemory() .withClient("clientapp") .authorizedGrantTypes("password", "refresh_token", "trust") .authorities("USER") .scopes("read", "write") .resourceIds(RESOURCE_ID) .secret("clientsecret") .accessTokenValiditySeconds(1200) .refreshTokenValiditySeconds(3600); // @formatter:on } @Bean @Primary public DefaultTokenServices tokenServices() { DefaultTokenServices tokenServices = new DefaultTokenServices(); tokenServices.setSupportRefreshToken(true); tokenServices.setTokenStore(this.tokenStore); return tokenServices; } } }
这是我的SecurityConfiguration类:
@Configuration @EnableWebSecurity @Order(1) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http .authorizeRequests().antMatchers("/api/register").permitAll() .and() .authorizeRequests().antMatchers("/api/free").permitAll() .and() .authorizeRequests().antMatchers("/oauth/token").permitAll() .and() .authorizeRequests().antMatchers("/api/secured").hasRole("USER") .and() .authorizeRequests().anyRequest().authenticated(); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }
我尝试通过2个简单的请求检查我的应用程序:
@RequestMapping(value = "/api/secured", method = RequestMethod.GET) public String checkSecured(){ return "Authorization is ok"; } @RequestMapping(value = "/api/free", method = RequestMethod.GET) public String checkFree(){ return "Free from authorization"; }
首先,我检查了两个请求:
/ api / free 返回代码200和字符串“免授权”
/ api / secured 返回{“时间戳”:1487451065106,“状态”:403,“错误”:“禁止”,“消息”:“访问被拒绝”,“路径”:“ / api / secured”}
看来它们工作正常。
然后我得到了access_token(使用我的用户数据库中的凭据)
/ oauth / token?grant_type = password&username = emaila&password = emailo
响应:
{“ access_token”:“ 3344669f-c66c-4161-9516-d7e2f31a32e8”,“ token_type”:“ bearer”,“ refresh_token”:“ c71c17e4-45ba-458c-9d98-574de33d1859”,“ expires_in”:1199,“范围” :“读写”}
然后,我尝试发送一个请求(使用获得的令牌)以请求需要身份验证的资源:
/ api / secured?access_token = 3344669f-c66c-4161-9516-d7e2f31a32e8
这是回应:
{“ timestamp”:1487451630224,“ status”:403,“ error”:“ Forbidden”,“ message”:“ Access Denied”,“ path”:“ / api / secured”}
我不明白为什么访问被拒绝。我不确定配置,似乎它们是不正确的。另外,我仍然不清楚在扩展 WebSecurityConfigurerAdapter的* 类和在另一个扩展 ResourceServerConfigurerAdapter的 类中的 configure(HttpSecurity http) 方法的关系。感谢您的任何帮助! ***
如果您使用的是Spring Boot 1.5.1或最近更新的版本,请注意,他们更改了Spring Security oauth2的过滤器顺序(Spring Boot 1.5发行说明)。
根据发行说明,尝试将以下属性添加到application.properties/yml中,然后在其他过滤器之后使用资源服务器过滤器作为回退- 这将导致在落入资源之前接受授权服务器:
security.oauth2.resource.filter-order = 3
