Question:

Spring Boot 2.0 OAuth2 Authorization Server with Resource Server

岳英耀
2023-03-14

I am trying to build an authentication server with its own login page and its own resources, using Spring Boot 2.0.0 and spring-security-oauth2 2.3.0. Unfortunately the resource server configuration does not seem to work. With

curl -v localhost:8080/sample

I always get a 302 redirect to localhost:8080/login, with or without a token.

My security configuration is

@Configuration
public class SecurityConfiguration {

   @Configuration
   @Order(1)
   @EnableWebSecurity(debug = true)
   protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
         auth.inMemoryAuthentication().withUser("john").password("{noop}123").roles("User");
      }

      @Override
      @Bean
      public AuthenticationManager authenticationManagerBean() throws Exception {
         return super.authenticationManagerBean();
      }

      @Override
      protected void configure(final HttpSecurity http) throws Exception {
         http.authorizeRequests()
         .antMatchers("/ping").permitAll()
         .antMatchers("/login").permitAll()
         .anyRequest().authenticated()
         .and()
         .csrf()
         .and()
         .formLogin()
         .usernameParameter("username")
         .passwordParameter("password")
         .loginPage("/login")
         .permitAll()
               .and()
               .rememberMe()
               .rememberMeParameter("remember")
         .and()
         .httpBasic().disable()
         .logout().permitAll();
      }
   }

   @Configuration
   @EnableResourceServer
   @Order(10)
   protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

      private static final String RESOURCE_ID = "Sample";

      @Override
      public void configure(final ResourceServerSecurityConfigurer resources) throws Exception {
         resources.resourceId(RESOURCE_ID);
      }

      @Override
      public void configure(final HttpSecurity http) throws Exception {
         http.authorizeRequests()
         .antMatchers("/sample**").authenticated();
      }
   }

   @Configuration
   @EnableAuthorizationServer
   @Order(Ordered.HIGHEST_PRECEDENCE)
   protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

      @Autowired
      private AuthenticationManager authenticationManager;

      @Override
      public void configure(final AuthorizationServerSecurityConfigurer security) throws Exception {
         security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
      }

      @Override
      public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
         clients.inMemory().withClient("ABC").secret("{noop}sec1").autoApprove(true)
         .authorizedGrantTypes("authorization_code", "client_credentials", "password", "refresh_token")
         .scopes("read", "write")
         .redirectUris("http://google.com");
      }

      @Override
      public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
         endpoints
         .tokenStore(new InMemoryTokenStore())
         .authenticationManager(authenticationManager);
      }

   }
}

How do I configure the resource server correctly?

Download the sample project

Update:

I tested the following configuration with Spring Boot 1.5.10 / spring-security-oauth2 2.0.14 and with Spring Boot 2.0.0 / spring-security-oauth2 2.3.0.

With 1.5.10 it works fine, but with 2.0.0 I get "There was an unexpected error (type=Method Not Allowed, status=405)" when the login is processed. I see that the UsernamePasswordAuthenticationFilter is missing from the security filter chain.

Is there a breaking change in Spring Boot 2.0.0 or Spring Security 5.0.3 that I missed?

@Configuration
@EnableWebMvc
@EnableAuthorizationServer
@EnableResourceServer
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfiguration {


   @Configuration
   protected static class WebMvcConfiguration extends WebMvcConfigurerAdapter implements WebMvcConfigurer {

      @Override
      public void addViewControllers(final ViewControllerRegistry registry) {
         registry.addViewController("/login").setViewName("login");
         registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
      }

   }

   @Configuration
   protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

      private static final String RESOURCE_ID = "Sample";

      @Override
      public void configure(final ResourceServerSecurityConfigurer resources) throws Exception {
         resources.resourceId(RESOURCE_ID);
      }

      @Override
      public void configure(final HttpSecurity http) throws Exception {
         http
         .authorizeRequests()
         .antMatchers("/sample**").authenticated()
         ;
      }
   }

   @Configuration
   protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

      @Autowired
      private AuthenticationManager authenticationManager;

      @Override
      public void configure(final AuthorizationServerSecurityConfigurer security) throws Exception {
         security
         .tokenKeyAccess("permitAll()")
         .checkTokenAccess("isAuthenticated()")
         ;
      }

      @Override
      public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
         clients
         .inMemory()
         .withClient("ABC")
         .secret("{noop}sec1")
         .autoApprove(true)
         .authorizedGrantTypes("authorization_code", "client_credentials", "password", "refresh_token")
         .scopes("read", "write")
         .redirectUris("http://google.com")
         ;
      }

      @Override
      public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
         endpoints
         .tokenStore(new InMemoryTokenStore())
         .authenticationManager(authenticationManager);
      }

   }


   @Configuration
   protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
         auth
               .inMemoryAuthentication()
               .withUser("john")
               .password("{noop}123")
               .roles("User");
      }

      @Override
      @Bean
      public AuthenticationManager authenticationManagerBean() throws Exception {
         return super.authenticationManagerBean();
      }

      @Override
      protected void configure(final HttpSecurity http) throws Exception {
         http
         .requestMatchers()
         .antMatchers("/ping")
         .antMatchers("/login")
         .antMatchers("/oauth/**")
         .and()
         .authorizeRequests()
         .antMatchers("/ping").permitAll()
         .anyRequest().authenticated()
         .and()
         .csrf()
         .and()
         .formLogin()
         .usernameParameter("username")
         .passwordParameter("password")
         .loginPage("/login")
         .permitAll()
         .and()
         .rememberMe()
         .rememberMeParameter("remember")
         .and()
         .httpBasic().disable()
         .logout().permitAll();

      }
   }
}

2 answers

督烨赫
2023-03-14

I wrote a basic Spring Boot 2 OAuth2 resource server with an authorization server; putting it here in case someone is looking for a bootstrap project:

https://github.com/indrekru/spring-boot-2-oauth2-resource-server

丌官绍元
2023-03-14

Thanks to dur's comment, the problem was solved.

This configuration is working:

@Configuration
@EnableWebMvc
@EnableAuthorizationServer
@EnableResourceServer
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfiguration {


   @Configuration
   protected static class WebMvcConfiguration implements WebMvcConfigurer {

      @Override
      public void addViewControllers(final ViewControllerRegistry registry) {
         registry.addViewController("/login").setViewName("login");
         registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
      }

   }

   @Configuration
   @Order(2)
   protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

      private static final String RESOURCE_ID = "Sample";

      @Override
      public void configure(final ResourceServerSecurityConfigurer resources) throws Exception {
         resources.resourceId(RESOURCE_ID);
      }

      @Override
      public void configure(final HttpSecurity http) throws Exception {
         http
         .authorizeRequests()
         .antMatchers("/sample**").authenticated()
         ;
      }
   }

   @Configuration
   protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

      @Autowired
      private AuthenticationManager authenticationManager;

      @Override
      public void configure(final AuthorizationServerSecurityConfigurer security) throws Exception {
         security
         .tokenKeyAccess("permitAll()")
         .checkTokenAccess("isAuthenticated()")
         ;
      }

      @Override
      public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
         clients
         .inMemory()
         .withClient("ABC")
         .secret("{noop}sec1")
         .autoApprove(true)
         .authorizedGrantTypes("authorization_code", "client_credentials", "password", "refresh_token")
         .scopes("read", "write")
         .redirectUris("http://google.com")
         ;
      }

      @Override
      public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
         endpoints
         .tokenStore(new InMemoryTokenStore())
         .authenticationManager(authenticationManager);
      }

   }


   @Configuration
   @Order(1)
   protected static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
         auth
         .inMemoryAuthentication()
         .withUser("john")
         .password("{noop}123")
         .roles("User");
      }

      @Override
      @Bean
      public AuthenticationManager authenticationManagerBean() throws Exception {
         return super.authenticationManagerBean();
      }

      @Override
      protected void configure(final HttpSecurity http) throws Exception {
         http
         .requestMatchers()
         .antMatchers("/ping")
         .antMatchers("/login")
         .antMatchers("/oauth/**")
         .and()
         .authorizeRequests()
         .antMatchers("/ping").permitAll()
         .anyRequest().authenticated()
         .and()
         .csrf()
         .and()
         .formLogin()
         .usernameParameter("username")
         .passwordParameter("password")
         .loginPage("/login")
         .permitAll()
         .and()
         .rememberMe()
         .rememberMeParameter("remember")
         .and()
         .httpBasic().disable()
         .logout().permitAll();

      }
   }
}
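To check that the filter chains are actually split the way the working configuration intends (form login only for /login, /ping and /oauth/**, bearer tokens for /sample), here is an added MockMvc test. It is not part of the question, the answer, or the linked project. It assumes Spring Boot 2.0 with spring-boot-starter-test and spring-security-test on the test classpath (JUnit 4), the SecurityConfiguration from the answer above, and that the project has a GET /sample controller that returns 200 for an authenticated caller. The package name and the test class name are placeholders; the user john/123 and the client ABC/sec1 are the in-memory credentials from the page.

```java
// Added example (not from the question, the answer, or the linked project).
// Assumptions: Spring Boot 2.0, spring-boot-starter-test + spring-security-test
// (JUnit 4), the SecurityConfiguration from the answer, and a GET /sample
// controller in the project that returns 200 for an authenticated caller.
package sample; // hypothetical package name

import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc // registers springSecurityFilterChain too, so every chain is exercised
public class FilterChainOrderingTest { // hypothetical class name

    @Autowired
    private MockMvc mvc;

    // The symptom from the question: /sample answered with a 302 to /login.
    // With the form-login chain restricted by requestMatchers(), /sample must
    // fall through to the resource-server chain, which answers a missing token
    // with 401 and a WWW-Authenticate: Bearer header instead of a redirect.
    @Test
    public void protectedResourceWithoutTokenIs401NotRedirect() throws Exception {
        mvc.perform(get("/sample"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Bearer")));
    }

    // /oauth/token belongs to the authorization-server chain (order 0), so the
    // client's HTTP Basic credentials protect it, not the form login session.
    @Test
    public void tokenEndpointRejectsWrongClientSecret() throws Exception {
        mvc.perform(post("/oauth/token")
                .with(httpBasic("ABC", "wrong-secret"))
                .param("grant_type", "password")
                .param("username", "john")
                .param("password", "123"))
           .andExpect(status().isUnauthorized());
    }

    @Test
    public void passwordGrantTokenOpensResourceAndTamperedTokenDoesNot() throws Exception {
        MvcResult result = mvc.perform(post("/oauth/token")
                .with(httpBasic("ABC", "sec1"))
                .param("grant_type", "password")
                .param("username", "john")
                .param("password", "123")
                .param("scope", "read")) // request only the scope this call needs
           .andExpect(status().isOk())
           .andExpect(jsonPath("$.token_type").value("bearer"))
           .andReturn();

        JsonNode body = new ObjectMapper().readTree(result.getResponse().getContentAsString());
        String token = body.get("access_token").asText();

        // A token issued by the authorization server reaches the controller.
        mvc.perform(get("/sample").header("Authorization", "Bearer " + token))
           .andExpect(status().isOk());

        // A modified token is unknown to the InMemoryTokenStore and is rejected.
        mvc.perform(get("/sample").header("Authorization", "Bearer " + token + "x"))
           .andExpect(status().isUnauthorized());
    }
}
```

Run it with the project's normal `mvn test`. The first test is the regression check for the 302 described in the question; the other two confirm that the token endpoint and the resource are guarded by the client secret and the bearer token respectively, and not by the session that the login form establishes, which is the separation the requestMatchers() block in WebSecurityConfiguration is there to enforce.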