Spring Boot和Spring Cloud Security OAUTH 2 SSO最新版本失败

时间:2017-05-24 03:08:54

标签: spring spring-boot spring-security oauth-2.0 single-sign-on

我正在尝试使用OAuth从Spring Boot 1.4.1 + Brixton.RELEASE升级Spring Boot和Spring Cloud Security示例到Spring Boot 1.5.3+ Dalston.RELEASE。然而,这是一个漫长的艰难尝试,没有任何成功。

由于某种原因,资源服务器安全过滤器链似乎没有被触发。结果打电话给" / me"或" / user"正在由默认安全过滤器链处理。我在想这是否是订单问题。但是试图明确设置安全过滤器链的顺序如下

  • Auth Server 6
  • Web Default 5
  • 资源服务器3(硬编码??)

由于默认过滤器链正在处理请求,因此它总是进入登录页面,该页面生成HTML并且SSO客户端(服务器端百万美元Web UI)失败。

源代码在

之下

授权服务器 

@SpringBootApplication
public class MyAuthServerApplication {

public static void main(String[] args) {
    SpringApplication.run(MyAuthServerApplication.class, args);
}
}

然后是授权服务器配置

@Configuration
@EnableAuthorizationServer
@Order(6)
public class AuthorizationServerConfigurer extends A 
uthorizationServerConfigurerAdapter {


@Override
public void configure(ClientDetailsServiceConfigurer clients) throws 
Exception {
    clients.inMemory()
            .withClient("myauthserver")
            .secret("verysecretpassword")
            .redirectUris("http://localhost:8080/")
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("myscope")
            .autoApprove(true);
}
}

然后是资源服务器类

@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends 
ResourceServerConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/user")
            .authorizeRequests()
            .anyRequest()
            .authenticated();
}
}

Web MVC配置

@Configuration
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {

 @Override
 public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("login").setViewName("login");
 }
 }

默认的spring安全配置

@Configuration
@EnableWebSecurity
@Order(9)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {


@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and().csrf()
            .and().formLogin().loginPage("/login");
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception 
{
    auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
            .and()
                .withUser("admin").password("admin").roles("USER", "ADMIN");
}
}

资源控制器

@RestController
public class ResourceController {

@RequestMapping(value = { "/user" }, produces = "application/json")
public Map<String, Object> user(OAuth2Authentication user) {
    Map<String, Object> userDetails = new HashMap<>();
    userDetails.put("user", user.getUserAuthentication().getPrincipal());
    userDetails.put("authorities",

AuthorityUtils.
 authorityListToSet(user.getUserAuthentication().getAuthorities()));
    return userDetails;
}

}

最后配置 - auth服务器的application.yml 

server:
  port: 9090
  contextPath: /auth

logging:
  level:
      org.springframework: INFO
      org.springframework.security: DEBUG

此处未显示login.html Thymeleaf模板。

OAUTH 2 SSO客户端Web应用 

@SpringBootApplication
public class MyWebsiteApplication {

public static void main(String[] args) {
    SpringApplication.run(MyWebsiteApplication.class, args);
}
}

网络安全配置

@Configuration
@EnableOAuth2Sso
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/").permitAll()   // Allow navigating to index 
 page,
            .anyRequest().authenticated();  // but secure all the other URLs
}
}

网络控制器

@Controller 公共类MyWebsiteController {

/**
 * Default index page to verify that our application works.
 */
@RequestMapping("/")
@ResponseBody
public String helloWorld() {
    return "Hello world!";
}

/**
 * Return a ModelAndView which will cause the 
'src/main/resources/templates/time.html' template to be rendered,
 * with the current time.
 */
@RequestMapping("/time")
public ModelAndView time() {
    ModelAndView mav = new ModelAndView("time");
    mav.addObject("currentTime", getCurrentTime());
    return mav;
}

private String getCurrentTime() {
    return LocalTime.now().format(DateTimeFormatter.ISO_LOCAL_TIME);
}
}

应用程序配置 - 客户端Web应用程序的application.yml 

server:
  port: 8080
  contextPath: /

security:
  oauth2:
  client:
    accessTokenUri: http://localhost:9090/auth/oauth/token
    userAuthorizationUri: http://localhost:9090/auth/oauth/authorize
    clientId: myauthserver
    clientSecret: verysecretpassword
  resource:
    userInfoUri: http://localhost:9090/auth/user

此处未显示time.html页面的Thymeleaf模板。

必须有一些微妙的小配置错误或我不知道的一些错误。任何帮助或想法高度赞赏。

1 个答案:

答案 0 :(得分:2)

解决方案

猜猜是对的,安全过滤器链的排序已经改变了。这是中国的链接 Spring 1.5.x release note

修改后的代码在这里,稍后会将其上传到Github。 auth服务器配置的所有更改。

Spring安全配置 - 删除@Order注释。

@Configuration
@EnableWebSecurity
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {


@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and().csrf()
            .and().formLogin().loginPage("/login");
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception 
{
    auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
            .and()
                .withUser("admin").password("admin").roles("USER", "ADMIN");
}
}

然后按如下所示更改application.yml 

server:
  port: 9090
  contextPath: /auth

logging:
  level:
    org.springframework: INFO
    org.springframework.security: DEBUG

security:
  oauth2:
    resource:
    filter-order : 3

然后在auth服务器上进行身份验证后,客户端应用程序/时间URL上会显示时间。

相关问题
最新问题