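Here is the problem: I want to protect URIs until they have been authorized with some third-party OAuth2 provider. Based on http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.html, I have the following: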
@Configuration
@EnableOAuth2Client
public class OAuth2Client extends OAuth2ClientConfiguration {

    @Bean
    public Filter filter() {
        DelegatingFilterProxy f = new DelegatingFilterProxy();
        f.setTargetBeanName("oauth2ClientContextFilter");
        return f;
    }

    @Resource
    @Qualifier("oauth2ClientContextFilter")
    private OAuth2ClientContextFilter oauth2ClientContextFilter;

    @Resource
    @Qualifier("accessTokenRequest")
    private AccessTokenRequest accessTokenRequest;

    @Bean
    public OAuth2ProtectedResourceDetails remote() {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setUserAuthorizationUri("http://localhost2/oauth/authorize");
        return details;
    }

    @Bean
    public OAuth2RestOperations restTemplate() {
        return new OAuth2RestTemplate(remote(), new DefaultOAuth2ClientContext(
                accessTokenRequest));
    }
}
and
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Empty for now...
}
and finally
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        super.configure(auth);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/protectedUri").and()
                .authorizeRequests().requestMatchers()
                .hasRole("#oauth2.hasScope('read')");
    }
}
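But this gives:
java.lang.IllegalStateException: At least one mapping is required (i.e. authorizeRequests().anyRequest.authenticated())
I have tried many combinations of the HttpSecurity builder to no avail - any help, or is this approach completely off base?

Answer 0 (score: 1)
"is this approach completely off base?"
Yes. An empty ResourceServerConfigurerAdapter won't help you. You should configure the protected paths, e.g.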
@Override
public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/protectedUri").authenticated();
}
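(and leave out the WebSecurityConfigurerAdapter).
The client configuration at the top looks wrong as well, but it is not relevant to the protected resource (start a new question if you want to know how to configure the client).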
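
The configuration the answer describes, extended with the scope check the question was aiming for; this is an added example, not code from the original question or answer. It assumes the legacy Spring Security OAuth2 library used on this page and leaves token validation (a ResourceServerTokenServices bean for the third-party provider) out of scope.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this filter chain to the protected path, as the
            // question's SecurityConfig did.
            .requestMatchers().antMatchers("/protectedUri")
            .and()
            .authorizeRequests()
                // The question called requestMatchers() with no arguments here,
                // so no URL mapping was registered and the builder failed with
                // "At least one mapping is required". Name the path explicitly.
                //
                // hasRole(...) expects a role name, not a SpEL expression.
                // OAuth2 expressions such as #oauth2.hasScope go through
                // access(...); the resource server configuration installs the
                // expression handler that resolves #oauth2.
                .antMatchers("/protectedUri").access("#oauth2.hasScope('read')");
    }
}
```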