如何为Spring OAuth端点要求x509身份验证

时间:2014-11-20 14:39:58

标签: spring spring-security spring-security-oauth2

我正在使用Spring 4.0 java配置。

我想在我的oauth端点上要求x509 auth,而所有其他资源端点只需要oauth令牌。第一个antMatchers似乎被覆盖了:

/**
 * Resource-server configuration as posted in the question: it tries to require a client
 * certificate (x509) for {@code /oauth/**} and only a USER role for every other resource
 * endpoint, all inside a single {@code HttpSecurity}.
 *
 * NOTE(review): the two {@code requestMatchers()} calls in {@link #configure(HttpSecurity)}
 * configure the same {@code HttpSecurity}; they do not start a second filter chain. The
 * {@code /oauth/**} matcher set, the x509 configurer and the second matcher set therefore all
 * belong to one chain, so the x509 requirement is not confined to {@code /oauth/**}. The
 * accepted answer addresses this by splitting the two rule sets into separately ordered adapters.
 */
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

  /** Provides the ant patterns used for the non-OAuth matcher set in configure(HttpSecurity). */
  @Autowired
  RequestMappingUriProvider requestMappingUriProvider;

  /** Handed to the user-details service that resolves the certificate principal. */
  @Autowired
  private DelegatedUserManager userManager;

  /** Sets the resource id ({@code RESOURCE_ID}) on the resource-server configurer. */
  @Override
  public void configure(ResourceServerSecurityConfigurer resources) {
    // @formatter:off
    resources.resourceId(RESOURCE_ID);
    // @formatter:on
  }

  /**
   * Builds the HTTP rules: x509 plus USER/CLIENT role for {@code /oauth/**}, USER role elsewhere.
   * See the class comment for why the two matcher sets do not end up in separate chains.
   *
   * @throws Exception propagated from the {@code HttpSecurity} builder
   */
  @Override
  public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    // Require x509 certificate for obtaining OAuth credentials
    http.requestMatchers().antMatchers("/oauth/**")
        .and()
        .authorizeRequests().anyRequest().hasAnyRole("USER","CLIENT")
        .and()
        // Principal = the CN captured from the certificate subject. As written the regex needs a
        // comma after the CN, so a subject whose CN is the final RDN does not match. The CN is
        // only as trustworthy as the container's TLS client-auth trust store, which is configured
        // outside this class — confirm it is restricted to the intended issuing CA.
        .x509().subjectPrincipalRegex("CN=(.*?),").authenticationUserDetailsService(authenticationUserDetailsService())
        .and()
        //Only require a user role for interaction with all other resources
        // NOTE(review): still the same HttpSecurity — this adds matchers to the chain built
        // above rather than creating a second chain.
        .requestMatchers().antMatchers(requestMappingUriProvider.uriPatterns())
        .and()
        .authorizeRequests().anyRequest().hasRole("USER");
    // @formatter:on
  }

  /** User-details lookup for the certificate principal, delegating to {@code userManager}. */
  @Bean
  public DelegatedAuthenticationUserDetailsService authenticationUserDetailsService() {
    return new DelegatedAuthenticationUserDetailsService(userManager);
  }

}

Spring的调试输出并未显示任何 /oauth/** 端点出现在我检查的x509过滤链中。

1 个答案:

答案 0 :(得分:2)

我的问题是我需要多个HttpSecurity元素。这篇文章帮助了我:Creating multiple HTTP sections in Spring Security Java Config

以下是我实施的方式:

  /**
   * Resource-server security split into two {@code ResourceServerConfigurerAdapter}s: the first
   * requires a client certificate for {@code /oauth/**}, the second only a USER role for the
   * remaining resource endpoints. The answer's point is that one {@code HttpSecurity} could not
   * confine the x509 filter to {@code /oauth/**}, so the two rule sets are separated.
   */
  @Configuration
  @EnableResourceServer
  public static class ResourceServerConfiguration {

    /**
     * Rules for {@code /oauth/**}: client certificate required, USER or CLIENT role.
     *
     * NOTE(review): {@code @Order(1)} ranks this bean among the {@code ResourceServerConfigurer}
     * beans. Whether {@code @EnableResourceServer} builds a separate filter chain per configurer
     * or applies every configurer to one {@code HttpSecurity} depends on the spring-security-oauth2
     * version in use — confirm against that version, since the linked post concerns
     * {@code WebSecurityConfigurerAdapter} instances rather than resource-server configurers.
     */
    @Configuration
    @Order(1)
    public static class OAuthResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
      /** Handed to the user-details service that resolves the certificate principal. */
      @Autowired
      private DelegatedUserManager userManager;

      /** Sets the resource id ({@code RESOURCE_ID}) on the resource-server configurer. */
      @Override
      public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
      }

      /**
       * Restricts this adapter to {@code /oauth/**} and enables x509 authentication there.
       *
       * @throws Exception propagated from the {@code HttpSecurity} builder
       */
      @Override
      public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        // Require x509 certificate for obtaining OAuth credentials
        http.requestMatchers().antMatchers("/oauth/**")
            .and()
            .authorizeRequests().anyRequest().hasAnyRole("USER","CLIENT")
            .and()
            // Principal = the CN captured from the certificate subject. As written the regex needs
            // a comma after the CN, so a subject whose CN is the final RDN does not match. The CN
            // is only as trustworthy as the container's TLS client-auth trust store, configured
            // outside this class — confirm it is restricted to the intended issuing CA.
            .x509().subjectPrincipalRegex("CN=(.*?),").authenticationUserDetailsService(authenticationUserDetailsService());
        // @formatter:on
      }

      /** User-details lookup for the certificate principal, delegating to {@code userManager}. */
      @Bean
      public DelegatedAuthenticationUserDetailsService authenticationUserDetailsService() {
        return new DelegatedAuthenticationUserDetailsService(userManager);
      }

    }

    /**
     * Rules for every other resource URI reported by {@code RequestMappingUriProvider}: USER role.
     *
     * NOTE(review): unlike its sibling, this nested class carries no {@code @Configuration} (and
     * declares no {@code @Bean} methods), so Spring's configuration-class parser does not register
     * it as a bean from this position. If its rules are in effect, it must be registered elsewhere
     * — confirm; otherwise the non-OAuth endpoints are not covered by this resource server. It
     * also has no {@code @Order}, so its position relative to the {@code @Order(1)} adapter is
     * implicit.
     */
    public static class MyResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
      /** Provides the ant patterns of the non-OAuth resource endpoints. */
      @Autowired
      RequestMappingUriProvider requestMappingUriProvider;

      /** Sets the resource id ({@code RESOURCE_ID}) on the resource-server configurer. */
      @Override
      public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
      }

      /**
       * Restricts this adapter to the provider's URI patterns and requires the USER role.
       *
       * @throws Exception propagated from the {@code HttpSecurity} builder
       */
      @Override
      public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        //Only require a user role for interaction with all other resources
        http.requestMatchers().antMatchers(requestMappingUriProvider.uriPatterns())
            .and()
            .authorizeRequests().anyRequest().hasRole("USER");
        // @formatter:on
      }

    }
  }