Method level

Time: 2015-04-22 12:33:14

Tags: java spring-mvc spring-security oauth-2.0

What do I need to do to use #oauth2 security expressions at the method level, as in the following example?

@RequestMapping(value = "email", method = RequestMethod.GET)
@ResponseBody
@PreAuthorize("#oauth2.hasScope('read')")
public String email() {
  return "test@email.com";
}

If I send a request to that resource, I get:

[INFO] java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.hasScope('read')'
[INFO]  at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:14)
[INFO]  at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:44)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:57)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25)
[INFO]  at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
[INFO]  at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
[INFO]  at org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor.invoke(AspectJMethodSecurityInterceptor.java:43)
[INFO]  at org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_AnnotationSecurityAspect$1$c4d57a2b(AnnotationSecurityAspect.aj:63)
[INFO]  at pl.insert.controllers.ResourceController.email(ResourceController.java:22)

The same happens if I specify the access rule in ResourceServerConfiguration instead of on the @Controller's method:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/oauth/resources/**");
    http.authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
  }
}

Standard security expressions such as @PreAuthorize("permitAll") or @PreAuthorize("denyAll") work as expected. So I probably have to tell my AspectJMethodSecurityInterceptor to use OAuth2WebSecurityExpressionHandler. Any ideas?

7 answers:

Answer 0 (score: 10)

To enable #oauth2 security expressions, just set the default expression handler to OAuth2MethodSecurityExpressionHandler instead of DefaultMethodSecurityExpressionHandler. Because OAuth2MethodSecurityExpressionHandler extends it anyway, all the previous functionality stays intact. In my configuration I use GlobalMethodSecurityConfiguration and WebSecurityConfigurerAdapter.

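The configuration the answer above describes, written out as an added example (this is not the answerer's own code, whose listing did not survive on this page). It assumes the legacy spring-security-oauth2 library on the classpath, which provides OAuth2MethodSecurityExpressionHandler; the class names MethodSecurityConfig and EmailController are hypothetical. Once the OAuth2-aware handler is installed, a token without the "read" scope is rejected with an access-denied response instead of the expression evaluation itself failing, which is the difference between a security check and a 500 error that hides whether the check ran at all.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical method-security configuration (added example).
// prePostEnabled = true activates @PreAuthorize/@PostAuthorize processing; without at
// least one attribute set to true nothing is enabled (see the Spring Boot 2.x note below).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    // Swap the default SpEL handler for the OAuth2-aware one so that the
    // "#oauth2" root variable is registered for method-level expressions.
    // It extends DefaultMethodSecurityExpressionHandler, so hasRole(),
    // permitAll(), denyAll() etc. keep working unchanged.
    return new OAuth2MethodSecurityExpressionHandler();
  }
}

// Hypothetical resource endpoint (added example). With the handler above in place,
// a bearer token lacking the "read" scope is denied access rather than
// triggering "Failed to evaluate expression".
@RestController
class EmailController {

  @RequestMapping(value = "/email", method = RequestMethod.GET)
  @PreAuthorize("#oauth2.hasScope('read')")
  public String email() {
    return "test@email.com";
  }
}
```

The important design point is that GlobalMethodSecurityConfiguration owns the handler used by the method-security interceptor, while ResourceServerConfigurerAdapter only affects the URL-level (HttpSecurity) expressions; overriding createExpressionHandler() is what wires the OAuth2 variable into the method layer.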

Answer 1 (score: 1)

I think you also need to add @EnableGlobalMethodSecurity(prePostEnabled = true) to make it work.


Answer 2 (score: 1)

This is an old question and things have changed. With Spring Security 5 you should use:


Spring adds authorities to the principal based on the scopes received from the provider, prefixed with "SCOPE_".

More information: https://www.baeldung.com/spring-security-openid-connect
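The Spring Security 5 approach the answer above refers to, as an added example rather than the answerer's own code (whose snippet did not survive on this page). It assumes the spring-boot-starter-oauth2-resource-server dependency and that the JWT issuer or JWK set location is supplied through application properties (for example spring.security.oauth2.resourceserver.jwt.issuer-uri); ResourceServerConfig and EmailController are hypothetical names. The scope check is expressed once at the URL level and once at the method level, so removing either one still leaves the endpoint protected.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical resource-server configuration for Spring Security 5.x (added example).
// No custom expression handler is needed: the resource server support maps each
// scope in the validated JWT to a granted authority named "SCOPE_<scope>".
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        // URL-level rule: the "read" scope becomes the authority "SCOPE_read"
        .antMatchers("/email").hasAuthority("SCOPE_read")
        // everything else still requires a valid token
        .anyRequest().authenticated()
        .and()
      // Validate bearer JWTs; issuer / JWK set URI come from properties (assumption)
      .oauth2ResourceServer()
        .jwt();
  }
}

// Hypothetical endpoint (added example). hasAuthority('SCOPE_read') is the
// Spring Security 5 equivalent of the legacy #oauth2.hasScope('read').
@RestController
class EmailController {

  @GetMapping("/email")
  @PreAuthorize("hasAuthority('SCOPE_read')")
  public String email() {
    return "test@email.com";
  }
}
```

A practical check when migrating: if a token with scope "read" is rejected here, inspect the authorities on the Authentication rather than the token; the "SCOPE_" prefix is added by the JWT authentication converter, so a custom converter that drops or renames it will silently break both rules above.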

Answer 3 (score: 0)

I had the same problem, but only in unit tests (@WebMvcTest). I had to add @EnableGlobalMethodSecurity to the inner class that defines the test configuration:

@RunWith(SpringRunner.class)
@WebMvcTest(MyController.class)
public class MyControllerTest {

  @TestConfiguration
  @Import({JacksonCustomizations.class, SecuritySettings.class,
      OAuth2ServerConfiguration.class, WebSecurityConfiguration.class,
      TokenGrantersConfiguration.class})
  @EnableGlobalMethodSecurity
  public static class TestConfig {
  }
}

Update: in Spring Boot 2.x you might get:


java.lang.IllegalStateException: In the composition of all global method configuration, no annotation support was actually activated

The reason is that you added @EnableGlobalMethodSecurity without actually enabling anything. To fix it, set at least one attribute of the annotation to true, e.g.:

@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)

Answer 4 (score: 0)

A simpler solution is to let Spring Boot auto-configure it. Adding the following dependency fixed it for me:

compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')

Answer 5 (score: 0)

Thanks John, adding the auto-configure dependency resolves this without any bean declaration or method override: org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:version

Answer 6 (score: 0)

For me it was a combination of this answer:

// spring configuration class annotation
@EnableGlobalMethodSecurity(prePostEnabled = true)

and this other answer:

// gradle dependency
compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')