I am following Part V of Getting Started with Spring Boot Security to secure my RESTful microservices.
The simple flow I intend to implement is:
If the user is not authenticated, he is redirected to a custom login page, say '/login'.
The user provides his credentials.
After successful authentication the user is redirected to the home page ('/home'). I should then be able to access my REST endpoints (behind a Zuul proxy server) after providing the access token in the request.
The "Getting Started" guide in the above link uses Basic Auth and a dummy user configured in a .properties or .yml file.
This is how I tried to configure it:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The password grant needs an AuthenticationManager to check user credentials.
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // One in-memory client allowed to use the code, refresh and password grants.
        clients.inMemory().withClient("acme").secret("acmesecret")
            .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
            .accessTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Access rules for /oauth/token_key and /oauth/check_token.
        oauthServer.tokenKeyAccess("isAnonymous()").checkTokenAccess("isAnonymous()")
            .allowFormAuthenticationForClients();
    }
}
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@Import({ OptoSoftSecurityServiceConfig.class })
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // backed by MongoDB

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disabled basic auth and configured the default Spring Security form login.
        http.httpBasic().disable().formLogin();
    }
}
Hitting the authorization endpoint redirects me to "http://localhost:9999/uaa/login" and shows the error message:
<oauth>
    <error_description>
        Full authentication is required to access this resource
    </error_description>
    <error>unauthorized</error>
</oauth>
Questions
How do I configure the Authorization Server to use the UserDetailsService instead of a static user, and to use form login instead of basic authentication?
How do I configure auto-approval when using 'authorization_code' as the grant type?
Does the /oauth/authorize endpoint have to be protected by basic authentication? Why is "full authentication required" to access the '/oauth/authorize' endpoint? I believe we do not know who the user is before this endpoint. The user can only be identified after he has authenticated with valid credentials, which come from the form login.
Answer 0: (score: 4)
Finally got it working. The git repo from the above blog already has this configured. It turned out to be quite straightforward.
This worked for me (I also configured auto-approve to true):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * @author kumar
 *
 */
@SpringBootApplication
public class AuthenticationServerApplication {

    /**
     * @param args
     */
    public static void main(String[] args) {
        SpringApplication.run(AuthenticationServerApplication.class, args);
    }

    @Configuration
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Form login is open to everyone; everything else (including /oauth/authorize) needs an authenticated user.
            http.formLogin().permitAll().and().authorizeRequests().anyRequest().authenticated();//.and().userDetailsService(yourCustomerUserDetailsService);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Delegate to the AuthenticationManager that Spring Boot auto-configures.
            auth.parentAuthenticationManager(authenticationManager);
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // autoApprove(true) skips the consent page for the authorization_code grant.
            clients.inMemory().withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
                .autoApprove(true);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }
    }
}
application.yml:
security:
  user:
    password: password
server:
  port: 9999
  context-path: /uaa
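The answer above leaves the custom UserDetailsService as a commented-out hint, so the first two questions (a database-backed user store instead of the static security.user, form login instead of basic auth, and auto-approval for the authorization_code grant) are still only half answered. What follows is an added example, not the answer's code and not code from the Spring project or the blog's repository, written in the same Spring Boot 1.x / spring-security-oauth2 style as the page. It assumes a bean named mongoUserDetailsService (the page only says the store is MongoDB-backed and never shows it), that the stored passwords are BCrypt hashes, and a client redirect URI of http://localhost:8080/login; the package name is also made up.

```java
package com.example.uaa; // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@SpringBootApplication
public class AuthorizationServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthorizationServerApplication.class, args);
    }

    @Configuration
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        // Assumed: a MongoDB-backed UserDetailsService bean defined elsewhere in the application.
        @Autowired
        private UserDetailsService mongoUserDetailsService;

        // Assumed: the Mongo user documents store BCrypt password hashes.
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Replaces the static security.user with the database-backed store.
            auth.userDetailsService(mongoUserDetailsService).passwordEncoder(passwordEncoder());
        }

        // Expose the form-login AuthenticationManager as a bean so the authorization server reuses it.
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Unauthenticated hits on /oauth/authorize are redirected to the login form instead of
            // receiving the "Full authentication is required" error body from the question.
            http.formLogin().permitAll()
                .and().authorizeRequests().anyRequest().authenticated();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Autowired
        private UserDetailsService mongoUserDetailsService;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // The UserDetailsService is also needed so refresh_token can re-check that the user still exists.
            endpoints.authenticationManager(authenticationManager)
                     .userDetailsService(mongoUserDetailsService);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("openid")
                // Assumed callback; with autoApprove the code is only ever delivered to this registered URI.
                .redirectUris("http://localhost:8080/login")
                .autoApprove(true)
                .accessTokenValiditySeconds(3600);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // token_key is public; check_token is restricted to authenticated clients (never isAnonymous()).
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }
    }
}
```

Two points worth keeping in mind when adapting this: autoApprove(true) removes the consent step entirely, so it belongs only on first-party clients whose redirect URIs are pinned as above, and the security.user entry in application.yml becomes irrelevant once a UserDetailsService is wired into the AuthenticationManagerBuilder, so it can be dropped rather than left as a second, static credential.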