How can I combine Spring HTTP Basic authentication and access tokens so that both work at the same time? In my case only the configuration with Order(1) takes effect.
I want everything under /api/** to be accessible only to users with a token, while /web/** is only for logged-in users.
WebSecurityConfig.java
    @Configuration
    @EnableWebMvcSecurity
    @Order(1)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/web/**", "/gopr").authenticated().and().authorizeRequests()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
        }
    }
Application.java
    @SpringBootApplication
    @EnableResourceServer
    @Order(2)
    public class Application {

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

            @Autowired
            private AuthenticationManager authenticationManager;

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.authenticationManager(authenticationManager);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                // @formatter:off
                clients.inMemory()
                    .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit", "client_credentials")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("password")
                    .accessTokenValiditySeconds(600);
                // @formatter:on
            }
        }

        @Configuration
        @EnableResourceServer
        protected static class ResourceServer extends ResourceServerConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests().antMatchers("/web/**", "/login", "/index", "/").permitAll()
                    .antMatchers("/api/**").authenticated();
                /* antMatchers("/web/**", "/gopr").permitAll().antMatchers("/api/**").authenticated(); */
            }
        }
    }
Answer 0 (score: 4)
Always use 'requestMatchers()' when creating security filters. This way, when several filter chains are created, the first filter chain won't be the one that gets used.
Change your WebSecurityConfig.java to:
    @Configuration
    @EnableWebMvcSecurity
    @Order(1)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        ...
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This chain only handles /web/** and /gopr; everything else falls through to the next chain.
                .requestMatchers().antMatchers("/web/**", "/gopr")
                .and()
                .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll();
        }
        ...
    }
and your ResourceServer inner class:
    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {
        ...
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // This chain only handles /api/**, so web requests never reach the token filter.
                .requestMatchers().antMatchers("/api/**").and()
                .authorizeRequests().antMatchers("/api/**").authenticated();
        }
    }
Reference: https://github.com/royclarkson/spring-rest-service-oauth/issues/11
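As an added check that is not part of the question or the answer: a MockMvc test that confirms the two chains stay isolated once both use requestMatchers(). It assumes a user alice / alice-pw exists in the UserDetailsService and that some controller is mapped under /api/** (the path /api/orders is made up); the client id and secret are the ones registered in the question's OAuth2Config.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc // registers springSecurityFilterChain with MockMvc
public class FilterChainIsolationTest {
    @Autowired
    private MockMvc mvc;

    @Test
    public void apiRejectsAnonymousRequestWithoutRedirect() throws Exception {
        // A 401 from the resource-server chain, not a 302 to /login,
        // proves the form-login chain did not claim /api/**.
        mvc.perform(get("/api/orders")).andExpect(status().isUnauthorized());
    }

    @Test
    public void webRedirectsAnonymousRequestToLogin() throws Exception {
        // /gopr is owned by the form-login chain via requestMatchers().
        mvc.perform(get("/gopr"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test
    public void apiAcceptsTokenFromPasswordGrant() throws Exception {
        // Client credentials come from the question's OAuth2Config;
        // alice/alice-pw is an assumed user in the UserDetailsService.
        String body = mvc.perform(post("/oauth/token")
                .with(httpBasic("my-trusted-client", "password"))
                .param("grant_type", "password")
                .param("username", "alice").param("password", "alice-pw"))
            .andExpect(status().isOk())
            .andReturn().getResponse().getContentAsString();
        String token = new ObjectMapper().readTree(body).get("access_token").asText();
        // Any status other than 401 means the resource-server chain accepted the bearer token.
        mvc.perform(get("/api/orders").header("Authorization", "Bearer " + token))
           .andExpect(r -> { if (r.getResponse().getStatus() == 401) throw new AssertionError("token rejected"); });
    }
}
```

Run it against the corrected configuration; with the original configuration the first test fails because the Order(1) chain answers /api/** with a redirect to /login instead of a 401.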