Spring Oauth2独立资源服务器配置

时间:2015-10-19 20:15:55

标签: spring-security oauth-2.0

我正在尝试为 OAuth2 配置相互独立的身份验证服务器和资源服务器。我已经成功配置了授权服务器,并能够进行身份验证和生成访问令牌。现在我想配置一个资源服务器,让它通过 API 端点与 auth 服务器通信,以验证访问令牌。以下是我的资源服务器配置。

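@Configuration
@EnableResourceServer
@EnableWebSecurity
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Endpoint of the authorization server used to validate access tokens. The value is the
     * one from the question: a localhost/plain-HTTP address suitable for local development only.
     */
    private static final String CHECK_TOKEN_ENDPOINT_URL = "http://localhost:9000/authserver/oauth/check_token";

    /**
     * Client credentials presented to the check_token endpoint. These are the placeholder
     * values from the question; real credentials belong in externalized configuration or a
     * secret store, not in source.
     */
    private static final String CHECK_TOKEN_CLIENT_ID = "clientId";
    private static final String CHECK_TOKEN_CLIENT_SECRET = "clientSecret";

    /**
     * Authorization rules for this chain: every request under {@code /api/v1/**} needs an
     * authenticated caller, regardless of HTTP method.
     *
     * <p>The original rule covered only {@code GET}; {@code POST}/{@code PUT}/{@code DELETE}
     * on the same API matched no rule and were therefore not restricted by this chain.
     * Requests outside {@code /api/v1} still match no rule — add an {@code anyRequest()}
     * fallback once the remaining paths served by this application are known.
     *
     * <p>This method runs once, while the filter chain is built, not per request — so a
     * log statement here cannot show whether individual requests reach the chain.
     *
     * @param http the builder for this configuration's filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/v1/**").authenticated();
    }

    /**
     * Converter that {@link #remoteTokenServices()} applies to the check_token response.
     *
     * @return the default converter shipped with Spring Security OAuth2
     */
    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    /**
     * Token services that validate incoming access tokens remotely, by calling the
     * authorization server's check_token endpoint with the client credentials above.
     *
     * <p>The client secret travels in that call, so outside local development the endpoint
     * must be reached over HTTPS. Token validation is delegated to the authorization server;
     * presumably an {@code AuthenticationManager} is still required on the resource server
     * because some component has to invoke these services (see
     * {@link #authenticationManager()}).
     *
     * @return the configured {@link RemoteTokenServices}
     */
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        final RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setCheckTokenEndpointUrl(CHECK_TOKEN_ENDPOINT_URL);
        tokenServices.setClientId(CHECK_TOKEN_CLIENT_ID);
        tokenServices.setClientSecret(CHECK_TOKEN_CLIENT_SECRET);
        tokenServices.setAccessTokenConverter(accessTokenConverter());
        return tokenServices;
    }

    /**
     * Publishes an {@link OAuth2AuthenticationManager} backed by {@link #remoteTokenServices()}
     * as the context's {@code AuthenticationManager} bean. The question reports that the
     * application context does not load without this bean; which component requires it is
     * not visible here — NOTE(review): confirm which configuration injects it.
     *
     * @return the OAuth2 authentication manager wired to the remote token services
     * @throws Exception declared by the overridden method
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        final OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
        manager.setTokenServices(remoteTokenServices());
        return manager;
    }
}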


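@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * Resource-server rules: every request under {@code /api/v1/**} needs a fully
     * authenticated (non-remember-me) caller, regardless of HTTP method.
     *
     * <p>The original rule applied to {@code GET} only, leaving {@code POST}/{@code PUT}/
     * {@code DELETE} on the same API unmatched and hence unrestricted by this chain. The
     * config-time log lines were dropped: this method runs once while the chain is built
     * (not per request), and the second message described an {@code anyRequest()} rule
     * that was never registered. Paths outside {@code /api/v1} still match no rule — add
     * an {@code anyRequest()} fallback once the other paths served here are known.
     *
     * <p>CSRF protection is disabled; that is only acceptable while every request to this
     * chain is authenticated by a bearer token rather than a session cookie —
     * NOTE(review): confirm no cookie-based login shares this chain.
     *
     * @param http the builder for the resource-server filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                .antMatchers("/api/v1/**").fullyAuthenticated();
    }
}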


@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    /**
     * Supplies the expression handler used for pre/post method-security annotations.
     * Presumably the OAuth2 variant is chosen so that the {@code #oauth2.*} expressions
     * are available there as well — confirm against the handler's documentation.
     *
     * @return a fresh {@link OAuth2MethodSecurityExpressionHandler}
     */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        final MethodSecurityExpressionHandler oauth2Handler = new OAuth2MethodSecurityExpressionHandler();
        return oauth2Handler;
    }
}

问题: 1. 既然所有身份验证都委托给了 auth 服务器,为什么我还需要在资源服务器上配置 AuthenticationManager? (不添加它,应用程序上下文就无法加载。)

除此之外,我面临以下问题。

  1. 即使我没有在请求中传递 Authorization 标头和访问令牌,请求也能通过。

    http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members"
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Date: Mon, 19 Oct 2015 19:45:14 GMT
    Server: Apache-Coyote/1.1
    Transfer-Encoding: chunked
    {
    "entities": [], 
    "errors": [], 
    "message": null
    }
    
  2. 过滤器似乎只被调用了一次,我没有看到后续请求的日志。它是否在某处缓存了授权结果?

  3. 我是 Spring 的新手。如果我做错了什么,请告诉我。我使用的版本是

    spring-security-oauth2 : 2.0.7.RELEASE
    spring-security-core   : 4.0.1.RELEASE
    java : 1.8
    

2 个答案:

答案 0 :(得分:0)

要点是为 auth-server 和 resource-server 分别创建各自的请求端点,让它们各自处理自己的请求。如下所示,“/user/getEmployeesListRole/**” 通过身份验证服务器访问;“/user/getEmployeesListOAuth2/**” 通过资源服务器访问,使用由 oauth2-server 生成的令牌。

在同一个 spring-boot 应用程序中配置 oauth2-server、resource-server 和 auth-server

1。入口点:

/*AuthApplication.java*/
    /** Spring Boot entry point for the combined auth-server / oauth2-server / resource-server sample. */
    @SpringBootApplication
    @EnableDiscoveryClient
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class AuthApplication {

        /**
         * Boots the application context.
         *
         * @param args command-line arguments forwarded to Spring Boot
         */
        public static void main(String[] args) {
            final Class<AuthApplication> primarySource = AuthApplication.class;
            SpringApplication.run(primarySource, args);
        }
    }
2. 配置 oauth2-server:
/*OAuth2AuthorizationConfig.java*/
     /** Authorization-server setup: one in-memory client, in-memory tokens, delegated user authentication. */
     @Configuration
     @EnableAuthorizationServer
     public class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

         /** Tokens live only in this JVM's memory: lost on restart, not shared across instances. */
         private TokenStore tokenStore = new InMemoryTokenStore();

         @Autowired
         @Qualifier("authenticationManagerBean")
         private AuthenticationManager authenticationManager;

         @Autowired
         @Qualifier("userDetailsServiceBean")
         private UserDetailsService userDetailsService;

         /**
          * Registers the single client, "browser", in memory with the password and
          * refresh_token grants. NOTE(review): no client secret is configured and the
          * encoder below is NoOp, so the client is effectively public — acceptable for a
          * demo, not for a deployment.
          *
          * @param clients registry of OAuth2 clients
          * @throws Exception propagated from the configurer
          */
         @Override
         public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
             final String[] grantTypes = {"password", "refresh_token"};
             final String[] scopes = {"ui", "read:ui", "write:ui"};
             clients.inMemory()
                     .withClient("browser")
                     .authorizedGrantTypes(grantTypes)
                     .scopes(scopes);
         }

         /**
          * Wires the token store and the injected authentication / user-details beans into
          * the token endpoints.
          *
          * @param endpoints endpoint configurer
          * @throws Exception propagated from the configurer
          */
         @Override
         public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
             endpoints.tokenStore(tokenStore);
             endpoints.authenticationManager(authenticationManager);
             endpoints.userDetailsService(userDetailsService);
         }

         /**
          * Access rules for the server's own endpoints: the token-key endpoint is open to
          * everyone, the check_token endpoint requires an authenticated client, and client
          * secrets are compared in plaintext (NoOp encoder) — NOTE(review): a real deployment
          * needs a proper password encoder for client secrets.
          *
          * @param oauthServer security configurer for the authorization-server endpoints
          * @throws Exception propagated from the configurer
          */
         @Override
         public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
             oauthServer.tokenKeyAccess("permitAll()");
             oauthServer.checkTokenAccess("isAuthenticated()");
             oauthServer.passwordEncoder(NoOpPasswordEncoder.getInstance());
         }
     }

2.1 oauth2-server auth-request [使用 HTTP Basic 身份验证发送 POST]:
http://localhost:5000/uaa/oauth/token?grant_type=password&scope=ui write:ui&username=user&password=123456&client_id=browser
3。配置资源服务器:
/*ResourceServer.java*/
    /**
     * Resource-server rules: only the two listed URL trees are handled by this chain, and
     * every request to them must carry a valid access token that grants the {@code ui} scope.
     */
    @Configuration
    @EnableResourceServer
    class ResourceServer extends ResourceServerConfigurerAdapter {

        /**
         * @param http builder for the resource-server filter chain
         * @throws Exception propagated from the builder
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            final String requiredScope = "#oauth2.hasScope('ui')";
            http.requestMatchers()
                    .antMatchers("/user/getEmployeesList/**")
                    .antMatchers("/user/getEmployeesListOAuth2/**")
                    .and()
                .authorizeRequests()
                    .anyRequest().access(requiredScope);
        }
    }
4。配置身份验证服务器:
/*WebSecurityConfig.java*/
    /** Form-login security for the non-OAuth2 endpoints of the same application. */
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Static resources bypass the security filter chain entirely.
         *
         * @param web web-security builder
         * @throws Exception propagated from the builder
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**");
        }

        /**
         * {@code /user/getEmployeesListRole/**} needs both authorities; everything else is
         * open; form login and logout are public. NOTE(review): CSRF protection is disabled
         * while cookie-based form login is enabled, which leaves state-changing requests
         * in this chain open to cross-site request forgery — confirm this is intended.
         *
         * @param http builder for this configuration's filter chain
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            final String bothAuthorities = "hasAuthority('WRITE_DATA') && hasAuthority('READ_DATA')";
            http.authorizeRequests()
                    .antMatchers("/user/getEmployeesListRole/**").access(bothAuthorities)
                    .anyRequest().permitAll();
            http.formLogin().permitAll();
            http.logout().permitAll();
            http.csrf().disable();
        }

        /**
         * Single in-memory user. The credentials are sample values; the plaintext
         * {@code password("admin")} form presumably relies on the Spring Security version in
         * use accepting unencoded passwords — confirm for the target version.
         *
         * @param auth authentication-manager builder
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("admin")
                    .password("admin")
                    .authorities("WRITE_DATA", "READ_DATA");
        }

        /** Exposes the adapter's authentication manager as a bean (injected by qualifier elsewhere). */
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /** Exposes the adapter's user-details service as a bean (injected by qualifier elsewhere). */
        @Override
        @Bean
        public UserDetailsService userDetailsServiceBean() throws Exception {
            return super.userDetailsServiceBean();
        }
    }

答案 1 :(得分:-1)

仅在带有 @EnableWebSecurity 的 Oauth2SecurityConfiguration 上加 @EnableResourceServer 是不够的。您还应该将 extends WebSecurityConfigurerAdapter 替换为 extends ResourceServerConfigurerAdapter。

如果您想使用 RemoteTokenServices 实例,我建议您

覆盖 ResourceServerConfigurerAdapter 的 `public void configure(ResourceServerSecurityConfigurer resources) throws Exception`:
/**
 * Plugs the token services held by {@code serverConfig} into the resource server, so that
 * incoming access tokens are validated by them.
 *
 * @param resources resource-server security configurer to customise
 * @throws Exception propagated from the configurer
 */
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.tokenServices(serverConfig.getTokenServices());
}