Question

我创建了一个带有spring boot的授权服务器，我想在资源服务器中使用资源所有者的角色。我有一个 SecurityConfig 类扩展 WebSecurityConfigurerAdapter ，我已经从mongodb检查了资源所有者的凭据以进行身份验证。为此我有一个 MongoAuthProvider 类来实现 AuthenticationProvider ，我从中返回 UsernamePasswordAuthenticationToken 的实例，其中包含用户名，密码和 ROLES < / strong>例如＆＃34; ROLE_ADMIN＆＃34; ，＆＃34; ROLE_APPUSER＆＃34;。

@SpringBootApplication @RestController @EnableResourceServer public class AuthserverApplication extends WebMvcConfigurerAdapter { public static void main(String[] args) { SpringApplication.run(AuthserverApplication.class, args); } @Configuration @EnableAuthorizationServer protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("acme") .secret("acmesecret") .authorizedGrantTypes("authorization_code","implicit", "refresh_token", "password").scopes("openid"); } } @Configuration protected static class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private MongoAuthProvider mongoAuthProvider; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(mongoAuthProvider); } @Bean public MongoAuthProvider getMongoAuthProvider(){ return new MongoAuthProvider(); } } @RequestMapping("/user") public Principal user(OAuth2Authentication user) { return user; } } class MongoAuthProvider implements AuthenticationProvider { @Autowired UserRepo userrepo; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String userName = authentication.getName().trim(); String password = authentication.getCredentials().toString().trim(); User user = userrepo.findByUserNameAndPassword(userName, password); if(user != null){ return new UsernamePasswordAuthenticationToken(userName, password, AuthorityUtils.createAuthorityList("ROLE_ADMIN" , "ROLE_APPUSER")); } else { return null; } } @Override public boolean supports(Class<?> authentication) { return authentication.equals(UsernamePasswordAuthenticationToken.class); } }

在auth服务器中，我还有一个用户信息休息端点：

@RequestMapping("/user") public Principal user(OAuth2Authentication user) { return user; }

我想在资源服务器中使用授权服务器数据库中资源所有者的角色。为此，我有一个 ResourceServer 类扩展 ResourceServerConfigurerAdapter ，其中我试图从auth服务器检查用户角色。资源服务器工作正常。问题是它无法从auth服务器检查角色。

@SpringBootApplication @EnableResourceServer @EnableOAuth2Sso public class AuthserverClientApplication extends WebMvcConfigurerAdapter { public static void main(String[] args) { SpringApplication.run(AuthserverClientApplication.class, args); } @Configuration protected static class ResourceServer extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("**") //.hasAuthority("ROLE_ADMIN") .hasRole("ADMIN") .anyRequest().authenticated(); } } } }

请帮助我如何使用资源服务器中授权服务器的角色进行基于角色的访问。

使用Auth Server

0 个答案: