usernamepasswordauthenticationfilter没有使用oauth2和formlogin在spring security中调用

时间:2015-12-25 19:37:06

标签: spring-security spring-boot spring-oauth2

尝试在Spring启动应用程序中创建spring security oauth2并形成登录工作。

我从中获取了线索 https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2/sparklr

https://github.com/royclarkson/spring-rest-service-oauth/issues/11

以下是我的配置

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

 @Inject
 private AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;

 @Inject
 private AjaxAuthenticationFailureHandler ajaxAuthenticationFailureHandler;

 @Inject
 private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

@Inject
private UserDetailsService userDetailsService;

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
}

@Bean
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
    return new SecurityEvaluationContextExtension();
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        .antMatchers("/scripts/**/*.{js,html}")
        .antMatchers("/bower_components/**")
        .antMatchers("/i18n/**")
        .antMatchers("/assets/**")
        .antMatchers("/swagger-ui/index.html")
        .antMatchers("/api/register")
        .antMatchers("/api/activate")
        .antMatchers("/api/account/reset_password/init")
        .antMatchers("/api/account/reset_password/finish")
        .antMatchers("/api/home/**")
        .antMatchers("/api/product/**")
        .antMatchers("/test/**")
        .antMatchers("/devadmin/**")
        .antMatchers("/signin")
        .antMatchers("/static/api-guide.html");
}



@Override
@Order(Ordered.HIGHEST_PRECEDENCE)
    protected void configure(HttpSecurity http) throws Exception {

        http
            .csrf().disable().authorizeRequests().antMatchers("/web/**","/for","/admin","/here").authenticated()
            .and()
            .formLogin()
            .loginProcessingUrl("/web/authentication")
            .successHandler(ajaxAuthenticationSuccessHandler)
            .failureHandler(ajaxAuthenticationFailureHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
            .and()
            .logout()
            .logoutUrl("/web/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .deleteCookies("JSESSIONID")
            .permitAll()
            .and()
            .exceptionHandling()
        ;

    }


@Configuration
@EnableAuthorizationServer
@EnableConfigurationProperties(SecurityConfigurationProperties.class)
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter implements EnvironmentAware {

    private static final String ENV_OAUTH = "authentication.oauth.";
    private static final String PROP_CLIENTID = "clientid";
    private static final String PROP_SECRET = "secret";
    private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";

    private RelaxedPropertyResolver propertyResolver;

    @Inject
    private DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {

        endpoints
                .tokenStore(tokenStore())
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient(propertyResolver.getProperty(PROP_CLIENTID))
            .scopes("read", "write")
            .authorities(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
            .authorizedGrantTypes("password", "refresh_token")
            .secret(propertyResolver.getProperty(PROP_SECRET))
            .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800));
    }

@Override
public void setEnvironment(Environment environment) {
  this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);
    }

    }


  @Order(2)
  @Configuration
  @EnableResourceServer
  protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .requestMatchers().antMatchers("/api/**")
        .and()
            .authorizeRequests().antMatchers("/api  /**").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')");
        // @formatter:on
    }
  }

  }

通过上面的配置,当我尝试通过

进行身份验证时,oauth2登录正常工作

/的OAuth /令牌

但是通过

登录

/网络/认证

始终显示

405不支持请求方法'POST'

未调用usernamepasswordauthenticationfilter。

在上面的代码中注释ResourceServerConfiguration部分后,

通过

表单登录

/网络/认证

工作正常。

此外,我可以看到从日志中调用usernamepasswordauthenticationfilter。

我的问题是,即使端点配置为oauth2资源服务器和表单登录也不同,为什么oauth2会覆盖formlogin的httpsecurity,为什么在配置资源服务器时不会调用usernamepasswordauthenticationfilter?

0 个答案:

没有答案