Spring Security + Oauth2 + JSR250无法正常工作

Question

我在使用Spring Security（xml配置），Oauth2和JSR250方法注释配置安全性时遇到问题。

当我试图访问安全方法而不在我的请求中发送任何令牌时，会显示内容，就好像存在任何安全性一样。

编辑：GitHub上的示例项目（仍无效）：https://github.com/michael112/SpringOAuthTest

我的源文件：

package com.websystique.springsecurity.service;

import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.http.ResponseEntity;
import org.springframework.http.HttpStatus;

import javax.annotation.security.RolesAllowed;


@RestController
@RequestMapping("/api/test")
public class TestAPIService {

    @RequestMapping( value = "/user", method = RequestMethod.GET, produces = "application/text-plain" )
    @ResponseBody
    @RolesAllowed({"ROLE_USER"})
    public ResponseEntity<String> methodForUser() {
        return new ResponseEntity<>("Access granted to user's method!", HttpStatus.OK);
    }

    @RequestMapping( value = "/admin", method = RequestMethod.GET, produces = "application/text-plain" )
    @ResponseBody
    @RolesAllowed({"ROLE_ADMIN"})
    public ResponseEntity<String> methodForAdmin() {
        return new ResponseEntity<>("Access granted to admin's method!", HttpStatus.OK);
    }
}

配置文件：

弹簧安全oauth.xml：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-4.0.xsd
       http://www.springframework.org/schema/security/oauth2
       http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context-4.2.xsd">

    <security:http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager">
        <security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" method="GET"/>

        <security:csrf disabled="true" />

        <security:anonymous enabled="false"/>
        <security:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <security:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
        <security:access-denied-handler ref="oauthAccessDeniedHandler"/>
    </security:http>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="dstest"/>
    </bean>

    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="dstest/client"/>
        <property name="typeName" value="Basic"/>
    </bean>

    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

    <bean id="clientCredentialsTokenEndpointFilter"
          class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="clientAuthenticationManager"/>
    </bean>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.access.annotation.Jsr250Voter"/>  
            </list>
        </constructor-arg>
    </bean>

    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="30" />
    </bean>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="supportRefreshToken" value="true"/>
        <property name="clientDetailsService" ref="clientDetails"/>
    </bean>

    <bean id="oAuth2RequestFactory"
        class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
        <constructor-arg ref="clientDetails" />
    </bean>

    <bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
        <property name="requestFactory" ref="oAuth2RequestFactory" />
        <property name="tokenStore" ref="tokenStore"/>
    </bean>

    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                                user-approval-handler-ref="userApprovalHandler">
        <oauth:authorization-code/>
        <oauth:implicit/>
        <oauth:refresh-token/>
        <oauth:client-credentials/>
        <oauth:password/>
    </oauth:authorization-server>

    <oauth:resource-server id="resourceServerFilter"
                           resource-id="dstest"
                           token-services-ref="tokenServices"/>

    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="tokenClient"
                      authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                      authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
                      redirect-uri="/web"
                      scope="read,write,trust"
                      access-token-validity="30"
                      refresh-token-validity="7200"/>
    </oauth:client-details-service>


    <security:global-method-security jsr250-annotations="enabled" access-decision-manager-ref="accessDecisionManager" />

    <oauth:expression-handler id="oauthExpressionHandler" />
    <oauth:web-expression-handler id="oauthWebExpressionHandler"/>

    <security:authentication-manager id="clientAuthenticationManager">
        <security:authentication-provider user-service-ref="clientDetailsUserService"/>
    </security:authentication-manager>

</beans>

弹簧security.xml文件：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans

    http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <security:http pattern="/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <security:access-denied-handler ref="oauthAccessDeniedHandler"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService"/>
    </security:authentication-manager>

    <bean id="customUserDetailsService" class="com.websystique.springsecurity.service.CustomUserDetailsService" />

</beans>