您好我刚接触弹簧安全性并试图弄清楚如何配置auth服务器来发出令牌。我现在遇到的问题是我在Cors预检请求上收到401或403,并且不确定如何解决以下是基于少数教程的裸机实现
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework http://www.baeldung.com/spring-security-oauth-jwt
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity
@PropertySource(value = "classpath:oauth.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserRepository userRepository;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authenticationProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
}
@Autowired
ObjectMapper mapper;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll()
.anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception{
auth.inMemoryAuthentication().
withUser("john").password("123").roles("USER").
and().
withUser("tom").password("111").roles("ADMIN");
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
}
@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter{
@Autowired
private Environment env;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer){
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception{
clients.inMemory().withClient("acme").secret("acmesecret").authorizedGrantTypes("authorization_code", "refresh_token",
"password").scopes("openId");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints){
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(),accessTokenConverter()));
endpoints.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.authenticationManager(authenticationManager);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter(){
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
return converter;
}
@Bean
public TokenStore tokenStore(){
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
CorsFilter2是在春季4.2中引入的spring cors过滤器我正在使用它来插入正确的响应标头以发送回客户端。
答案 0 :(得分:0)
所以我想出了我的问题,我必须配置我的websecurity以忽略CoresRequest请求,所以在websecurity的配置块内我必须设置这个
web.ignoring().requestMatchers(CorsUtils::isPreFlightRequest);
它开始起作用了。