我有一个OAuth2提供程序应用程序(URL:http://localhost:8080/oauth/authorize),它将由多个资源服务器应用程序(Rest Webservices)访问。这里的想法是在Centralized OAuth2 Provider中配置所有权限,并且应该针对OAuth2 Provider验证所有资源服务器应用程序的安全性。
当我尝试访问http://localhost:8090/appA/xyz时,我收到“需要完整身份验证”消息。
您能告诉我App-A如何从集中式OAuth2提供商那里读取权限吗?
我的授权服务器配置:
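@Configuration
@RestController
@EnableAuthorizationServer
public class AuthorizationServer extends AuthorizationServerConfigurerAdapter {

    /** Resource id App-A's resource server declares; tokens minted for appAClientID carry it. */
    private static final String APPA_RESOURCE_ID = "APPA_RESOURCE_ID";

    /**
     * Returns the authenticated principal as the response body.
     * App-A's {@code security.oauth2.resource.userInfoUri} points at this endpoint.
     *
     * @param user the principal Spring resolved for the current request
     * @return the same principal
     */
    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    /**
     * Registers App-A as an OAuth2 client.
     * <p>
     * The client id and secret are literals for local testing only; a deployed provider must
     * load them from externalized configuration and keep the secret out of source control.
     * The curly quotes of the original listing were replaced by plain quotes (they do not compile).
     *
     * @param clients registry the clients are added to
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Start: Add App-A protected resources
        clients.inMemory()
            .withClient("appAClientID")
            .secret("appAClientSecret")
            .resourceIds(APPA_RESOURCE_ID)
            // resource-owner password grant: appropriate only for a first-party client
            .authorizedGrantTypes("password", "refresh_token")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write")
            .accessTokenValiditySeconds(600)
            .refreshTokenValiditySeconds(3600);
        // End: Add App-A protected resources
    }

    /**
     * Lets authenticated clients call {@code /oauth/check_token}.
     * <p>
     * The endpoint is {@code denyAll()} unless opened here, and App-A's
     * {@code RemoteTokenServices} validates every bearer token through it (authenticating with
     * the client id/secret). Keep it restricted to authenticated clients, never {@code permitAll()}.
     *
     * @param security endpoint security configurer of the authorization server
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
    }
}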
OAuth2 提供程序上的资源服务器配置:
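@Configuration
@EnableResourceServer
public class SMEEShopResourceServer extends ResourceServerConfigurerAdapter {

    /** Must match the resource id registered for appAClientID on the authorization server. */
    private static final String RESOURCE_ID = "APPA_RESOURCE_ID";

    /**
     * Access rules for the paths this application serves itself (localhost:8080).
     * <p>
     * NOTE(review): these rules are not read by App-A. A request to
     * {@code http://localhost:8090/appA/xyz} is decided solely by App-A's own
     * {@code ResourceServerConfiguration}; the {@code permitAll()} on {@code /appA/xyz/**}
     * below only affects that path on this server. The original {@code permitALl()} was a typo.
     *
     * @param http builder for this resource server's filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                // paths handled by this filter chain
                .antMatchers("/user/**", "/appA/xyz/**", "/appA/123/**")
            .and()
            .authorizeRequests()
                // only authenticated requests may access /user
                .antMatchers("/user/**").authenticated()
                // resource configuration for App-A
                .antMatchers("/appA/xyz/**").permitAll()
                .antMatchers("/appA/123/**").authenticated()
            .and()
            // CSRF double-submit cookie; only meaningful for session-based (browser) access,
            // bearer-token calls are not CSRF-prone
            .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

    /**
     * Binds this resource server to its resource id and to the token services that validate
     * incoming bearer tokens.
     *
     * @param resources resource server security configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID).tokenServices(getRemoteTokenService());
    }

    /**
     * Copies the current CSRF token into an {@code XSRF-TOKEN} cookie so a browser client can
     * echo it in the {@code X-XSRF-TOKEN} header.
     * <p>
     * The cookie is intentionally readable by script (no HttpOnly), which is what the
     * double-submit pattern needs; consider {@code cookie.setSecure(true)} once the server
     * is reached over HTTPS.
     *
     * @return filter that (re)issues the cookie when it is missing or stale
     */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    String token = csrf.getToken();
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    // Re-issue only when there is a token to send and the cookie is absent or
                    // stale; the original could emit a cookie with a null value when the
                    // token was null.
                    if (token != null && (cookie == null || !token.equals(cookie.getValue()))) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /**
     * Session-backed CSRF token repository that reads the token from the
     * {@code X-XSRF-TOKEN} header instead of a form parameter.
     *
     * @return the configured repository
     */
    protected CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    /**
     * Token services that validate bearer tokens against the check_token endpoint.
     * <p>
     * {@code @Override} was dropped: {@code ResourceServerConfigurerAdapter} declares no such
     * method, so the annotation does not compile. NOTE(review): this application is itself the
     * token issuer, so introspecting over HTTP against its own endpoint is an extra hop; confirm
     * whether a local token store is the intended design. The client secret is a literal here
     * and should be externalized.
     *
     * @return remote token services authenticating as appAClientID
     */
    @Primary
    @Bean
    public RemoteTokenServices getRemoteTokenService() {
        RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        tokenService.setClientId("appAClientID");
        tokenService.setClientSecret("appAClientSecret");
        return tokenService;
    }
}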
App-A 上的资源服务器配置:
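@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    /** Must match the resource id registered for appAClientID on the authorization server. */
    private static final String RESOURCE_ID = "APPA_RESOURCE_ID";

    /**
     * Access rules for App-A (served under {@code server.context-path=/appA} on port 8090).
     * <p>
     * Every path requires a valid bearer token, so a request to {@code /appA/xyz} without an
     * {@code Authorization} header is rejected with "Full authentication is required". Rules
     * are not pulled from the OAuth2 provider: it only validates tokens via check_token, and
     * its own {@code permitAll()} for {@code /appA/xyz/**} has no effect here. If that path is
     * meant to be public on App-A, a matcher such as {@code .antMatchers("/xyz/**").permitAll()}
     * (context-relative) must be declared here before {@code anyRequest()}.
     *
     * @param http builder for this resource server's filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/**")
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // CSRF double-submit cookie; only meaningful for session-based (browser) access
            .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

    /**
     * Binds this resource server to its resource id and to the token services that validate
     * incoming bearer tokens against the central provider.
     *
     * @param resources resource server security configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID).tokenServices(getRemoteTokenService());
    }

    /**
     * Copies the current CSRF token into an {@code XSRF-TOKEN} cookie so a browser client can
     * echo it in the {@code X-XSRF-TOKEN} header.
     * <p>
     * The cookie is intentionally readable by script (no HttpOnly), which is what the
     * double-submit pattern needs; consider {@code cookie.setSecure(true)} once the server
     * is reached over HTTPS.
     *
     * @return filter that (re)issues the cookie when it is missing or stale
     */
    protected Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    String token = csrf.getToken();
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    // Re-issue only when there is a token to send and the cookie is absent or
                    // stale; the original could emit a cookie with a null value when the
                    // token was null.
                    if (token != null && (cookie == null || !token.equals(cookie.getValue()))) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    /**
     * Session-backed CSRF token repository that reads the token from the
     * {@code X-XSRF-TOKEN} header instead of a form parameter.
     *
     * @return the configured repository
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    /**
     * Token services that validate bearer tokens against the provider's check_token endpoint,
     * authenticating as appAClientID. That endpoint must be opened to authenticated clients on
     * the provider ({@code checkTokenAccess}); otherwise every introspection call is rejected.
     * <p>
     * {@code @Override} was dropped: {@code ResourceServerConfigurerAdapter} declares no such
     * method, so the annotation does not compile. The client secret is a literal here and
     * should be externalized (App-A's properties already carry it).
     *
     * @return the configured remote token services
     */
    @Primary
    @Bean
    public RemoteTokenServices getRemoteTokenService() {
        RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        tokenService.setClientId("appAClientID");
        tokenService.setClientSecret("appAClientSecret");
        return tokenService;
    }
}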
App-A 的 app.properties:
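server.port=8090
# App-A is served under /appA, so antMatchers in its security config are relative to this path
server.context-path=/appA
# ----------------------------------------
# oAUTH 2.0 PROPERTIES
# ----------------------------------------
# Client credentials are literals for local testing only; externalize the secret for any real deployment.
security.oauth2.client.client-id=appAClientID
security.oauth2.client.client-secret=appAClientSecret
# NOTE(review): every other key uses the security.oauth2.* prefix; confirm this one is not meant to as well.
spring.oauth2.client.access-token-uri=http://localhost:8080/oauth/token
security.oauth2.resource.id=APPA_RESOURCE_ID
# The original key was split by a stray space ("token-info- uri"); a properties parser stops the key
# at the whitespace, so the setting was never applied.
security.oauth2.resource.token-info-uri=http://localhost:8080/oauth/check_token
security.oauth2.resource.userInfoUri=http://localhost:8080/user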