春天oAuth2没有保护资源

时间:2017-03-25 10:53:05

标签: java spring spring-security spring-security-oauth2 spring-oauth2

我正在尝试使用spring oAuth2设置一个纯资源服务器,它将验证来自授权服务器的访问令牌。

我无法保护自己的资源。我能直接打到api。 例如:

  • GET 本地主机:8080 /账户=的access_token 63884b81-a3d3-4eab-a92c-7eb1e2022dfd (访问令牌不正确)
    • GET localhost:8080 / accounts

以上两个链接都可以访问我的资源,但这些链接应该返回未经授权的错误。

资源服务器配置。

<bean id="authenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>

<bean id="oauthAccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />

<oauth2:expression-handler id="oauthExpressionHandler" />

<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

<security:global-method-security
    pre-post-annotations="enabled" proxy-target-class="true">
    <security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>

<oauth2:resource-server id="myResource"
    resource-id="myResourceId" token-services-ref="tokenServices" />

<security:http pattern="/**" create-session="never"
    entry-point-ref="authenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/**"
        access="IS_AUTHENTICATED_FULLY" method="GET" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="HEAD" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="OPTIONS" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="PUT" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="POST" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="DELETE" />
    <security:custom-filter ref="myResource"
        before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>

1 个答案:

答案 0 :(得分:0)

您必须配置RemoteTokenServices bean以检查授权服务器中的令牌:

 @Bean
       public RemoteTokenServices LocalTokenService() {
            final RemoteTokenServices tokenService = new RemoteTokenServices();
            tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token");
            tokenService.setClientId("my-client-with-secret");
            tokenService.setClientSecret("secret");
            return tokenService;
        }

或来自xml:

 <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
          p:checkTokenEndpointUrl="${oaas.endpoint.check_token}"
          p:clientId="${oaas.client_id}"
          p:clientSecret="${oaas.client_secret}" />

请注意,还应将授权服务器检查端点配置为允许来自匿名请求的令牌检查。