为什么这个spring oauth配置永远不会返回401未授权?

时间:2017-04-07 18:33:58

标签: java spring spring-mvc spring-security oauth

我按照教程here尝试开始使用spring Oauth。但是,没有页面返回401未经授权,即使我没有对服务器进行身份验证(教程中的配置示例可能会禁用匿名访问。与此问题相关的教程的唯一注释只有一个响应,说明授权尚未启用,但我在其中一个配置类上有@EnableAuthorizationServer

所有配置类

应用:

@SpringBootApplication
@EnableTransactionManagement
@EnableAutoConfiguration(exclude = {RepositoryRestMvcAutoConfiguration.class})
public class Application extends SpringBootServletInitializer {
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

授权服务器:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    private static String REALM = "EXAMPLE_REALM";

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler handler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

        clients.inMemory()
               .withClient("trusted-client")
               .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
               .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
               .scopes("read", "write", "trust")
               .secret("secret")
               .accessTokenValiditySeconds(300)//invalid after 5 minutes.
               .refreshTokenValiditySeconds(600);//refresh after 10 minutes.
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(handler)
                 .authenticationManager(authManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }
}

资源服务器(请注意,为了测试目的,我将antMatchers更改为anyRequest):

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    private static final String RESOURCE_ID = "SPRING_REST_API";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable()
            .requestMatchers().anyRequest()
            .and().authorizeRequests()
            .anyRequest().access("hasRole('ADMIN')")
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}

"安全":

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private ClientDetailsService clientService;

    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("javabycode").password("123456").roles("USER")
            .and()
            .withUser("admin").password("admin123").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
            .antMatchers("/oauth/token").permitAll();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }


    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientService));
        handler.setClientDetailsService(clientService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

可能不相关,但也有:

@Configuration
@EnableWebMvc
@EnableWebSecurity
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**");
    }
}

在阅读完本教程的完整源代码后,我添加了

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

最后,项目的build.gradle因为我在使用spring时经常遇到特定版本的依赖项问题:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:1.5.1.RELEASE")
        classpath('com.h2database:h2:1.4.193')
        classpath('org.hibernate:hibernate-core:5.0.12.Final')
        classpath('org.springframework.boot:spring-boot-starter-security:1.5.2.RELEASE')
    }
}

apply plugin: 'idea'
apply plugin: 'java'
apply plugin: 'org.springframework.boot'
apply plugin: 'war'
sourceCompatibility = 1.8
targetCompatibility = 1.8

String appVersion = "1.0.0"

war{
    baseName="cubscout-rest"
    version=appVersion
    doFirst {
        manifest {
            attributes("Implementation-Title": 'cubscout-rest', "Implementation-Version": appVersion, "Implementation-Timestamp": new Date())
        }
    }
}

repositories {
    jcenter()
}

dependencies {
    compile project(':core')

    compile 'org.springframework.boot:spring-boot-gradle-plugin:1.3.5.RELEASE'
    compile 'org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE'
    compile 'org.springframework.boot:spring-boot-starter-data-jpa:1.5.1.RELEASE'
    //compile 'org.springframework.integration:spring-integration-core:4.3.7.RELEASE'
    //compile 'org.springframework.batch:spring-batch-core:3.0.7.RELEASE'
    compile 'org.springframework.data:spring-data-jpa:1.11.0.RELEASE'
    compile 'org.springframework.data:spring-data-rest-webmvc:2.6.0.RELEASE'
    compile 'org.springframework.security:spring-security-web:4.2.1.RELEASE'
    //compile 'org.springframework.boot:spring-boot-starter-security:1.5.2.RELEASE'
    compile 'org.springframework.security.oauth:spring-security-oauth2:2.1.0.RELEASE'
    compile 'org.hibernate:hibernate-core:5.0.12.Final'
    compile 'com.h2database:h2:1.4.193'
    compile 'org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE'
    testCompile 'junit:junit:4.12'
    testCompile 'org.mockito:mockito-all:1.10.19'
    providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat:1.5.1.RELEASE'
}

1 个答案:

答案 0 :(得分:1)

Spring Boot的一个自动配置正在干扰。改变

@SpringBootApplication
@EnableTransactionManagement
@EnableAutoConfiguration(exclude = {RepositoryRestMvcAutoConfiguration.class})
public class Application extends SpringBootServletInitializer {


@SpringBootApplication
@EnableTransactionManagement
@EnableAutoConfiguration(exclude = {RepositoryRestMvcAutoConfiguration.class, OAuth2AutoConfiguration.class})
public class Application extends SpringBootServletInitializer {

允许我的配置正常运行。

相关问题
最新问题