I created an authorization service as shown below, using this:

```java
@SpringBootApplication
@EnableAuthorizationServer
public class AuthorizationApplication {
    ...
}
```

application.properties:

```properties
server.port=9000
security.oauth2.client.client-id=monederobingo
security.oauth2.client.client-secret=monederobingosecret
security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
security.oauth2.client.scope=company,client
```

Then, in a separate Spring Boot project, I created a resource server using this:

```java
@SpringBootApplication
@EnableResourceServer
public class App {
    ...
}
```

application.properties:

```properties
server.port=9090
spring.application.name=app
security.oauth2.resource.user-info-uri=http://localhost:9000/user
```

Now, if I send a request such as `localhost:9090/api` with the corresponding token retrieved from the authorization service, everything works fine.

However, I don't want to send this token when sending a request to `localhost:9090/login`.

For this I created this class in the resource server Spring Boot app:

```java
@Configuration
public class SpringConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/login")
            .permitAll()
            .antMatchers("/api/**")
            .authenticated();
    }
}
```

Now I don't need to send any token to send requests to `/login`.

However, I now get the following message when sending a request to `/api` with a valid token.

How can I configure security for only a few URL patterns in Spring Security OAuth2?
Answer 0 (score: 7)
For more information on Spring OAuth security, follow this: Secure Spring REST Api with OAuth

To implement OAuth security in Spring Boot you have to create the authorization and resource servers separately, extending them from AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter respectively.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private AuthenticationManager authenticationManager;
    // ClientDetailsService backed by the application's client store (MongoDB here);
    // the original snippet used this field without declaring it.
    @Autowired
    private ClientDetailsService mongoClientDetailsService;
    // Where issued tokens are kept; the original snippet called tokenStore() without defining it.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .userDetailsService(userDetailsService)
            .authenticationManager(this.authenticationManager)
            .tokenStore(tokenStore())
            .approvalStoreDisabled();
    }
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Registered OAuth2 clients are loaded from the client details service.
        clients.withClientDetails(mongoClientDetailsService);
        /* Equivalent in-memory registration of a single client:
        clients.inMemory()
            .withClient(propertyResolver.getProperty(PROP_CLIENTID))
            .scopes("read", "write")
            .authorities("ROLE_CLIENT")
            .authorizedGrantTypes("password", "refresh_token", "client_credentials")
            .secret(propertyResolver.getProperty(PROP_SECRET))
            .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));
        */
    }
    // Do other stuff
}
```
All the URLs you want to protect with OAuth should be mentioned in this server configuration. It enables the Spring Security filters to authenticate requests using the incoming OAuth2 token. The class extending WebSecurityConfigurerAdapter, by contrast, is mostly used for basic security configuration, such as adding filters, permitting insecure URLs or implementing session policies, etc.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class App extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // requestMatchers() scopes this OAuth2 filter chain to /api/** only;
        // within it, every /api/** request must present a valid access token.
        http.requestMatchers().antMatchers("/api/**").and().authorizeRequests()
            .antMatchers("/api/**").authenticated();
    }
    // Do other stuff
}
```
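How the two adapters described in the answer fit together for the URLs in the question, as an added example that is not code from the answer or the asker. It assumes Spring Boot 1.x with spring-security-oauth2 on the classpath; the class names are made up, and the chain orders quoted in the comments are the library defaults.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example: resource-server side of the question's setup, as two filter chains.
@Configuration
public class ResourceSecurityConfig {

    // Chain 1 (default order 3, evaluated first): OAuth2 bearer-token protection.
    // requestMatchers() confines this chain to /api/**, so a request to /login
    // never reaches the token filter; inside the chain every /api/** request
    // must carry a valid access token.
    @Configuration
    @EnableResourceServer
    static class ApiChain extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/api/**")
                .and()
                .authorizeRequests()
                .antMatchers("/api/**").authenticated();
        }
    }

    // Chain 2 (default order 100): every request chain 1 did not claim.
    // /login is open without a token; any other unclaimed path is denied
    // explicitly so that nothing becomes reachable anonymously by accident.
    @Configuration
    static class WebChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable() // kept from the question's config: token-based API clients send no session cookie
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().denyAll();
        }
    }
}
```

Because chain 1 only matches /api/**, the WebSecurityConfigurerAdapter chain is the one that decides /login, which is the separation the answer describes.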