Using WebSecurityConfigurerAdapter with Spring OAuth2 and user-info-uri

Time: 2017-05-29 03:18:09

Tags: java spring-boot spring-security-oauth2 spring-oauth2

I have created an authorization service like the following

    @SpringBootApplication
    @EnableAuthorizationServer
    public class AuthorizationApplication { ... }

with this application.properties

    server.port=9000
    security.oauth2.client.client-id=monederobingo
    security.oauth2.client.client-secret=monederobingosecret
    security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
    security.oauth2.client.scope=company,client

Then, in a separate Spring Boot project, I created a resource server.

    @SpringBootApplication
    @EnableResourceServer
    public class App { ... }

with this application.properties

    server.port=9090
    spring.application.name=app
    security.oauth2.resource.user-info-uri=http://localhost:9000/user

Now, if I send a request like localhost:9090/api with the corresponding token retrieved from the authorization service, everything works fine.

However, I don't want to send this token when sending requests to localhost:9090/login.

For this I created the following class in the resource server Spring Boot app.

    @Configuration
    public class SpringConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/login")
                    .permitAll()
                    .antMatchers("/api/**")
                    .authenticated();
        }
    }

Now I don't need to send any token to send requests to /login.

However, I now get the following message when sending a request to /api with a valid token.

How can I configure security for a few URL patterns in Spring Security OAuth2?

1 answer:

Answer 0: (score: 7)

Follow this for more information on Spring OAuth security: Secure Spring REST Api with OAuth

To implement OAuth security in Spring Boot you have to create the authorization server and the resource server separately, extending them from AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter respectively.

Authorization server

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.provider.ClientDetailsService;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;
        @Autowired
        private AuthenticationManager authenticationManager;
        // Assumed to be a ClientDetailsService bean backed by MongoDB; any ClientDetailsService works here
        @Autowired
        private ClientDetailsService mongoClientDetailsService;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // User store and authentication manager are needed for the password grant;
            // the token store is where issued access tokens are kept and looked up.
            endpoints
                    .userDetailsService(userDetailsService)
                    .authenticationManager(this.authenticationManager)
                    .tokenStore(tokenStore())
                    .approvalStoreDisabled();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // Registered clients (id, secret, scopes, grant types) come from the persistent store
            clients.withClientDetails(mongoClientDetailsService);
            /*inMemory()
                    .withClient(propertyResolver.getProperty(PROP_CLIENTID))
                    .scopes("read", "write")
                    .authorities("ROLE_CLIENT")
                    .authorizedGrantTypes("password", "refresh_token","client_credentials")
                    .secret(propertyResolver.getProperty(PROP_SECRET))
                    .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));*/
        }

        @Bean
        public TokenStore tokenStore() {
            // In-memory store: tokens do not survive a restart; use a JdbcTokenStore or JwtTokenStore in production
            return new InMemoryTokenStore();
        }

        //Do others stuff
    }

Resource server

All the URLs you want to secure with OAuth should be listed in this server's configuration. It enables the Spring Security filter to authenticate requests using the incoming OAuth2 token. The class extending WebSecurityConfigurerAdapter, on the other hand, is mostly used for basic security configuration such as adding filters, permitting unsecured URLs, or implementing a session policy.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class App extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // requestMatchers() limits this filter chain to /api/**, so the OAuth2 token filter
            // only runs for those URLs and /login is left to the WebSecurityConfigurerAdapter chain
            http.requestMatchers().antMatchers("/api/**")
                .and()
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated();
        }
        //Do others stuff
    }
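The pairing the answer describes, written out as an added example (this is not code from the question or the answer): the resource-server chain claims only /api/**, and the WebSecurityConfigurerAdapter chain claims everything else through a negated matcher. Spring Security hands each request to the first filter chain whose request matcher accepts it, so the configuration in the question, a WebSecurityConfigurerAdapter matching every URL including /api/** but carrying no OAuth2 token filter, took the /api requests before the resource-server chain ever saw the bearer token. Keeping the two matchers disjoint removes any dependence on the relative order of the chains, which differs between Spring Boot versions. The package name, the class names, the constant and the denyAll fallback are my choices and do not appear on the page.

```java
package com.example.resource; // hypothetical package, not from the original post

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;

/**
 * Two filter chains with disjoint request matchers. Spring Security gives a request to the
 * first chain whose matcher accepts it; because the matchers below never overlap, the
 * relative order of the two chains does not matter.
 */
@Configuration
public class ResourceServerSecurity {

    // Hypothetical constant so both chains agree on exactly which URLs are the token-protected API
    private static final String API_PATTERN = "/api/**";

    /** Chain 1: only /api/** is handled here, so only these URLs require a bearer token. */
    @Configuration
    @EnableResourceServer
    public static class ApiSecurity extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers(API_PATTERN)
                .and()
                .authorizeRequests()
                    // every request that reaches this chain is already under /api/**
                    .anyRequest().authenticated();
        }
    }

    /** Chain 2: everything that is NOT /api/**. /login is open; anything else is refused. */
    @Configuration
    public static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher(API_PATTERN)))
                // no cookie-backed session is used on this server, so CSRF tokens add nothing here
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    // closed by default: a URL neither chain was written for is not silently exposed
                    .anyRequest().denyAll();
        }
    }
}
```

With this in place a request to /api/... without a token is rejected by the resource-server chain, a request to /login needs no token, and a request to any other path on the server is refused rather than falling into a chain that was never meant for it. If you prefer a single WebSecurityConfigurerAdapter that matches all URLs, the same effect needs the resource-server chain to be ordered first, which is what the security.oauth2.resource.filter-order property controlled in the Spring Boot 1.x line; the disjoint matchers above avoid having to get that right.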