I am developing a REST API that listens on localhost, and I want to include Spring Security. The password grant and the client credentials grant work perfectly, and I can retrieve the secured data from /smarthouse and /smarthouse2.
However, when I try to use the authorization code grant through Postman, it keeps giving me the same error, and I have looked everywhere. My project is here: https://github.com/sharjak/Smarthouse. Everything happens in the demoapplication folder.
My authorization server and resource server code:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class OAuth2ServerConfig {

    // Resource server: every request to a protected resource must carry a valid token.
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .anonymous().disable()
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest()
                    .authenticated().and()
                .formLogin();
        }
    }

    // Authorization server: registered clients, token store and endpoint security.
    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory().withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT", "ROLE_USER")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("secret")
                    .accessTokenValiditySeconds(6000)
                .and()
                .withClient("my-client")
                    .authorizedGrantTypes("authorization_code", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_USER")
                    .scopes("read", "trust", "write")
                    .resourceIds("oauth2-resource")
                    .accessTokenValiditySeconds(6000)
                .and()
                .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials", "password")
                    .authorities("ROLE_CLIENT", "ROLE_USER")
                    .scopes("read", "trust", "write")
                    .resourceIds("oauth2-resource")
                    .secret("secret")
                    .accessTokenValiditySeconds(6000);
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                .authenticationManager(authenticationManager)
                .tokenStore(tokenStore);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("permitAll()");
        }
    }
}
Web security configuration code:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .csrf().disable()
            .authorizeRequests()
                // "/smarthouse2" needs the leading slash; the original "smarthouse2" never matches a request path.
                .antMatchers("/smarthouse", "/smarthouse2", "/user").permitAll()
                .and()
            .formLogin();
    }

    // In-memory users used for the form login and the password grant.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("password").roles("ADMIN")
            .and()
            .withUser("sander").password("Sander123").roles("USER");
    }

    // Exposed as a bean so the authorization server can autowire it.
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}
Stack trace when I try to log in as a user:
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
    at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)
I am a beginner, but this seems like a small problem. Can anyone help me?
Answer 0 (score: 0)
You just need to change the configure method in WebSecurityConfig to the following:
http
    .authorizeRequests()
        // "/smarthouse2" needs the leading slash; "smarthouse2" never matches a request path.
        .antMatchers("/login", "/favicon.ico",
                     "/oauth/confirm_access", "/oauth/token", "/smarthouse",
                     "/smarthouse2", "/user").permitAll()
        .anyRequest().authenticated().and()
    .csrf().disable();
Why do you disable anonymous access? Another point: the order in which the matchers are declared matters.
I cloned your repo and it works for me.
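Added example, not code from the question, the answer or the Smarthouse project: a small Java program that uses spring-core's AntPathMatcher to replay the answer's matcher chain in declaration order and show which rule each endpoint of the authorization-code flow lands under, why a pattern without a leading slash never matches, and how a broad pattern declared first shadows a narrower one. The class name, the helper methods and modelling anyRequest() as the catch-all pattern "/**" are this example's own assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Hypothetical helper, not from the Smarthouse project. It replays an ordered
// antMatchers()/anyRequest() chain the way Spring Security evaluates it: the
// first rule whose pattern matches the request path wins. anyRequest() is
// modelled here as the catch-all pattern "/**" (an assumption of this example).
public class MatcherOrderCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // The chain from the answer, in declaration order.
    static Map<String, String> answerChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        for (String p : new String[] {"/login", "/favicon.ico", "/oauth/confirm_access",
                                      "/oauth/token", "/smarthouse", "/smarthouse2", "/user"}) {
            chain.put(p, "permitAll");
        }
        chain.put("/**", "authenticated"); // stands in for anyRequest().authenticated()
        return chain;
    }

    // Returns the access rule that applies to a request path, or "no rule" if none matches.
    static String decide(Map<String, String> chain, String path) {
        for (Map.Entry<String, String> rule : chain.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getValue() + " via " + rule.getKey();
            }
        }
        return "no rule";
    }

    public static void main(String[] args) {
        Map<String, String> chain = answerChain();
        // Paths touched by the authorization-code flow plus the two resource URLs.
        for (String path : new String[] {"/login", "/oauth/authorize", "/oauth/confirm_access",
                                         "/oauth/token", "/smarthouse", "/smarthouse2"}) {
            System.out.println(path + " -> " + decide(chain, path));
        }
        // A pattern without a leading slash, like the original "smarthouse2", never matches
        // a servlet path (which always starts with "/"), so such a rule is dead.
        System.out.println("\"smarthouse2\" matches /smarthouse2? " + ANT.match("smarthouse2", "/smarthouse2"));
        // Declaration order matters: a broad rule declared first shadows a narrower one after it.
        Map<String, String> broadFirst = new LinkedHashMap<>();
        broadFirst.put("/oauth/**", "authenticated");
        broadFirst.put("/oauth/token", "permitAll"); // never reached
        System.out.println("/oauth/token with the broad rule first -> " + decide(broadFirst, "/oauth/token"));
    }
}
```

/oauth/authorize is the only flow endpoint that falls through to the authenticated rule, which is exactly what the authorization-code grant needs: an unauthenticated browser is redirected to the form login instead of hitting the InsufficientAuthenticationException from the question.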