WebSecurityConfigurerAdapter是否会覆盖EnableResourceServer？

Question

我有一个完美的弹簧启动应用程序，它使用spring oAuth2。当我在主类上使用@EnableResourceServer时效果很好。 但为我在类

下实现的服务启用CORS

   @Configuration
    public class CorsConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().disable();
            http.cors();

        }
        @Bean
        public CorsConfigurationSource corsConfigurationSource() {
            final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
            configuration.setAllowedOrigins(ImmutableList.of("*"));
            configuration.setAllowedMethods(ImmutableList.of("HEAD",
                    "GET", "POST", "PUT", "DELETE", "PATCH"));
            configuration.setAllowCredentials(true);
   configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }
    }

添加该类之后，似乎请求不会使用oAuth令牌进行验证。即使没有oAuth令牌，任何请求都可以访问服务。

我做错了什么？ 不能同时使用两者吗？工作有什么特别的事吗？ 有没有更好的方法来启用CORS这个。 （我试过@CrossOrigin注释它没有用）

Answer 1

我不确定您为什么要使用WebSecurityConfigurerAdapter 我认为您的问题是您没有将您的电话转发给oAuth进行授权。试试这对我有用

@Configuration
public class CorsConfiguration extends ResourceServerConfigurerAdapter {


    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated();
    }
    @Bean
    public CorsFilter corsFilter() {
        final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD",
                "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowCredentials(true);

        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return new CorsFilter(source);
    }
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("resource");
    }

}

此处resources.resourceId("resource");应该是您在oAuth服务器中使用的资源

类似这样的方法

@Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("clinet").secret("secret").accessTokenValiditySeconds(3600).scopes("read", "write")
                .authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
    }