我正在尝试保护我的休息服务,这是我的Android和iOS应用程序的后端。我希望保护此服务上的所有端点,以便只允许与我的移动应用程序通信。
我弄清楚这个流程(我不确定它是否正确):
不幸的是,我不知道如何应用这种流程。我创建了下面提到的配置,但它没有像我预期的那样工作。
所以,有两个问题:
安全配置:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
private final String clientId = "clientid";
private final String clientSecret = "clientsecret";
private final String grantType = "password";
private final String scopeRead = "read";
private final String scopeWrite = "write";
private final String resourceIds = "resourcesId";
@Autowired
DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(clientId).secret(clientSecret)
.authorizedGrantTypes(grantType, "refresh_token", "client_credential")
.scopes(scopeRead, scopeWrite)
.resourceIds(resourceIds);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(tokenStore())
.authenticationManager(authenticationManager)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}
@Bean
public TokenStore tokenStore(){
return new JdbcTokenStore(dataSource);
}
}
授权配置:
@Order(2)
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
private final String resourceIds = "resourcesId";
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources
.resourceId(resourceIds);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.and()
.authorizeRequests()
.antMatchers("/places").authenticated()
.antMatchers("/places/**").authenticated()
.antMatchers("/welcome").permitAll()
.antMatchers("/welcome/**").permitAll();
}
}
资源服务器:
tf.import_graph_def