I have two groups of resource APIs, and each group must be validated against a different remote authorization server.
Below is my security-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
             http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
             http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
             http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <authentication-manager>
    </authentication-manager>

    <oauth:resource-server id="resourceFilterA"
                           token-services-ref="tokenServicesA"/>

    <http pattern="/v1/A/**"
          request-matcher="ant"
          disable-url-rewriting="true"
          use-expressions="true"
          entry-point-ref="entryPointA">
        <intercept-url pattern="/v1/A/endpoint1"
                       method="GET"
                       access="hasAuthority('scope.A')"/>
        <anonymous enabled="true"/>
        <csrf disabled="true"/>
        <custom-filter ref="resourceFilterA" position="PRE_AUTH_FILTER"/>
    </http>

    <oauth:resource-server id="resourceFilterB"
                           token-services-ref="tokenServicesB"/>

    <http pattern="/v1/B/**"
          request-matcher="ant"
          disable-url-rewriting="true"
          use-expressions="true"
          entry-point-ref="entryPointB">
        <intercept-url pattern="/v1/B/endpoint1"
                       method="POST"
                       access="hasAuthority('scope.B')"/>
        <anonymous enabled="true"/>
        <csrf disabled="true"/>
        <custom-filter ref="resourceFilterB" position="PRE_AUTH_FILTER"/>
    </http>
</b:beans>
tokenServicesA and tokenServicesB are defined in Java configuration:
import java.util.regex.Pattern;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
// FastRemoteTokenServices comes from the token library in use; its import is not shown here.

@Configuration
public class TokenServicesConfig {

    // Issuer URLs of the two authorization servers (property names assumed).
    @Value("${trusted.issuer.a}")
    private String trustedIssuerA;

    @Value("${trusted.issuer.b}")
    private String trustedIssuerB;

    @Bean
    public OAuth2AuthenticationEntryPoint entryPointA() {
        return new OAuth2AuthenticationEntryPoint();
    }

    @Bean
    public OAuth2AuthenticationEntryPoint entryPointB() {
        return new OAuth2AuthenticationEntryPoint();
    }

    @Bean
    public ResourceServerTokenServices tokenServicesA() {
        FastRemoteTokenServices tokenServices = new FastRemoteTokenServices();
        tokenServices.setUseHttps(true);
        tokenServices.setStoreClaims(true);
        // Pattern.quote() produces a regex that matches the issuer string literally.
        // Pattern.compile(s, Pattern.LITERAL).pattern() just returns s unchanged, so
        // the LITERAL flag was lost as soon as the pattern string was handed over.
        tokenServices.setTrustedIssuerIdsRegex(Pattern.quote(trustedIssuerA));
        return tokenServices;
    }

    @Bean
    public ResourceServerTokenServices tokenServicesB() {
        FastRemoteTokenServices tokenServices = new FastRemoteTokenServices();
        tokenServices.setUseHttps(true);
        tokenServices.setStoreClaims(true);
        tokenServices.setTrustedIssuerIdsRegex(Pattern.quote(trustedIssuerB));
        return tokenServices;
    }
}
I expected that only one of the filters would handle a given request, based on the mutually exclusive intercept-url patterns in the two http blocks.
However, for the sample request logged below, which carries a token from trusted issuer A, the first http block matches and successfully authenticates the request, yet the token is still checked against the trusted-issuer-B regexp and fails.
Likewise, a request with a token from trusted issuer B is also matched against the trusted-issuer-A regex, which also fails.
estMatcher : Checking match of request : '/v1/A/endpoint1'; against '/v1/A/endpoint1'
2018-02-20 21:46:09.879 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /v1/A/endpoint1; Attributes: [hasAuthority('scope.A')]
2018-02-20 21:46:09.879 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@cc91d34f: Principal: apg-client; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: scope.A
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a7694fd, returned: 1
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.security.web.FilterChainProxy : /v1/A/endpoint1 reached end of additional filter chain; proceeding with original chain
2018-02-20 21:46:10.111 DEBUG 8439 --- [io-12525-exec-4] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token", error_description="The issuer 'https://my.issuer.A/oauth/token' is not trusted because it does not match the regex '<my-issuer-B-regexp>'
2018-02-20 21:46:10.112 DEBUG 8439 --- [io-12525-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="invalid_token", error_description="The issuer 'https://my.issuer.A/oauth/token' is not trusted because it does not match the regex '<my-issuer-B-regexp>' /json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@25743461]
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] o.s.b.w.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@74f7a53b
What is the root error in the configuration above?
Alternatively, what is a good reference example for multiple OAuth resource servers, each protected by a different FastRemoteTokenServices token service?