spring security oauth2多个ResourceServerTokenServices

Time: 2018-02-21 06:11:17

Tags: spring-security spring-security-oauth2

I have two sets of resource APIs, and each set must be validated against a different remote authorization server.

Below is my security-config.xml

<?xml version="1.0" encoding="UTF-8"?>

<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
            http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <authentication-manager>
    </authentication-manager>

    <oauth:resource-server id="resourceFilterA"
                           token-services-ref="tokenServicesA"/>

    <http pattern="/v1/A/**"
          request-matcher="ant"
          disable-url-rewriting="true"
          use-expressions="true"
          entry-point-ref="entryPointA">

      <intercept-url pattern="/v1/A/endpoint1"
                     method="GET"
                     access="hasAuthority('scope.A')"/>

      <anonymous enabled="true"/>
      <csrf disabled="true"/>

      <custom-filter ref="resourceFilterA" position="PRE_AUTH_FILTER"/>
    </http>


    <oauth:resource-server id="resourceFilterB"
                           token-services-ref="tokenServicesB"/>

    <http pattern="/v1/B/**"
          request-matcher="ant"
          disable-url-rewriting="true"
          use-expressions="true"
          entry-point-ref="entryPointB">

      <intercept-url pattern="/v1/B/endpoint1"
                     method="POST"
                     access="hasAuthority('scope.B')"/>


      <anonymous enabled="true"/>
      <csrf disabled="true"/>

      <custom-filter ref="resourceFilterB" position="PRE_AUTH_FILTER"/>
    </http>

</b:beans>

tokenServicesA and tokenServicesB are defined in Java config:

import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
// FastRemoteTokenServices is the poster's own ResourceServerTokenServices implementation;
// its package is not shown in the post.

@Configuration
public class TokenServicesConfig {

    // Issuer identifiers of authorization servers A and B, injected from configuration
    // (the injection itself is not shown in the post).
    private String trustedIssuerA;
    private String trustedIssuerB;

    // One entry point per http block; both just render a 401 with an OAuth2 error body.
    @Bean
    public OAuth2AuthenticationEntryPoint entryPointA() {
        return new OAuth2AuthenticationEntryPoint();
    }

    @Bean
    public OAuth2AuthenticationEntryPoint entryPointB() {
        return new OAuth2AuthenticationEntryPoint();
    }

    @Bean
    public ResourceServerTokenServices tokenServicesA() {
        FastRemoteTokenServices tokenServices = new FastRemoteTokenServices();
        tokenServices.setUseHttps(true);
        tokenServices.setStoreClaims(true);
        // Pattern.compile(x, Pattern.LITERAL).pattern() just returns x unchanged (the LITERAL
        // flag is lost), so regex metacharacters in the issuer URL would stay unescaped.
        // Pattern.quote() yields a \Q...\E regex that matches the issuer string literally.
        tokenServices.setTrustedIssuerIdsRegex(Pattern.quote(trustedIssuerA));
        return tokenServices;
    }

    @Bean
    public ResourceServerTokenServices tokenServicesB() {
        FastRemoteTokenServices tokenServices = new FastRemoteTokenServices();
        tokenServices.setUseHttps(true);
        tokenServices.setStoreClaims(true);
        tokenServices.setTrustedIssuerIdsRegex(Pattern.quote(trustedIssuerB));
        return tokenServices;
    }
}

I expected one of the filters to match a request according to the mutually exclusive intercept-url patterns in the http blocks.

However, for the sample request logged below, which carries a token from trusted issuer A, the first http block matches and authenticates the request successfully, yet the token is still checked against the trusted issuer B regexp, which fails.

Likewise, a request carrying a token from trusted issuer B is also matched against trusted issuer A's regexp, which fails as well.

estMatcher  : Checking match of request : '/v1/A/endpoint1'; against '/v1/A/endpoint1'
2018-02-20 21:46:09.879 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /v1/A/endpoint1; Attributes: [hasAuthority('scope.A')]
2018-02-20 21:46:09.879 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@cc91d34f: Principal: apg-client; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: scope.A
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a7694fd, returned: 1
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2018-02-20 21:46:10.110 DEBUG 8439 --- [io-12525-exec-4] o.s.security.web.FilterChainProxy        : /v1/A/endpoint1 reached end of additional filter chain; proceeding with original chain
2018-02-20 21:46:10.111 DEBUG 8439 --- [io-12525-exec-4] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token", error_description="The issuer 'https://my.issuer.A/oauth/token' is not trusted because it does not match the regex '<my-issuer-B-regexp>'
2018-02-20 21:46:10.112 DEBUG 8439 --- [io-12525-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="invalid_token", error_description="The issuer 'https://my.issuer.A/oauth/token' is not trusted because it does not match the regex '<my-issuer-B-regexp>' /json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@25743461]
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-02-20 21:46:10.113 DEBUG 8439 --- [io-12525-exec-4] o.s.b.w.f.OrderedRequestContextFilter    : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@74f7a53b

What is the fundamental mistake in the configuration above?

Alternatively, what is a good reference example of multiple oauth resource servers, each protected by a different FastRemoteTokenServices token service?

0 answers:

No answers
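Added example, not part of the original post or of any answer to it. The log ordering is telling: the security filter chain for /v1/A/** authenticates and authorizes the request, FilterChainProxy reports "reached end of additional filter chain; proceeding with original chain", and only then does an OAuth2AuthenticationProcessingFilter fail with issuer B's regexp. That is consistent with the filter running outside Spring Security's chain. Each <oauth:resource-server> element defines an OAuth2AuthenticationProcessingFilter bean, and Spring Boot (OrderedRequestContextFilter in the log shows Boot is in use) registers every Filter bean it finds with the servlet container as well, mapped to /*, so resourceFilterB (and resourceFilterA) run a second time against every request regardless of the http pattern. The configuration below, written as an illustration of that reading and assuming a Spring Boot 1.5/2.x FilterRegistrationBean, keeps both beans out of the container chain while leaving them available to the custom-filter references in security-config.xml:

```java
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not from the original post). Prevents Spring Boot from
 * auto-registering the two OAuth2AuthenticationProcessingFilter beans
 * created by <oauth:resource-server id="resourceFilterA"/> and
 * <oauth:resource-server id="resourceFilterB"/> in the servlet container's
 * own filter chain. They then run only where the <http> blocks place them
 * (position="PRE_AUTH_FILTER"), each on its own URL pattern.
 */
@Configuration
public class ResourceFilterRegistrationConfig {

    @Bean
    public FilterRegistrationBean resourceFilterARegistration(
            @Qualifier("resourceFilterA") Filter resourceFilterA) {
        return disabled(resourceFilterA);
    }

    @Bean
    public FilterRegistrationBean resourceFilterBRegistration(
            @Qualifier("resourceFilterB") Filter resourceFilterB) {
        return disabled(resourceFilterB);
    }

    // A registration with enabled=false tells Spring Boot not to add the
    // filter to the ServletContext; the filter bean itself is untouched and
    // the security chains' custom-filter references keep working.
    private static FilterRegistrationBean disabled(Filter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }
}
```

To confirm the diagnosis before applying the change, look at the startup log: Spring Boot 1.x prints a line of the form "Mapping filter: 'resourceFilterA' to: [/*]" for every filter it registers with the container (the wording differs in later versions). After the change those lines should disappear and the DEBUG trace for /v1/A/endpoint1 should end at "proceeding with original chain" without a second "Authentication request failed". Note the security consequence of the fix: once the stray registrations are gone, a token is validated only by the token service of the chain whose pattern it matches, so any path not covered by /v1/A/** or /v1/B/** is no longer checked by either filter and needs its own <http> block if it must be protected.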