OAuth2 JWT授权 - Spring Security XML配置问题#oauth2.hasScope

时间:2018-03-15 00:06:50

标签: spring spring-boot spring-security

我需要在Spring Security Implementation的某些部分使用XML Configuration。我现在所关心的只是JWT授权,JWT传递给我。使用Spring Security我确定用户是否有权访问REST API端点。我不能使用Java配置或@PreAuthorize注释。

作为我最初使用@PreAuthorize时的FYI或类似的方法: .antMatchers( “/学生/ **”)访问( “#oauth2.hasScope( '范围:管理员')”);

一切都很好。当我被迫转向XML配置并使用security:intercept-url方法时,出现了这个问题。

我得到的错误是:

  

“message”:“无法评估表达式   '#oauth2.hasScope(' 范围:管理员 ')'“

例外是:

  

java.lang.IllegalArgumentException:无法计算表达式   '#oauth2.hasScope(' 适用范围:联系 ')'
  在org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:30)〜[spring-security-core-5.0.3.RELEASE.jar:5.0.3.RELEASE]
  ...为了简洁,删除异常行为......   引起:   org.springframework.expression.spel.SpelEvaluationException:EL1011E:   方法调用:尝试调用方法hasScope(java.lang.String)   null上下文对象

XML配置:     

<!-- only enable this when deving -->
<!-- <security:debug /> -->  


<bean id="securityConfig"
    class="com.wmay.config.SecurityConfig">
</bean>

<bean id="resourceServerConfig"
    class="com.wmay.config.ResourceServerConfig">
</bean> 


 <bean id="methodSecurityConfig"
    class="com.wmay.config.MethodSecurityConfig">
</bean>

<security:http pattern="/**" use-expressions="true" auto-config="true">
    <security:intercept-url pattern="/students/**"
            access="#oauth2.hasScope('Scope:Admin')"/>
</security:http>

代码段:

@Override 
public void configure(HttpSecurity httpSecurity) throws Exception {     log.info("Configuring HttpSecurity");       
    httpSecurity.csrf().disable();  httpSecurity.cors().configurationSource(corsConfigurationSource());     
    //@// @formatter:off    
    httpSecurity
                .requestMatchers()
                .and().authorizeRequests()
                .antMatchers("/actuator/**").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();    
    // @formatter:on 
    }

@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
    log.info(
            "Enabling OAuth2 Method Expression Handler.");
    return new OAuth2MethodSecurityExpressionHandler();
}

1 个答案:

答案 0 :(得分:0)

我明白了。我需要在XML配置文件中添加更多条目。

<bean id="oauth2AuthenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />
<oauth2:resource-server id="resourceServerFilter" 
        resource-id="${security.jwt.resource-ids}" token-services-ref="tokenServices"/>
<oauth2:web-expression-handler id="oauth2WebExpressionHandler" />


<security:http 
        pattern="/**"       
        entry-point-ref="oauth2AuthenticationEntryPoint"        
        authentication-manager-ref="authenticationManager"
        use-expressions="true"
        create-session="stateless">
        <security:intercept-url pattern="/students/**"
            access="#oauth2.hasScope('Scope:Admin')" />     
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <security:expression-handler ref="oauth2WebExpressionHandler" />
    </security:http>