Spring security oauth2总是返回403

时间:2018-03-20 02:27:01

标签: spring-boot spring-security oauth-2.0

我有一个Spring启动应用程序服务Rest端点,我使用Spring安全性和Oauth2进行安全保护。 我想保护我的所有端点,除了用于验证的端点,创建帐户或一些信息的东西。

安全配置如下:

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private MongoTokenStore tokenStore;

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        //clients.withClientDetails(clientDetailsService);
        clients.inMemory().withClient("app").secret("password")
                        .accessTokenValiditySeconds(30000).authorizedGrantTypes("password", "refresh_token")
                        .refreshTokenValiditySeconds(300000000)
                        .scopes("read");
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager)
                    .pathMapping("/oauth/confirm_access", "/access_confirmation");

    }

    @Bean
    public TokenStore tokenStore() {
        return this.tokenStore;
    }

}


@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;
  @Autowired
  private SecurityContextService securityContextService;
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

我可以访问令牌端点以获取我的access_token,但我想使用此access_token访问其他安全端点(通过向头部添加Authorization:Bearer {access_toke}),我总是获得HTTP 403。

我错过了什么吗?如果我添加授权标题,我不应该被授权?

我的控制器仅使用@RestController,@ CrossOrigin进行注释 和@RequestMapping(" / url")

1 个答案:

答案 0 :(得分:-1)

在Spring中,有两种类型的安全配置(就urls安全而言)。

<强> 1。基本安全配置

此课程应实施WebSecurityConfigurerAdapter。它将处理所有那些没有“Bearer”令牌类型的请求(不应该受到oauth保护的URL)。

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;
  @Autowired
  private SecurityContextService securityContextService;
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

<强> 2。资源服务器配置(特定于OAuth)

此类负责处理所有带有Bearer类型的授权标头的请求。它应该从ResourceServerConfigurerAdapter类扩展。在这里,您应该提到所有那些您希望受到oauth保护的安全配置的网址。

@Configuration
@EnableResourceServer
public class OAuthResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {    
        http.requestMatchers().antMatchers("/resources-to-be-protected/**").and().authorizeRequests()
                .antMatchers("/resources-to-be-protected/**").access("#oauth2.isClient()");

}
}
相关问题
最新问题