I am trying to write a web application that allows authentication either via JDBC or via Google / Facebook, using Spring Security 5.0.x. I have a valid Google client ID and secret. The OAuth2 web flow correctly takes me to Google for account selection and consent, but the callback to the redirect_uri fails with a 404. I can't see what I'm doing wrong.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.mail.internet.AddressException;
import javax.sql.DataSource;

import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.PropertiesFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;

// AuthSuccessHandler, AuthFailureHandler, MezoUserManager and Authority are the
// application's own classes (assumed to live in this package).
@Configuration
@EnableScheduling
@EnableWebSecurity
public class WebSecurityConfig
    extends WebSecurityConfigurerAdapter
{
    private static final Logger _logger = LogManager.getLogger (WebSecurityConfig.class);

    // Redirect targets handed to the success / failure / logout handlers
    private static String
        SuccessUrl = "/api/auth/login-success",
        FailureUrl = "/api/auth/login-failure",
        LogoutUrl  = "/api/auth/logout-done";

    // Property keys holding the OAuth2 client credentials
    private static String
        PGoogleId       = "oauth2.google.id",
        PGoogleSecret   = "oauth2.google.secret",
        PFacebookId     = "oauth2.facebook.id",
        PFacebookSecret = "oauth2.facebook.secret"; // was "oauth2.google.secret" (copy-paste slip)

    private final List<ClientRegistration> _regns;

    @Autowired
    private AuthSuccessHandler _success;
    @Autowired
    private AuthFailureHandler _failure;
    @Autowired
    private DataSource _source;
    @Autowired
    private MezoUserManager _userManager;

    /**
     * Sole Constructor
     */
    public WebSecurityConfig ()
    {
        _regns = new ArrayList<> ();
    }

    /**
     * Builds a ClientRegistration for each provider whose id and secret are
     * present in the application properties.
     */
    @Autowired
    public void setPropertiesFactory (
        PropertiesFactoryBean factory)
        throws IOException, AddressException
    {
        Properties p = factory.getObject ();
        extractIdSecret (CommonOAuth2Provider.GOOGLE.getBuilder ("google"), PGoogleId, PGoogleSecret, p);
        extractIdSecret (CommonOAuth2Provider.FACEBOOK.getBuilder ("facebook"), PFacebookId, PFacebookSecret, p);
    }

    private void extractIdSecret (
        ClientRegistration.Builder builder,
        String idKey,
        String secretKey,
        Properties properties)
    {
        String id = properties.getProperty (idKey);
        String secret = properties.getProperty (secretKey);
        // A provider with a missing id or secret is simply not registered
        if (StringUtils.isBlank (id) || StringUtils.isBlank (secret))
            return;
        _regns.add (builder.clientId (id).clientSecret (secret).build ());
    }

    @Override
    protected void configure (
        HttpSecurity http)
        throws Exception
    {
        _success.setUrl (SuccessUrl);
        _failure.setUrl (FailureUrl);
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl ();
        repo.setDataSource (_source);
        http
            .authorizeRequests ()
                .antMatchers ("/api/profile/**").authenticated ()
                .antMatchers ("/api/users/**").hasAuthority (Authority.ROLE_ADMIN.name ())
                .antMatchers ("/api/**").permitAll ()
                .and ()
            .exceptionHandling ()
                .authenticationEntryPoint (new Http403ForbiddenEntryPoint ())
                .and ()
            .formLogin ()
                .loginProcessingUrl ("/login")
                .loginPage ("/")
                .successHandler (_success)
                .failureHandler (_failure)
                .and ()
            .logout ()
                .logoutUrl ("/logout")
                .logoutSuccessUrl (LogoutUrl)
                .and ()
            .rememberMe ()
                .tokenRepository (repo)
                .tokenValiditySeconds (1209600)
                .rememberMeParameter ("remember-me")
                .and ()
            .csrf ().disable ();
        // OAuth2 login is only wired up when at least one provider is configured
        if (!_regns.isEmpty ())
        {
            http.oauth2Login ()
                .clientRegistrationRepository (new InMemoryClientRegistrationRepository (_regns));
            _logger.debug ("OAuth2 enabled");
        }
    }

    @Override
    protected void configure (
        AuthenticationManagerBuilder builder)
        throws Exception
    {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider ();
        provider.setUserDetailsService (_userManager);
        provider.setPasswordEncoder (encoder ());
        builder.authenticationProvider (provider);
        builder.userDetailsService (_userManager);
    }

    @Bean
    public BCryptPasswordEncoder encoder ()
    {
        return new BCryptPasswordEncoder ();
    }
}
The callback from Google goes to the correct location
    http://localhost:8080/mezo/login/oauth2/code/google?state= .....
but my webapp complains:
    HTTP Status 404 - /mezo/login
Can anyone see what I have missed in the configuration? Why doesn't Spring Security set up a filter for the callback URI automatically?
Note that JDBC login currently works with this configuration.
Answer 0 (score: 0)
The fix was to make the antMatchers() more permissive. Specifically, replace:
    .antMatchers ("/api/**").permitAll ()
with:
    .antMatchers ("/api/**", "/login/**").permitAll ()
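The following is an added example, not code from the question or the answer above. It applies the same fix with narrower patterns: instead of opening all of `/login/**`, it permits only the two endpoints Spring Security 5's OAuth2 login filters actually use, taken from the framework's own constants (`/oauth2/authorization/*` for starting the flow and `/login/oauth2/code/*` for the provider callback). Ant patterns are matched against the path inside the servlet context, so a context path such as `/mezo` is not part of the pattern. The client id and secret are placeholders, the `ROLE_ADMIN` literal stands in for the asker's `Authority.ROLE_ADMIN.name()`, and the class name is invented for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class OAuth2LoginConfigExample extends WebSecurityConfigurerAdapter
{
    // Placeholders for the example; real credentials belong in external configuration.
    private static final String GOOGLE_CLIENT_ID = "<google-client-id>";
    private static final String GOOGLE_CLIENT_SECRET = "<google-client-secret>";

    // Spring Security 5 defaults: "/oauth2/authorization" and "/login/oauth2/code/*".
    // "/oauth2/authorization/**" matches /oauth2/authorization/google, /oauth2/authorization/facebook, ...
    // "/login/oauth2/code/*" matches exactly one registrationId segment, e.g. /login/oauth2/code/google
    private static final String AUTHORIZATION_ENDPOINTS =
        OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/**";
    private static final String REDIRECT_ENDPOINT =
        OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;

    @Override
    protected void configure (HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests ()
                // Rules are evaluated top-down and the first match wins, so the
                // protected API paths must precede the broad permitAll rules.
                .antMatchers ("/api/profile/**").authenticated ()
                .antMatchers ("/api/users/**").hasAuthority ("ROLE_ADMIN")
                .antMatchers ("/api/**").permitAll ()
                // Open only the OAuth2 entry point and the provider callback,
                // which an unauthenticated browser must be able to reach.
                .antMatchers (AUTHORIZATION_ENDPOINTS, REDIRECT_ENDPOINT).permitAll ()
                .and ()
            .oauth2Login ()
                .clientRegistrationRepository (clientRegistrationRepository ());
    }

    // Same registration style as the question: CommonOAuth2Provider supplies the
    // Google endpoints, only the client id and secret are application-specific.
    ClientRegistrationRepository clientRegistrationRepository ()
    {
        ClientRegistration google = CommonOAuth2Provider.GOOGLE.getBuilder ("google")
            .clientId (GOOGLE_CLIENT_ID)
            .clientSecret (GOOGLE_CLIENT_SECRET)
            .build ();
        return new InMemoryClientRegistrationRepository (google);
    }
}
```

Keeping the permitted set to the two framework endpoints, rather than `/login/**`, means a later addition under `/login/` (an admin or diagnostic page, say) is not silently exposed by the same rule; the matcher ordering comment is the part that most often bites, since a broad `permitAll` placed before a specific `authenticated()` rule wins.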