我的应用程序类上有@ EnableOAuth2Sso,一个具有@EnableWebSecurity的WebSecurityConfigurererAdapter和一个具有@EnableResourceServer的ResourceServerConfigurerAdapter。
应用程序:
@SpringBootApplication
@EnableCaching
@EnableOAuth2Sso
public class Application extends SpringBootServletInitializer {
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(Application.class);
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
WebSecurityConfigurererAdapter:
@Configuration
@EnableWebSecurity(debug = false)
@Order(1)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
CustomUserDetailsService userDetailsService;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/favicon.ico", "/webjars/**", "/error");
}
@Bean
@Override
public UserDetailsService userDetailsService() {
return userDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(
new OrRequestMatcher(
new AntPathRequestMatcher("/"), // index page for public access
new AntPathRequestMatcher("/cfhealth"), // public cloudfoundry health endpoint
new AntPathRequestMatcher("/error"),
new AntPathRequestMatcher("/perf/**")
))
.authorizeRequests().anyRequest().permitAll();
}
}
ResourceServerConfigurerAdapter:
@Configuration
@EnableResourceServer
public class ResourceServerOktaConfig extends ResourceServerConfigurerAdapter {
@Bean
public RequestContextListener requestContextListener() {
return new RequestContextListener();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
.authorizeRequests().anyRequest().fullyAuthenticated();
}
}
我现在的期望是考虑到我的自定义用户详细信息服务,但没有考虑。
有一种方法可以通过覆盖转换器并将其设置在用户令牌转换器上来注入自定义用户详细信息服务,但这会覆盖默认配置并创建相当复杂的代码,如下所示:
@Configuration
@EnableResourceServer
public class ResourceServerPingConfig extends ResourceServerConfigurerAdapter {
@Autowired
PingFederateAccessTokenConverter converter;
@Autowired
CustomUserDetailsService customUserDetailsService;
@Override
public void configure(ResourceServerSecurityConfigurer config) {
config.tokenServices(tokenServices()).resourceId("swissre");
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
return defaultTokenServices;
}
@Bean
public TokenStore tokenStore() {
DefaultUserAuthenticationConverter userAuthConverter = new DefaultUserAuthenticationConverter();
userAuthConverter.setUserDetailsService(customUserDetailsService);
DefaultAccessTokenConverter accessTokenConverter =
(DefaultAccessTokenConverter) converter.getAccessTokenConverter();
accessTokenConverter.setUserTokenConverter(userAuthConverter);
return new JwtTokenStore(converter);
}
@Bean
public RequestContextListener requestContextListener() {
return new RequestContextListener();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
.authorizeRequests().anyRequest().fullyAuthenticated();
}
}
现在我的问题是:有人指出我这边可能有错误的想法,或者只是在使用资源服务器配置时注入用户详细信息服务的更好,更简单的方法?
添加:
我意识到,我应该添加OAuth2配置:
security:
oauth2:
client:
client-id: xxxxx
client-secret: yyyy
access-token-uri: https://dev-aaaaaa.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-aaaaaa.oktapreview.com/oauth2/default/v1/authorize
scope: openid profile email
resource:
user-info-uri: https://dev-aaaaaa.oktapreview.com/oauth2/default/v1/userinfo
token-info-uri: https://dev-aaaaaa.oktapreview.com/oauth2/default/v1/introspect
prefer-token-info: false