我正在创建一个Spring Boot应用程序并实现oauth JDBC令牌存储。我已经在同一应用程序中实现了授权服务器和资源服务器。令牌已生成,并使用授权服务器代码保存在数据库中,但是当我尝试访问资源服务器时,却收到401未经授权的错误代码。
Access Token generation:
{
"access_token": "9fb18582-1096-4c7e-b06c-b571c6d4dfde",
"token_type": "bearer",
"refresh_token": "cb7b5d6f-f765-4e99-9282-a8a2a31cb39b",
"expires_in": 3123,
"scope": "read write"
}
访问资源服务器:
{
"timestamp": "2019-04-24T16:12:18.326+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/secured/company/"
}
我在访问资源URL时已在标头中传递了授权承载9fb18582-1096-4c7e-b06c-b571c6d4dfde。下面是它的源代码:
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(ServerSecurityConfig.class)
public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("dataSource")
private DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder oauthClientPasswordEncoder;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
return new OAuth2AccessDeniedHandler();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()")
.passwordEncoder(oauthClientPasswordEncoder);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
}
@Configuration
@EnableWebSecurity
@Order(1)
@Import(Encoders.class)
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder userPasswordEncoder;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "resource-server-rest-api";
private static final String SECURED_READ_SCOPE = "#oauth2.hasScope('read')";
private static final String SECURED_WRITE_SCOPE = "#oauth2.hasScope('write')";
private static final String SECURED_PATTERN = "/secured/**";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers(SECURED_PATTERN).and().authorizeRequests()
.antMatchers(HttpMethod.GET, SECURED_PATTERN).access(SECURED_WRITE_SCOPE).anyRequest()
.access(SECURED_READ_SCOPE);
}
}
在控制器类下面:
@RestController
@RequestMapping("/secured")
public class CompanyController {
@RequestMapping(value="/company",method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("hasAuthority('COMPANY_READ')")
public @ResponseBody
String getAll() {
return "Hello World!";
}
}
我的申请是指https://dzone.com/articles/secure-spring-rest-with-spring-security-and-oauth2。有人可以建议遇到资源服务器时出了什么问题吗?