我正在尝试使用Spring Security oauth2通过@PreAuthorize(“ hasAuthority('perm2')”)之类的注释或WebSecurityConfigurerAdapter中的安全性配置来进行权限访问控制。但是,当我尝试访问时,总是会被禁止使用403由具有“ perm2”权限的用户登录后,由@PreAuthorize(“ hasAuthority('perm2')”)注释的api。我在ClientDetailsUserDetailsService中设置了断点,但加载的UserDetails不包含任何权限。此外,我发现我可以从AuthoritiesExtractor中提取包含“ perm2”的授权。
一种方法是重写UserDetailService,以便我可以通过AuthoritiesExtractor将权限设置为UserDetails。但是我的问题是:
这是最佳做法吗?还是我只是想念其他东西?
下面是我尝试过的代码,其次是baeldung tutorial
我的authserver代码在这里
@SpringBootApplication
@EnableResourceServer
@RestController
public class App extends SpringBootServletInitializer {
@GetMapping("/user/me")
public Principal user(Principal principal) {
return principal;
}
public static void main(String[] args) {
SpringApplication.run(App.class, args);
}
@Configuration
@EnableAuthorizationServer
public static class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@Override
public void configure(
AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("SampleClientId")
.secret(passwordEncoder.encode("secret"))
.authorizedGrantTypes("authorization_code")
.scopes("user_info")
.autoApprove(true)
.redirectUris("http://localhost:8082/ui/login", "http://localhost:8083/ui2/login");
}
}
@Configuration
@Order(1)
public static class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/login", "/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("john")
.password(passwordEncoder().encode("123"))
.roles("USER").authorities("perm1").and()
.withUser("tom")
.password(passwordEncoder().encode("123"))
.roles("USER")
.authorities("perm1", "perm2");
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
我的客户端配置在这里:
@Configuration
@EnableOAuth2Sso
@SpringBootApplication
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled =true)
public class App extends WebSecurityConfigurerAdapter {
@Bean
AuthoritiesExtractor authoritiesExtractor(){
return new FixedAuthoritiesExtractor();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/", "/login**")
.permitAll()
.anyRequest()
.hasAuthority("perm1").anyRequest()
.authenticated();
}
public static void main(String[] args) {
SpringApplication.run(App.class, args);
}
}
这是我的控制器:
@Controller
public class MyController {
@GetMapping("/securedPage")
@PreAuthorize("hasAuthority('perm2')")
public String securedPage() {
return "securedPage";
}
@GetMapping("/testPerm")
@PreAuthorize("hasAuthority('perm3')")
public @ResponseBody
String testPerm() {
return "This could not be happened!";
}
}
我期望的是:
当我用john登录时,访问SecurePage时被禁止。
但是当我用tom登录时,我可以访问securePage。
事实是无论我登录谁,我都会在下面进入禁止页面
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Fri May 24 11:29:09 CST 2019
There was an unexpected error (type=Forbidden, status=403).
Forbidden