I have set up Spring Security in my Spring Cloud Gateway application. When I fire it up, it takes me to an HTML page where I have to choose the preferred OAuth 2.0 type.

My pom (Spring Boot 2.3.12):
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
```
application.yml:

```yaml
spring:
  profiles: default
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://qa-abchc.cs195.force.com
      client:
        registration:
          sfdc:
            client-id: 3MVG9GnaLrwG9T5ZpEfaDCVDu7N4BibMIHajVSUG5F6epm
            scope: openid,email,phone,profile
            client-secret: fkdslfjklsdjflksjdflsj
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:7999/oauth2/callback/sfdc
          abc:
            client-id: OIDC_CLIENT
            scope: openid,email,phone,profile
            client-secret: dfjskldjflskfjls
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:7999/oauth2/callback/abc
        provider:
          sfdc:
            authorization-uri: https://qa-abchc.cs195.force.com/abcidp/services/oauth2/authorize
            token-uri: https://qa-abchc.cs195.force.com/abcidp/services/oauth2/token
          abc:
            authorization-uri: https://rrtrr.abc.com/fss/as/authorization.oauth2
            token-uri: https://rrtrr.abc.com/fss/as/token.oauth2
```
and

```java
@Configuration
@EnableWebFluxSecurity
public class OAuth2WebSecurity {

    // Note: the application.yml above defines issuer-uri under
    // spring.security.oauth2.resourceserver.jwt, not under client.provider.sfdc,
    // so this property key does not match the configuration shown.
    @Value("${spring.security.oauth2.client.provider.sfdc.issuer-uri}")
    String issuerUri;

    @Bean
    ReactiveJwtDecoder jwtDecoder() {
        return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        http.csrf().disable()
            .authorizeExchange()
                .pathMatchers("/favicon.ico", "/css/**", "/webjars/**",
                        "/api/v1.0/applications/**", "/api/v1.0/users/**", "/oauth2/**", "/login/**",
                        "/oauth2/callback/ge", "/*").permitAll()
                .anyExchange().authenticated()
                .and()
            .oauth2Login()
                .authorizationRequestResolver(authorizationRequestResolver(clientRegistrationRepository))
                .and()
            // authenticationManagerResolver is defined elsewhere and not shown in the question
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
        return http.build();
    }

    @Bean
    public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher("/login/{registrationId}"));
    }
}
```
When I try to access it in the browser, it goes to http://localhost:8080/login, which returns an HTML page where I can pick either of the OAuth providers mentioned in the YAML file.

Now how do I disable this HTML and make it choose the OAuth provider based on the context path?

localhost:8080/login/abc --> go to the abc authorization server
localhost:8080/login/sfdc --> go to the sfdc authorization server

After authentication it should go to a default REST controller or some filter class:

```java
@RestController
public class LoginController {

    @GetMapping("/oauth2/callback/ge")
    public String getLoginInfo(@AuthenticationPrincipal OidcUser principal) {
        System.out.println(principal.getAccessTokenHash());
        return "loginSuccess";
    }

    @GetMapping("/oauth2/callback/sfdc")
    public String getLoginSfdcInfo(@AuthenticationPrincipal OidcUser principal) {
        System.out.println(principal.getAccessTokenHash());
        return "loginSuccess";
    }
}
```
Answer (score: 1)

The login page is generated by Spring Security. You can disable it by specifying your own login page:

```java
.exceptionHandling().authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/my-custom-login-page"))
```

All this does is set an authentication entry point that redirects to /my-custom-login-page. This may not be what you want, but it does disable the default login page. If you don't have a page or redirect that you want when an unauthenticated user makes a request, you don't have to do a redirect. For example, return a 401 whenever the user is not authenticated:

```java
.exceptionHandling().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
```

In order to change the path of the authorization endpoint, you can use a ServerOAuth2AuthorizationRequestResolver to change the request matching:

```java
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver) {
    http
        // ...
        .oauth2Login().authorizationRequestResolver(authorizationRequestResolver);
    return http.build();
}

@Bean
public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(ReactiveClientRegistrationRepository clientRegistrationRepository) {
    return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
            new PathPatternParserServerWebExchangeMatcher("/login/{registrationId}"));
}
```

This will allow /login/abc and /login/sfdc to go to abc and sfdc respectively, according to your client registrations.

Finally, the callback is handled by Spring Security, so your controller will not be invoked. You will need to define an authentication success handler:

```java
.oauth2Login().authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/my-login-success-page"))
```

You can read more about this in the OAuth2 WebFlux section of the documentation.
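The three adjustments the answer describes (custom entry point, path-based authorization request resolver, success handler) combined into one WebFlux security configuration, as an added example that is not code from the question or the answer. It targets Spring Boot 2.3 / Spring Security 5.3 as in the question. The registration ids `abc` and `sfdc` and the `/oauth2/callback/{registrationId}` redirect-uri pattern are taken from the question's YAML; the package, class names and the `/login-success` path are hypothetical. Two things go beyond the answer's text: the `authenticationMatcher` call, because Spring's default callback matcher is `/login/oauth2/code/{registrationId}` and the question's `redirect-uri` values use a different path, and a narrower `permitAll` list, because the question's `/*` pattern would leave every top-level path unauthenticated.

```java
// Added example (not the question's or the answer's code). Package, class names and the
// /login-success path are hypothetical; registration ids abc/sfdc and the
// /oauth2/callback/{registrationId} redirect-uri pattern come from the question's YAML.
package com.example.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebFluxSecurity
public class GatewayLoginConfig {

    /** /login/{registrationId} starts the authorization-code flow for that registration. */
    @Bean
    public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher("/login/{registrationId}"));
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver) {
        http
            .authorizeExchange()
                // Only the login entry paths, the callback path and static assets are public;
                // everything else needs an authenticated session. The question's "/*" pattern
                // is deliberately left out: it would permit every top-level path.
                .pathMatchers("/login/**", "/oauth2/callback/**", "/favicon.ico", "/css/**", "/webjars/**")
                    .permitAll()
                .anyExchange().authenticated()
                .and()
            // 1. No generated login page: unauthenticated requests get a bare 401 instead of a
            //    redirect. RedirectServerAuthenticationEntryPoint("/login/abc") would instead
            //    send them straight to one provider.
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .oauth2Login()
                // 2. /login/abc and /login/sfdc select the registration from the path.
                .authorizationRequestResolver(authorizationRequestResolver)
                // Spring's default callback matcher is /login/oauth2/code/{registrationId};
                // the question's redirect-uri values use /oauth2/callback/{registrationId}.
                .authenticationMatcher(
                        new PathPatternParserServerWebExchangeMatcher("/oauth2/callback/{registrationId}"))
                // 3. The callback is consumed by Spring Security itself; redirect to our own
                //    endpoint afterwards instead of mapping a controller onto the callback path.
                .authenticationSuccessHandler(
                        new RedirectServerAuthenticationSuccessHandler("/login-success"));
        return http.build();
    }
}

/** Reached via the success handler's redirect; the OIDC user is already in the security context. */
@RestController
class LoginSuccessController {

    @GetMapping("/login-success")
    public String loginSuccess(@AuthenticationPrincipal OidcUser user) {
        // Only non-sensitive claims are returned; tokens and token hashes are not echoed to the browser.
        return "logged in as " + user.getSubject() + " via " + user.getIssuer();
    }
}
```

With this in place, an unauthenticated request to a protected route returns 401, `GET /login/abc` or `GET /login/sfdc` redirects to the matching authorization server, and after the provider calls back to `/oauth2/callback/{registrationId}` Spring Security finishes the login and redirects to `/login-success`, where the controller sees the `OidcUser`. CSRF protection is left at its default (enabled), since the authorization-code flow shown here uses only GET requests.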