在Spring Security Oauth2中使用RemoteTokenServices配置资源服务器
[英]Configuring resource server with RemoteTokenServices in Spring Security Oauth2
问题描述
I'm trying to implement a authorization server and a resource server using spring security oauth2. 
我正在尝试使用spring security oauth2实现授权服务器和资源服务器。 So far i've managed to setup the authorization server and since i dont want to share a jdbc token store i'm trying to use the remoteTokenService to validate my tokens @ resource server. 到目前为止,我已设法设置授权服务器,因为我不想共享一个jdbc令牌存储,我正在尝试使用remoteTokenService来验证我的令牌@资源服务器。 But i'm getting a 401 error every time i try to access a resource REST method. 但是每当我尝试访问资源REST方法时,我都会收到401错误。
I'm using xml configuration to setup spring security due to the nature of the project. 由于项目的性质,我正在使用xml配置来设置spring安全性。 I've tried with a another sample project using Javaconfig and its working fine. 我已尝试使用Javaconfig的另一个示例项目,并且其工作正常。
Here are my configuration in the resource server. 这是我在资源服务器中的配置。
web.xml web.xml中
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0" metadata-complete="true">
<display-name>rest-project</display-name>
<description>rest project Implementation</description>
<!--
- Location of the XML file that defines the root application context.
- Applied by ContextLoaderListener.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/*.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--
- Servlet that dispatches request to registered handlers (Controller implementations).
-->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/mvc-core-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
here is my security-config.xml 这是我的security-config.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
<http pattern="/cards/**" use-expressions="true" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint">
<anonymous enabled="false"/>
<intercept-url pattern="/cards/**" access="isAuthenticated()" requires-channel="https"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<oauth2:resource-server id="resourceServerFilter" resource-id="connector-bus" token-services-ref="tokenServices"/>
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
<beans:property name="checkTokenEndpointUrl" value="https://localhost:8443/auth-server/api/oauth/check_token"/>
<beans:property name="clientId" value="123456" />
<beans:property name="clientSecret" value="456"/>
</beans:bean>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
</beans:beans>
Please point out what i'm missing here. 请指出我在这里缺少的东西。
Thanks in advance. 提前致谢。
4 个解决方案
解决方案1
5 2016-11-16 07:13:41
For some reason i couldn't get the xml configuration working to validate access tokens remotely. 出于某种原因,我无法使xml配置工作以远程验证访问令牌。 But I was able to setup oauth2 resource server using java config and it fixed the issue. 但我能够使用java配置设置oauth2资源服务器,它解决了这个问题。 Please find the code below. 请在下面找到代码。
@Configuration
@EnableWebSecurity
@EnableResourceServer
public class Oauth2ResesourceServerConfiguration extends ResourceServerConfigurerAdapter{
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(HttpMethod.GET,"/api/**").access("#oauth2.hasScope('read')");
}
@Primary
@Bean
public RemoteTokenServices tokenService() {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl(
"https://localhost:8443/auth-server/oauth/check_token");
tokenService.setClientId("client-id");
tokenService.setClientSecret("client-secret");
return tokenService;
}
}
解决方案2
0 2017-09-14 07:47:32
/oauth/check_token must configure permission separately, it is 'denyAll' by default. /oauth/check_token必须单独配置权限,默认为'denyAll'。 If you add logging.level.org.springframework.security=DEBUG in properties, you can found the following logging lines: 如果在属性中添加logging.level.org.springframework.security=DEBUG ,则可以找到以下日志记录行:
2017-09-14 14:52:01.379 INFO 15591 --- [ main] b.a.s.AuthenticationManagerConfiguration :
Using default security password: f1f7e508-4a30-4aad-914f-d0e90da6079a
2017-09-14 14:52:01.775 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'fullyAuthenticated', for Ant [pattern='/oauth/token']
2017-09-14 14:52:01.872 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/token_key']
2017-09-14 14:52:01.879 DEBUG 15591 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/check_token']
I don't know how to permit it in xml, but by javaconfig as follow 我不知道如何在xml中允许它,但是通过javaconfig如下
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.checkTokenAccess("isAuthenticated()");
// security.checkTokenAccess("permitAll");
}
}
I found How to enable /oauth/check_token with Spring Security Oauth2 using XML . 我找到了如何使用XML使用Spring Security Oauth2启用/ oauth / check_token 。 Maybe help. 也许有帮助。
解决方案3
0 2017-12-26 18:19:28
除了在https://stackoverflow.com/a/40626102/3044680中说明你的tokenService方法@Primary ,从springboot 1.5开始,将security.oauth2.resource.filter-order = 3添加到application.properties
解决方案4
-1 2017-08-24 17:04:53
You may be able to get this working simply through property config. 您可以通过属性配置简化这项工作。 Try putting this in your application.yml, along with your HttpSecurity config for the /cards/ URI. 尝试将它放在application.yml中,以及/ cards / URI的HttpSecurity配置。
security:
oauth2:
resource:
token-info-uri: https://[your token validation endpoint]
preferTokenInfo: true
Having @EnableWebSecurity and @EnableResourceServer is duplicative. @EnableWebSecurity和@EnableResourceServer是重复的。 You do not need @EnableWebSecurity. 您不需要@EnableWebSecurity。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.