[英]Spring Boot - OAuth2 - All requests are being forbidden
I have a spring boot application which enables REST with OAuth (both Application & Resource server). 我有一个弹簧启动应用程序,该应用程序可通过OAuth(应用程序和资源服务器)启用REST。
MyApplication.java MyApplication.java
@SpringBootApplication
@EnableResourceServer
public class MyApplication {
public static void main(String[] args) {
SpringApplication.run(MyApplication.class, args);
}
}
OAuthConfig.java OAuthConfig.java
@Configuration
@EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
private TokenStore tokenStore = new InMemoryTokenStore();
@Autowired
private AuthenticationManager authenticationManager;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
configurer.authenticationManager(authenticationManager);
configurer.userDetailsService(userDetailsService);
configurer.tokenStore(tokenStore);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("app")
.secret("secret")
.accessTokenValiditySeconds(120)
.refreshTokenValiditySeconds(600)
.scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token")
.resourceIds("resources");
}
}
SimpleCorsFilter.java SimpleCorsFilter.java
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
public SimpleCorsFilter() {
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
WebSecurityConfig.java WebSecurityConfig.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/signup");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
TestController.java TestController.java
@RestController
public class TestController {
@Autowired
private PanelService testService;
@PostMapping("/test")
public Panel getTest() throws Exception {
return testService.get();
}
}
I am successfully able to generate the token and also able to get a new token by calling the refresh_token using the above setup. 我可以成功生成令牌,也可以通过使用上述设置调用refresh_token获得新令牌。 The problem is that, my rest calls are also returning data irrespective of ouath token being passed or not.
问题在于,无论是否传递了令牌令牌,我的rest调用也都将返回数据。
/test
always returns data with or without the token. /test
始终返回带有或不带有令牌的数据。
I also tried different options in HTTP security. 我还尝试了HTTP安全性中的其他选项。 The below one always throws Forbidden even though I use a valid token.
即使我使用有效的令牌,下面的命令也会始终抛出“禁止”。
http.csrf().disable();
.authorizeRequests()
.antMatchers("/signup").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.httpBasic();
What am I doing wrong? 我究竟做错了什么?
I am answering my own question to help all those who are facing a similar problem. 我正在回答自己的问题,以帮助所有面临类似问题的人。
Set the following property in application.properties file 在application.properties文件中设置以下属性
security.oauth2.resource.filter-order=3
SpringBoot 1.5.x + Security + OAuth2 SpringBoot 1.5.x +安全性+ OAuth2
Setting Spring boot actuator with oAuth2 in the Authorisation server 在授权服务器中使用oAuth2设置Spring Boot执行器
Authentication is not working in spring boot 1.5.2 and Oauth2 验证在Spring Boot 1.5.2和Oauth2中不起作用
Also in WebSecurityConfigurerAdapter add the following lines in configuring HttpSecurity (I am not sure how this piece of code made it work - I am still investigating) 同样在WebSecurityConfigurerAdapter中,在配置HttpSecurity时添加以下几行(我不确定这段代码是如何工作的-我仍在调查中)
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
...
}
The above code is referenced in the below two examples (refer the GitHub code) 上面的代码在下面的两个示例中引用(请参阅GitHub代码)
https://medium.com/@nydiarra/secure-a-spring-boot-rest-api-with-json-web-token-reference-to-angular-integration-e57a25806c50 https://medium.com/@nydiarra/secure-a-spring-boot-rest-api-with-json-web-token-reference-to-angular-integration-e57a25806c50
http://www.svlada.com/jwt-token-authentication-with-spring-boot/ http://www.svlada.com/jwt-token-authentication-with-spring-boot/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.