
How do I enable OAuth2 for only certain classes in my Spring Boot Security OAuth2 app?

I followed this guide to add OAuth2

https://spring.io/guides/tutorials/bookmarks/#_securing_a_rest_service

But now it's requiring authentication for every single page!

$ curl -s http://localhost:8080/login 
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

I only want to use OAuth2 on the API in one specific class. I tried reading the reference for Spring Boot

https://docs.spring.io/spring-boot/docs/1.5.14.BUILD-SNAPSHOT/reference/htmlsingle/#boot-features-security

But it wasn't helpful at all! It gave 0 examples.

To customize it you normally use external properties and beans of type WebSecurityConfigurerAdapter (eg to add form-based login).
All of the above can be switched on and off or modified using external properties (security.*). To override the access rules without changing any other auto-configured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.

How do you customize it?! Which properties?! How do you configure to meet your needs?!

I tried setting application.properties

security.basic.enabled = false
security.ignored = /login

But it still requires OAuth2 authentication. I want to only enable OAuth2 for the class IShortUrlApiInteface and disable it for all other @Controllers .

Create a new class, extend ResourceServerConfigurerAdapter , and override method configure(HttpSecurity) .

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Paths that must stay reachable without an access token (login, error page, static assets, ...)
    String[] ignoredPaths = new String[]{
            "/robots.txt", "/error", "/login", "/doLogut", "/home", "/pageNotFound",
            "/css/**", "/js/**", "/fonts/**", "/img/**" // ... (further paths omitted in the answer)
    };

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            .antMatchers(ignoredPaths).permitAll()   // no authentication on the listed paths
            .anyRequest().authenticated()            // everything else must be authenticated
        .and()
            .httpBasic();
    }
}

In your case, you need to set the permission for login URI. If you are in micro service architecture, you need create resource configuration in every project/service.

  • security.oauth2.resource.user-info-uri defines authorization service URI
  • clientId defines your actual client id
  • In OAuth, every resource server needs a unique resource-id. Below is the example for the resource server.

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Primary;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

    @Configuration
    @EnableResourceServer
    public class ResourceConfig extends ResourceServerConfigurerAdapter {

        // URI of the authorization server's user-info endpoint (tokens are checked against it)
        @Value("${security.oauth2.resource.user-info-uri}")
        private String userInfoUri;

        @Value("${client-id}")
        private String clientId;

        @Override
        public void configure(final ResourceServerSecurityConfigurer resources) throws Exception {
            // Unique id of this resource server; tokens must carry it in their audience
            resources.resourceId("ig-user");
        }

        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/api/v1/user/activate/**").permitAll()
                .antMatchers("/api/v1/user/access/check/**").permitAll()
                .antMatchers("/api/v1/profile/exists/**").permitAll()
                .antMatchers("/api/v1/user/sign-up/**").permitAll()
                .antMatchers("/download/**").permitAll()
                .anyRequest().authenticated();
        }

        @Primary
        @Bean
        public UserInfoTokenServices tokenService() {
            final UserInfoTokenServices tokenService = new UserInfoTokenServices(userInfoUri, clientId);
            return tokenService;
        }
    }
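Both answers above keep the token check on every request and then list paths to exempt from it. The following is an added example (not code from either answer) that does the opposite, which is closer to what the question asks: it binds the resource-server filter chain only to the API prefix, so pages outside it are never asked for a bearer token and no list of exempted paths needs maintaining. It assumes the controller implementing IShortUrlApiInteface is mapped under /api/** (an assumption; adjust the pattern); requests outside that prefix fall through to whatever other filter chain the application defines.

```java
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Scopes the OAuth2 resource-server filter chain to the API only.
 *
 * With requestMatchers() the whole chain is skipped for any request that
 * does not match the pattern, so /login, /home, static assets and any page
 * added later are untouched by the token check. Conversely, every endpoint
 * under the API prefix is protected by default; a new API mapping cannot be
 * forgotten in an "ignored" list and end up accidentally public.
 */
@Configuration
@EnableResourceServer
public class ApiOnlyResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: the API controller (IShortUrlApiInteface) is mapped under /api.
    private static final String API_PATTERN = "/api/**";

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Attach this filter chain to API requests only.
            .requestMatchers().antMatchers(API_PATTERN)
            .and()
            .authorizeRequests()
                // Inside the API, every request needs a valid access token.
                .anyRequest().authenticated();
    }
}
```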
