Spring OAuth2 + User Registration
I am running into a problem with Spring OAuth2 again. I know this topic is not easy to advise on or to check code for, because we have so much configuration. My project has 3 different servers: an authentication server, a resource server and a frontend server. I want to put register.html for user registration in the frontend project (under the AngularJS files), but when I make a request to the relevant url (http://localhost:7080/app/#register) it redirects to the login page (http://localhost:9080/auth-service/login). For just a second I can see my register.html content, but after that it goes to the login page. The question is: where should I put this register.html, should it be under the frontend project or under the authentication server?
My authentication server and frontend server code is:
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class AuthServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
        auth.authenticationProvider(userAuthProviderService());
    }

    // Matches no request at all, so the CSRF filter never checks a token on this server
    private CsrfMatcher csrfRequestMatcher = new CsrfMatcher();

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        /*http.csrf().disable();*/
        http.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);
        http
            .formLogin().loginPage("/login").defaultSuccessUrl("/")
            /*.failureUrl("")*/.successHandler(new AuthSuccessHandler()).permitAll()
            .and()
            // Only these paths are handled by this filter chain
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access", "/register")
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    // UserAuthProviderService and AuthSuccessHandler are the poster's own classes (not shown)
    @Bean
    public UserAuthProviderService userAuthProviderService() {
        return new UserAuthProviderService();
    }

    private class CsrfMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            return false;
        }
    }
}
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
// Spring Cloud Security 1.0.x packages (OAuth2SsoConfigurerAdapter lives there)
import org.springframework.cloud.security.oauth2.sso.EnableOAuth2Sso;
import org.springframework.cloud.security.oauth2.sso.OAuth2SsoConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

@Configuration
@EnableAutoConfiguration
@RestController
@EnableZuulProxy
@EnableOAuth2Sso
@EnableOAuth2Client
public class UIServiceMain {

    public static void main(String[] args) {
        SpringApplication.run(UIServiceMain.class, args);
    }

    @Configuration
    protected static class SecurityConfiguration extends OAuth2SsoConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.logout().and()
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/", "/login", "/register.html").permitAll()
                .anyRequest().authenticated()
                .and().csrf().disable();
            http.headers().frameOptions().disable(); //FOR EMBED MAP
        }

        //unused
        // Copies the session CSRF token into an XSRF-TOKEN cookie that AngularJS reads back
        private Filter csrfHeaderFilter() {
            return new OncePerRequestFilter() {
                @Override
                protected void doFilterInternal(HttpServletRequest request,
                        HttpServletResponse response, FilterChain filterChain)
                        throws ServletException, IOException {
                    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                    if (csrf != null) {
                        Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                        String token = csrf.getToken();
                        if (cookie == null || token != null && !token.equals(cookie.getValue())) {
                            cookie = new Cookie("XSRF-TOKEN", token);
                            cookie.setPath("/");
                            response.addCookie(cookie);
                        }
                    }
                    filterChain.doFilter(request, response);
                }
            };
        }

        //unused
        // Expects the token back in the X-XSRF-TOKEN header instead of the default X-CSRF-TOKEN
        private CsrfTokenRepository csrfTokenRepository() {
            HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
            repository.setHeaderName("X-XSRF-TOKEN");
            return repository;
        }
    }
}
In your UI server, try creating a web security configuration with /register.html enabled, something like this:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain only handles /register.html
            .requestMatchers()
                .antMatchers("/register.html")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
Edit: or, in your current configuration, remove .antMatcher("/**").authorizeRequests()
and add and().authorizeRequests().anyRequest().authenticated()
so in the end it could look like this:
@Override
public void configure(HttpSecurity http) throws Exception {
    http.logout().and()
        // antMatchers() is a method of the authorizeRequests() registry, so the
        // registry has to be opened before the matchers are listed
        .authorizeRequests()
        .antMatchers("/index.html", "/home.html", "/", "/login", "/register.html").permitAll()
        .anyRequest().authenticated()
        .and().csrf().disable();
    http.headers().frameOptions().disable(); //FOR EMBED MAP
}
A few things:
I can't think of a good reason to put your *.html anywhere other than the frontend server.
Also, in general, you should allow public access to your static UI components, e.g. as @bilak mentioned:
.antMatchers("/index.html", "/home.html", "/", "/login","/register.html").permitAll()
If you are able to see the register.html
page (assuming an unauthenticated user), then it is already public.
Perhaps there is a web service call on register.html's
load event that sits behind Spring Security and triggers the auth flow.
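The following is an added example for the UI (frontend) server that is not code from the question or from either answer. It pulls the two answers together: the static pages and the registration page are permitted, and an unauthenticated call to a backend endpoint from register.html's load event answers with 401 instead of redirecting the browser to the auth server's login form. It assumes Spring Security 4.1 or later (CookieCsrfTokenRepository, HttpStatusEntryPoint, frameOptions().sameOrigin()); the /api/** paths and /api/register are hypothetical names for the backend calls the AngularJS app makes through the Zuul proxy. The configure(HttpSecurity) body only uses the HttpSecurity API, so it can also be dropped into the poster's OAuth2SsoConfigurerAdapter.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example for the UI server; not code from the question or the answers.
// Assumes Spring Security 4.1+. The /api/** paths are hypothetical names for the
// backend calls the SPA makes through the Zuul proxy.
@Configuration
public class UiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The SPA shell, the registration page and the endpoint it POSTs to
                // are public; everything else (including the rest of /api/**)
                // needs an authenticated session.
                .antMatchers("/", "/index.html", "/home.html", "/login", "/register.html").permitAll()
                .antMatchers(HttpMethod.POST, "/api/register").permitAll()
                .anyRequest().authenticated()
                .and()
            // Keep CSRF on instead of csrf().disable(): the token is written to a
            // readable XSRF-TOKEN cookie and expected back in the X-XSRF-TOKEN header,
            // which AngularJS $http sends automatically for same-origin requests.
            // This replaces the hand-written csrfHeaderFilter/csrfTokenRepository pair.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // An unauthenticated request to /api/** gets a plain 401 rather than a
            // 302 to the auth server's /login, so a data call fired while
            // register.html loads cannot bounce the whole page to the login form.
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                        new AntPathRequestMatcher("/api/**"))
                .and()
            // Allow framing by our own origin only (for the embedded map) instead of
            // removing the X-Frame-Options header entirely.
            .headers()
                .frameOptions().sameOrigin()
                .and()
            .logout();
    }
}
```

Whether the 401 mapping wins over the SSO login redirect for /api/** depends on which configurer registers its entry point first in the Spring Boot / Spring Cloud version in use, so verify it rather than assume it: a request to http://localhost:7080/api/anything without cookies (curl -i, or the browser's network tab) should show a 401 and no Location header pointing at http://localhost:9080/auth-service/login. The same network-tab check, looking for the first 302 after register.html is requested, is the quickest way to find which load-event call is the one triggering the auth flow.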
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site's URL or the original address.