繁体   English   中英

Spring Boot-OAuth2-禁止所有请求

[英]Spring Boot - OAuth2 - All requests are being forbidden

我有一个弹簧启动应用程序,该应用程序可通过OAuth(应用程序和资源服务器)启用REST。

MyApplication.java

@SpringBootApplication
@EnableResourceServer
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

OAuthConfig.java

@Configuration
@EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    private TokenStore tokenStore = new InMemoryTokenStore();
    @Autowired
    private AuthenticationManager authenticationManager;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
        configurer.tokenStore(tokenStore);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
        .inMemory()
        .withClient("app")
        .secret("secret")
        .accessTokenValiditySeconds(120)
        .refreshTokenValiditySeconds(600)
        .scopes("read", "write")
        .authorizedGrantTypes("password", "refresh_token")
        .resourceIds("resources");
    }
}

SimpleCorsFilter.java

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
        .ignoring()
        .antMatchers("/signup");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}

TestController.java

@RestController
public class TestController {
    @Autowired
    private PanelService testService;

    @PostMapping("/test")
    public Panel getTest() throws Exception {
        return testService.get();
    }
}

我可以成功生成令牌,也可以通过使用上述设置调用refresh_token获得新令牌。 问题在于,无论是否传递了令牌令牌,我的rest调用也都将返回数据。 /test始终返回带有或不带有令牌的数据。

我还尝试了HTTP安全性中的其他选项。 即使我使用有效的令牌,下面的命令也会始终抛出“禁止”。

http.csrf().disable();
.authorizeRequests()
.antMatchers("/signup").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.httpBasic();

我究竟做错了什么?

我正在回答自己的问题,以帮助所有面临类似问题的人。

在application.properties文件中设置以下属性

security.oauth2.resource.filter-order=3

同样在WebSecurityConfigurerAdapter中,在配置HttpSecurity时添加以下几行(我不确定这段代码是如何工作的-我仍在调查中)

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    ...
}

上面的代码在下面的两个示例中引用(请参阅GitHub代码)

https://medium.com/@nydiarra/secure-a-spring-boot-rest-api-with-json-web-token-reference-to-angular-integration-e57a25806c50

http://www.svlada.com/jwt-token-authentication-with-spring-boot/

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM