[英]Issues while implementing the authorization code grant in spring
到目前为止,我已经拥有密码授予类型,并且可以很好地工作。 最近,我开始在我的项目中实现OAuth的授权代码授予。 我可以从服务器获取授权码。 使用代码,我再次能够获得访问令牌。
问题是我无法使用访问令牌访问资源服务器。 我重新导向到Spring的默认/login
页面,每次我尝试访问任何资源。
以下是资源服务器 :
@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter{
@Value("${security.oauth2.resource.id}")
private String resourceId;
@Bean
public JdbcTokenStore getTokenStore() {
return new JdbcTokenStore(dataSource);
}
@Autowired
private DataSource dataSource;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/oauth/**","/login","/").permitAll()
.anyRequest().authenticated();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(getTokenStore())
.resourceId(resourceId).stateless(false);
}
}
网络安全:
@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class CustomWebsecurity extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/oauth/**","/login","/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
}
AuthorizationServer:
@Configuration
@EnableAuthorizationServer
@EnableOAuth2Sso
protected class AuthorizationApplication extends AuthorizationServerConfigurerAdapter {
@Autowired
public AuthorizationApplication (ApplicationContext applicationContext, AuthenticationManager authenticationManager) {
this.passwordEncoder = applicationContext.getBean(PasswordEncoderImpl.class);
this.authenticationManager = authenticationManager;
}
private PasswordEncoder passwordEncoder;
private AuthenticationManager authenticationManager;
@Bean
protected AuthorizationCodeServices getAuthorizationCodeServices() {
return new JdbcAuthorizationCodeServices(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
AuthorizationCodeServices services = getAuthorizationCodeServices();
JdbcTokenStore tokenStore = getTokenStore();
endpoints
.userDetailsService(userDetailsService)
.authorizationCodeServices(services)
.authenticationManager(authenticationManager)
.tokenStore(tokenStore)
.approvalStoreDisabled();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
security.passwordEncoder(passwordEncoder);
}
}
该问题可能是由于WebSecurity类的某些错误配置所致。 但是,我尝试了多种配置,但是没有运气。
从@dur一些指导,我是能够达到的解决方案。 这是罪魁祸首之一 :
在OAuth2用户资源滤波器的默认顺序从3改为SecurityProperties.ACCESS_OVERRIDE_ORDER - 1,这地方就在执行端点后,但在基本认证过滤器链之前。 可以通过设置security.oauth2.resource.filter-order = 3来恢复默认值
总而言之,我进行了以下更改:
使用@EnableOauth2Client
代替@EnableOAuth2Sso
在ResourceServer
还有AuthorizationServer
,因为后者是给我下面的错误:
java.lang.IllegalArgumentException: URI must not be null
删除CustomWebSecurity
并没有在所有的安全配置ResourceServer
本身。
通过将下面的属性更改资源滤波器的滤波顺序文件:
security.oauth2.resource.filter-order = 3
在安全配置一些基本的变化。
这里是我的ResourceServer
类现在:
@Configuration
@PropertySource("classpath:webservices-application.properties")
@EnableResourceServer
@EnableOAuth2Sso
public class ResourceServer extends ResourceServerConfigurerAdapter{
@Value("${security.oauth2.resource.id}")
private String resourceId;
@Bean
public JdbcTokenStore getTokenStore() {
return new JdbcTokenStore(dataSource);
}
@Autowired
private DataSource dataSource;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requestMatchers().antMatchers(
"/protected_uri_1",
"/protected_uri_2",
"/protected_uri_3")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and().formLogin();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(getTokenStore())
.resourceId(resourceId);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.