[英]Spring Boot Security OAuth2 Authentication server and business server splitting
[英]How to add users to OAuth2 Auth server in spring boot/spring security
我正在使用 Spring Boot 和 AngularJS 构建一个 reddit 克隆。目前我有一个 rest 的帖子和评论存储库,用户登录时可以访问这些存储库。
安全配置文件
package com.example.MundaneHeroes.Configuration;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception
{
http.antMatcher("/**").authorizeRequests().antMatchers("/", "/login**", "/account/**").permitAll().anyRequest().authenticated().and().oauth2Login();
}
}
application.yml文件
server:
port: 8082
servlet:
session:
cookie:
name: UISESSION
spring:
h2:
console:
enabled: true
settings:
web-allow-others: true
datasource:
url: jdbc:h2:mem:testdb
driver-class-name: org.h2.Driver
password:
username: sa
security:
oauth2:
client:
registration:
custom-client:
client-id: R2dpxQ3vPrtfgF72
client-secret: fDw7Mpkk5czHNuSRtmhGmAGL42CaxQB9
client-name: Auth Server
scope: user_info
provider: custom-provider
redirect-uri-template: http://localhost:8082/login/oauth2/code/
client-authentication-method: basic
authorization-grant-type: authorization_code
provider:
custom-provider:
token-uri: http://localhost:8081/auth/oauth/token
authorization-uri: http://localhost:8081/auth/oauth/authorize
user-info-uri: http://localhost:8081/auth/user/me
user-name-attribute: name
我主要是按照这里的教程创建授权服务器
我的问题是我无法将用户添加到此授权服务器
我添加了一个用户实体和一个 JPA 用户存储库,并添加了代码来配置额外的接受教程中 1 之外的其他用户。 我已经覆盖了用户详细信息,所以我相信这是一个好的开始。
@Value("${user.oauth.user.username}")
private String username;
@Value("${user.oauth.user.password}")
private String password;
@Autowired
private UserService userDetailsService;
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth.inMemoryAuthentication().withUser(username).password(passwordEncoder().encode(password)).roles("ADMIN");
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
//auth to userService and password encoder
}
但是我不知道如何从客户创建新帐户的 /account/ 页面接受数据。
这是帐户的 html 代码。html
<!DOCTYPE html>
<html lang="en" ng-app="userApp">
<head>
<meta charset="UTF-8">
<title>Title</title>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular-route.js"></script>
<script src="account.js"></script>
<script src="bower_components/angular/angular.js"></script>
<link rel="stylesheet" href="../app.css" />
</head>
<body ng-controller="UserController">
Username <input ng-model="username"/><br>
Password <input ng-model="password"/><br>
Email <input ng-model="email"/><br>
<input type="button" value="Send" ng-click="postuser(username, password, email)" />
<p>StatusCode: {{statusval}}</p>
<p>Status: {{status}}</p>
<p>Response {{headers}}</p>
</body>
</html>
和 account.js
'use strict';
var userApp = angular.module('userApp', []);
userApp.controller('UserController', function UserController($scope, $http) {
$scope.username = null;
$scope.password = null;
$scope.email = null;
$scope.postuser = function(username, password, email){
var data = {
username: username,
password: password,
email: email
};
$http.post("http://localhost:8081/auth/users", JSON.stringify(data)).then (function (response){
if (response.data)
$scope.msg = "Post Data Submitted Successfully!";
}, function (response) {
$scope.msg = JSON.stringify(data)
$scope.statusval = response.status;
$scope.statustext = response.statusText;
$scope.headers = response.xhrStatus;
})
};
})
我一直在尝试修改原始代码中的 http 安全表达式
@Override
protected void configure(HttpSecurity http) throws Exception
{
//http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().anyRequest().authenticated().and().formLogin().permitAll();
// http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().antMatchers("/login").authenticated().and().formLogin().permitAll().and().authorizeRequests().antMatchers("/h2-console/**").anonymous();
//http.authorizeRequests().antMatchers("/h2-console/**").anonymous();
// http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().anyRequest().
// http.requestMatchers().antMatchers("/login", "/oauth/authorize");
//http.authorizeRequests().anyRequest().authenticated().and().formLogin().permitAll();
//http.antMatcher("/**").requestMatchers("/h2-console/**")
// http.requestMatchers().antMatchers("/login", "/oauth/authorize");
// http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
// .requestMatchers().antMatchers("/login", "/oauth/authorize");
// http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/h2-console/**").permitAll();
//to run h2 might use profiles later
http.csrf().disable();
http.headers().frameOptions().disable();
}
注释掉的都是我试过的
我在接受 POST 请求的 Auth 服务器中有一个 controller。 当我注释掉正常的 httpSecurity 表达式并添加代码以禁用 csrf 保护和禁用标头时,我可以创建帐户。 (显然这不是一个好的解决方案)
在这一点上我有点卡住了,我还怀疑这根本不是将数据发送到安全服务器的正确方法。 但是,我一直无法在网上找到任何指南
那么,任何人都可以帮助或指出我正确的方向吗?
我想出了这行代码来让一切正常
http
.csrf().disable()
.headers().frameOptions().disable()
.and()
.requestMatchers()
.antMatchers("/login")
.and()
.authorizeRequests()
.antMatchers("/login").authenticated()
.and().formLogin().permitAll()
.and()
.requestMatchers()
.antMatchers("/oauth/authorize")
.and()
.authorizeRequests()
.antMatchers("/oauth/authorize").authenticated()
.and().formLogin().permitAll()
.and().requestMatchers()
.antMatchers("/h2-console/**")
.and().authorizeRequests()
.antMatchers("/h2-console/**").permitAll()
.and().requestMatchers()
.antMatchers("/users")
.and()
.authorizeRequests().antMatchers("/users").permitAll()
.and()
.requestMatchers().antMatchers("/user/currentUser")
.and()
.authorizeRequests().antMatchers("/user/currentUser").permitAll();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.