
如何為未經授權的用戶配置Spring Security + oAuth2

[英]How to configure Spring security + oAuth2 for unauthorized users

我的Spring後端配置如下

/**
 * Web security for the Spring backend: a Mongo-backed authentication provider,
 * form login at /login, and URL authorization rules.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

// Custom provider that authenticates form logins against MongoDB (implementation not shown here).
@Autowired
MongoDBAuthenticationProviderService authenticationProvider;

/**
 * Registers the Mongo provider with the global AuthenticationManager.
 * Presumably this is the same manager that AuthenticationConfig injects for
 * the OAuth2 token endpoint — confirm.
 */
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider);
}

/**
 * HTTP rules: everything under /loadingObjectController/ is public; every other
 * URL requires an authenticated session obtained through the /login form.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): CSRF protection is switched off while cookie-based form login is on,
    // so any state-changing endpoint can be driven by a cross-site request. A browser
    // client can instead be given the CSRF token (e.g. via a readable cookie) — confirm
    // that disabling it is intended.
    http.csrf().disable();
    // Only paths starting with /loadingObjectController/ bypass authentication.
    // The controller on this page is mapped at /loadingObjectController/getCoordinates,
    // but the Ember call targets a bare /getCoordinates, which falls into
    // anyRequest().authenticated() and is answered with 401 for an unauthenticated session.
    http
            .authorizeRequests()
            .antMatchers("/loadingObjectController/**").permitAll()
            .anyRequest().authenticated();

    // Form login at /login (the page itself is public), logout open to all,
    // and /403 rendered when an authenticated user lacks authority.
    http
            .formLogin().permitAll().loginPage("/login").usernameParameter("username").passwordParameter("password")
            .and()
            .logout().permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403");
   }
}

/**
 * OAuth2 authorization server: a single in-memory client read from {@code oauth.*}
 * properties, tokens kept in memory, and users authenticated through the injected
 * AuthenticationManager.
 */
@Configuration
@EnableAuthorizationServer
public class AuthenticationConfig extends AuthorizationServerConfigurerAdapter {

// Client registration values, all externalised to application properties.
@Value("${oauth.client-id}")                     private String client_id;
@Value("${oauth.client-secret}")                 private String client_secret;
@Value("${oauth.authorized-grant-types}")        private String grant_types;     // comma-separated
@Value("${oauth.access-token-validity-seconds}") private Integer validity_seconds;
@Value("${oauth.scope}")                         private String scope;           // comma-separated

// Presumably the manager built in SecurityConfig.configureGlobal (Mongo provider) — confirm.
@Autowired
private AuthenticationManager auth;

/** Tokens live only in this JVM: they are lost on restart and not shared across instances. */
@Bean
public TokenStore tokenStore() {
    return new InMemoryTokenStore();
}

/**
 * Token endpoint wiring.
 * NOTE(review): allowing GET on the token endpoint means client credentials and, if the
 * password grant is enabled, user passwords travel in the query string (server logs,
 * proxies, browser history). The default of POST only is the safer choice — confirm
 * that GET is actually required by a client.
 */
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)throws Exception {
    endpoints
            .authenticationManager(auth).tokenStore(tokenStore())
            .allowedTokenEndpointRequestMethods(HttpMethod.POST, HttpMethod.GET, HttpMethod.OPTIONS);
}

/**
 * Security of the authorization server's own endpoints:
 * - the check_token endpoint is open to everyone, so any holder of a token string can
 *   introspect it; restricting it to authenticated clients is the usual setting.
 * - clients may send client_id/client_secret as form fields instead of HTTP Basic.
 */
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer

            .checkTokenAccess("permitAll()")   
            .allowFormAuthenticationForClients();
 }

/**
 * Single in-memory client. autoApprove(true) skips the user consent screen for every
 * scope. The secret is used exactly as read from the property; if a PasswordEncoder is
 * active in the deployed Spring Security version it must already be in encoded form —
 * confirm.
 */
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
            .withClient(client_id)
            .secret(client_secret)
            .authorizedGrantTypes(grant_types.split(","))
            .accessTokenValiditySeconds(validity_seconds)
            .scopes(scope.split(",")).autoApprove(true);
}
}

我有一個帶有登錄表單和索引頁面的Ember.js前端。身份驗證工作正常。但是當我從索引頁向Spring控制器發送GET請求時,卻得到了401(未授權)。

Ember 請求代碼:

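actions: {
    // Fetches the coordinates for the current viewport from the Spring backend.
    sendReq() {
        $.ajax({
            // The controller is mapped under /loadingObjectController, which is the
            // path the backend permits without a session; a bare /getCoordinates is
            // not, and is answered with 401. %b and %z look like unfilled
            // placeholders for the real bbox/zoom values — TODO confirm.
            url: 'http://192.168.13.108:8080/loadingObjectController/getCoordinates?bbox=%b&zoom=%z&filter=',
            // The controller requires a 'callback' parameter and answers with JSONP;
            // with dataType 'jsonp' jQuery appends callback=<generated name> itself.
            dataType: 'jsonp',
            // The original passed the result of console.log("Ok") (undefined) as the
            // handler, so it logged at setup time and never on success; wrap it.
            success: () => console.log("Ok")
        });
    }
}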

還有我的Spring Controller:

@RestController
@RequestMapping("/loadingObjectController")
public class LoadingObjectController {

@Autowired
private CoordinatesRepository coordinatesRepository;

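/**
 * Returns the objects inside a map viewport as a JSONP response.
 *
 * @param bbox          bounding box of the viewport, passed through unparsed
 * @param callback      name of the JSONP callback the client expects to be invoked
 * @param zoom          map zoom level
 * @param filterRequest filter expression, passed through unparsed
 * @return a (currently empty) JSON object wrapped in {@code callback(...)}
 * @throws IllegalArgumentException if {@code callback} is not a plain dotted JavaScript identifier
 */
@ResponseBody
@RequestMapping(value = "/getCoordinates", method = RequestMethod.GET)
public MappingJacksonValue getCoordinates(@RequestParam(value = "bbox") String bbox, @RequestParam(value = "callback") String callback,
                                          @RequestParam(value = "zoom") byte zoom, @RequestParam(value = "filter") String filterRequest) {
    // The callback name is echoed verbatim into the script body of the response, so an
    // unvalidated value lets a caller inject arbitrary JavaScript into the JSONP reply.
    // Reject anything that is not a dotted identifier; the value is deliberately not
    // repeated in the error message.
    if (!isSafeJsonpCallback(callback)) {
        throw new IllegalArgumentException("Invalid JSONP callback name");
    }

    System.out.println("bbox = " + bbox);
    System.out.println("zoom = " + zoom);
    System.out.println("filterRequest = " + filterRequest);
    // Typed map instead of the raw type. The coordinates lookup is not wired up yet
    // (coordinatesRepository is unused here), so the body is still an empty object.
    Map<String, Object> responseObject = new HashMap<>();
    MappingJacksonValue mappingJacksonValue = new MappingJacksonValue(responseObject);
    mappingJacksonValue.setJsonpFunction(callback);

    return mappingJacksonValue;
}

/**
 * Accepts only callback names made of ASCII letters, digits, {@code _} and {@code $},
 * optionally joined by dots (e.g. {@code jQuery1234_5678} or {@code app.onData}).
 */
private static boolean isSafeJsonpCallback(String callback) {
    return callback != null && callback.matches("[A-Za-z0-9_$]+(\\.[A-Za-z0-9_$]+)*");
}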

如何為這個請求配置Spring Security?

我剛剛為Resource Server添加了新配置,並添加了匿名訪問權限。

/**
 * Revised web security (second attempt): anonymous access made explicit,
 * /loadingObjects public, everything else requires a full (non-remember-me) login.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

// Custom provider that authenticates form logins against MongoDB (implementation not shown here).
@Autowired
MongoDBAuthenticationProviderService authenticationProvider;

/** Registers the Mongo provider with the global AuthenticationManager. */
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
// NOTE(review): CSRF stays disabled while cookie-based form login is active — confirm intended.
http.csrf().disable();

http
        // anonymous() is already on by default in WebSecurityConfigurerAdapter; this call
        // presumably just makes it explicit — confirm it is not expected to change behaviour.
        .anonymous()
        .and()
        // Exact match on /loadingObjects only. The controller is mapped at
        // /loadingObjectController/getCoordinates, which this rule does NOT cover, so that
        // request still falls through to fullyAuthenticated() below and gets 401.
        // Both authorizeRequests() calls in this chain configure the same registry.
        .authorizeRequests().antMatchers("/loadingObjects").permitAll()
        .and()
        .formLogin().permitAll().loginPage("/login").usernameParameter("username").passwordParameter("password")
        .and()
        .logout().permitAll()
        .and()
        // fullyAuthenticated(): anonymous and remember-me principals are rejected.
        .authorizeRequests().anyRequest().fullyAuthenticated()
        .and()
        .httpBasic().disable()
        .exceptionHandling().accessDeniedPage("/403")
        .and()
        // NOTE(review): this drops the X-Content-Type-Options: nosniff header and lets
        // browsers content-sniff responses; nothing on this page needs it off — confirm.
        .headers()
        .contentTypeOptions()
        .disable();
 }
} 

/**
 * OAuth2 resource server (the class name is a typo for "ResourceConfig").
 * NOTE(review): this chain duplicates the one in SecurityConfig. It declares no
 * requestMatchers(), so it presumably applies to every URL and, being a resource-server
 * chain, is ordered ahead of the WebSecurityConfigurerAdapter chain; every request outside
 * /loadingObjects/** then needs a bearer token and is otherwise answered with 401.
 * Restricting it with requestMatchers() to the API paths, or keeping only one of the two
 * chains, is the usual fix — confirm against the deployed spring-security-oauth2 version.
 */
@EnableResourceServer
@Configuration
public class ResourseConfig extends ResourceServerConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {

http
        .anonymous()   
        .and()
        // /loadingObjects/** still does not cover /loadingObjectController/getCoordinates.
        .authorizeRequests().antMatchers("/loadingObjects/**").permitAll()
        .and()
        // Form login on a resource-server chain is unusual: API clients are expected to
        // present a bearer token rather than a session — confirm this is intended.
        .formLogin().permitAll().loginPage("/login").usernameParameter("username").passwordParameter("password")
        .and()
        .logout().permitAll()
        .and()
        // fullyAuthenticated(): anonymous and remember-me principals are rejected.
        .authorizeRequests().anyRequest().fullyAuthenticated() 
        .and()
        .httpBasic().disable()
        .exceptionHandling().accessDeniedPage("/403")
        .and()
        // NOTE(review): removes the X-Content-Type-Options: nosniff header — confirm it is needed.
        .headers().contentTypeOptions()
        .disable();
  }
 }


