
Spring Oauth2 + User Registration

I am having problems with Spring OAuth2 again. I know this topic is not easy to advise on or to check code for, because we have too many configurations. My project has 3 different servers: an authentication server, a resource server and a frontend server. I want to put register.html for user registration in the frontend project (under the AngularJS files), but when I make a request to the relevant URL (http://localhost:7080/app/#register) it redirects to the login page (http://localhost:9080/auth-service/login). For only a second I can see the content of my register.html, but then it goes to the login page. The question is, where should I put this register.html: should it be under the frontend project or the authentication server?

My authentication server and frontend server code is:

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Authentication server. AuthSuccessHandler and UserAuthProviderService are the
// project's own classes and are not shown in the question.
@Configuration
public class AuthServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    // Matcher that never matches, so no request is ever CSRF-checked; this has
    // the same effect as the commented-out http.csrf().disable() below.
    private CsrfMatcher csrfRequestMatcher = new CsrfMatcher();

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
        auth.authenticationProvider(userAuthProviderService());
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        /*http.csrf().disable();*/
        http.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);
        http
            .formLogin().loginPage("/login").defaultSuccessUrl("/")
            /*.failureUrl("")*/.successHandler(new AuthSuccessHandler()).permitAll()
            .and()
            // This filter chain only handles the listed paths; the authorization
            // server's own chain handles the token endpoints.
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access", "/register")
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    @Bean
    public UserAuthProviderService userAuthProviderService() {
        return new UserAuthProviderService();
    }

    private class CsrfMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            return false;
        }
    }
}

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.cloud.security.oauth2.sso.EnableOAuth2Sso;
import org.springframework.cloud.security.oauth2.sso.OAuth2SsoConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

// Frontend (UI) server: Zuul proxy plus OAuth2 single sign-on against the
// authentication server. OAuth2SsoConfigurerAdapter comes from Spring Cloud
// Security 1.0.x, so the imports above follow that version.
@Configuration
@EnableAutoConfiguration
@RestController
@EnableZuulProxy
@EnableOAuth2Sso
@EnableOAuth2Client
public class UIServiceMain {

    public static void main(String[] args) {
        SpringApplication.run(UIServiceMain.class, args);
    }

    @Configuration
    protected static class SecurityConfiguration extends OAuth2SsoConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // The listed pages are public; every other path needs an authenticated
            // session, otherwise the SSO entry point redirects to the auth server.
            http.logout().and()
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/", "/login", "/register.html").permitAll()
                .anyRequest().authenticated()
                .and().csrf().disable();
            http.headers().frameOptions().disable(); // FOR EMBED MAP
        }

        // unused: copies the CSRF token into an XSRF-TOKEN cookie for AngularJS
        private Filter csrfHeaderFilter() {
            return new OncePerRequestFilter() {
                @Override
                protected void doFilterInternal(HttpServletRequest request,
                        HttpServletResponse response, FilterChain filterChain)
                        throws ServletException, IOException {
                    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                    if (csrf != null) {
                        Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                        String token = csrf.getToken();
                        if (cookie == null || token != null && !token.equals(cookie.getValue())) {
                            cookie = new Cookie("XSRF-TOKEN", token);
                            cookie.setPath("/");
                            response.addCookie(cookie);
                        }
                    }
                    filterChain.doFilter(request, response);
                }
            };
        }

        // unused: session-backed token repository that reads the X-XSRF-TOKEN header
        private CsrfTokenRepository csrfTokenRepository() {
            HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
            repository.setHeaderName("X-XSRF-TOKEN");
            return repository;
        }
    }
}
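One detail of the authentication server configuration above is worth separating from the registration question: its CsrfMatcher returns false for every request, so the login form and the /oauth/confirm_access consent form are never CSRF-checked, exactly as if the commented-out http.csrf().disable() were active. The following is an added example, not code from the question or from either answer, of a matcher that keeps the check for state-changing methods, which mirrors Spring Security's default rule, placed beside the always-false version for contrast. It assumes Spring Security 4.x, and the main() method assumes the spring-test module for MockHttpServletRequest; the class name and the apply() helper are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (hypothetical class, not the question's code): requires a CSRF
 * token only for HTTP methods that can change state. This is the rule Spring
 * Security applies when no custom matcher is set, so the real fix for the
 * question's code is simply to drop its always-false CsrfMatcher.
 */
public class StateChangingRequestMatcher implements RequestMatcher {

    // Safe methods per RFC 7231: they must not change state, so no token is needed.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    @Override
    public boolean matches(HttpServletRequest request) {
        // true means "this request must carry a valid CSRF token"
        return !SAFE_METHODS.contains(request.getMethod().toUpperCase());
    }

    /** The question's always-false matcher, kept here only for comparison. */
    public static class NeverMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            return false; // no request is ever checked: CSRF is effectively off
        }
    }

    /** Hypothetical helper showing the call site inside configure(HttpSecurity). */
    public static void apply(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(new StateChangingRequestMatcher());
    }

    /** Stand-alone demonstration on constructed requests (needs spring-test). */
    public static void main(String[] args) {
        RequestMatcher checked = new StateChangingRequestMatcher();
        RequestMatcher unchecked = new NeverMatcher();
        // Constructed sample requests: the auth server's own form endpoints.
        MockHttpServletRequest loginPage = new MockHttpServletRequest("GET", "/login");
        MockHttpServletRequest loginPost = new MockHttpServletRequest("POST", "/login");
        MockHttpServletRequest consent = new MockHttpServletRequest("POST", "/oauth/confirm_access");
        for (MockHttpServletRequest r : Arrays.asList(loginPage, loginPost, consent)) {
            System.out.printf("%-5s %-22s default-style: %-5s question's matcher: %s%n",
                    r.getMethod(), r.getRequestURI(), checked.matches(r), unchecked.matches(r));
        }
    }
}
```

Only the GET of the login page is exempt under the state-changing rule; the credential POST and the consent POST both require the token. The UI server in the question disables CSRF as well, which matters less there only while every state-changing call it makes is proxied to token-authenticated backends.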

Try creating a WebSecurity in your UI server with /register.html enabled, something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // A separate filter chain that handles only /register.html and serves it
        // without authentication, so the SSO chain never sees that request.
        // It has to be ordered ahead of the SSO chain to be consulted first.
        http
            .requestMatchers()
            .antMatchers("/register.html")
            .and()
            .authorizeRequests()
            .anyRequest().permitAll();
    }
}

Edit: or, in your current configuration, remove .antMatcher("/**").authorizeRequests() and add and().authorizeRequests().anyRequest().authenticated()

So in the end it could look like this:

@Override
public void configure(HttpSecurity http) throws Exception {
    // Without .antMatcher("/**") the chain keeps its default of matching every
    // request; authorizeRequests() is called once, because a second
    // anyRequest() on the same chain is rejected by Spring Security.
    http.logout().and()
        .authorizeRequests()
        .antMatchers("/index.html", "/home.html", "/", "/login", "/register.html").permitAll()
        .anyRequest().authenticated()
        .and().csrf().disable();
    http.headers().frameOptions().disable(); // FOR EMBED MAP
}

A few things:

  • I can't think of a good reason to put your *.html anywhere other than the frontend server.

  • Also, in general, you should allow public access to your static UI components, e.g. as @bilak mentioned:

.antMatchers("/index.html", "/home.html", "/", "/login","/register.html").permitAll()

  • If you are able to see the register.html page (assuming an unauthenticated user), then it is already public.

  • Perhaps there is a web service call on register.html's load event that is triggering the auth flow behind Spring Security.
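Putting @bilak's permitAll suggestion and the last bullet together: the page shows for a second and then redirects because some request made while register.html loads (a stylesheet, a script, or the XHR the page fires on load) is not on the permitAll list, and @EnableOAuth2Sso answers any unauthenticated request on a protected path with a redirect to the authorization server. The following is an added example of a UI-server configuration, not the question's or either answerer's code, that lists the page, the static assets it loads and the registration POST as public while keeping everything else behind SSO, and that keeps CSRF enabled instead of switching it off. It assumes Spring Boot 1.3+ with spring-boot-starter-security and spring-cloud-starter-oauth2 (where @EnableOAuth2Sso goes on a WebSecurityConfigurerAdapter rather than the older OAuth2SsoConfigurerAdapter used in the question); the paths /api/register, /css/**, /js/** and /webjars/** and the class name are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example (hypothetical class, not the question's code). UI server security
 * for Spring Boot 1.3+: registration is reachable anonymously, the rest of the
 * application stays behind OAuth2 single sign-on.
 */
@Configuration
@EnableOAuth2Sso
public class UiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The registration page itself plus every asset it loads. Any of
                // these missing from the list makes the browser's request for it
                // hit the SSO entry point, which is the redirect the question sees.
                // (/css/**, /js/** and /webjars/** are hypothetical asset paths.)
                .antMatchers("/", "/index.html", "/home.html", "/register.html",
                             "/css/**", "/js/**", "/webjars/**").permitAll()
                // The XHR register.html makes on load. Only the registration POST
                // is public (hypothetical path); all other /api/** calls stay behind SSO.
                .antMatchers(HttpMethod.POST, "/api/register").permitAll()
                .anyRequest().authenticated()
                .and()
            // Keep CSRF on. The token is written to a readable XSRF-TOKEN cookie,
            // which AngularJS's $http echoes back as the X-XSRF-TOKEN header; this
            // is what the question's unused csrfHeaderFilter did by hand.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .logout().logoutSuccessUrl("/").permitAll()
                .and()
            // X-Frame-Options controls whether this site may be framed by others,
            // not whether it may embed an external map, so it can stay on; allow
            // same-origin framing rather than disabling the header.
            .headers().frameOptions().sameOrigin();
    }
}
```

With this chain in place, the GET of /register.html, its assets and the POST to /api/register never reach the SSO entry point, so no redirect fires; if the page still bounces, the browser's network tab will show which request received the 302 to localhost:9080, and that path belongs on the permitAll list or should not be called before login. Because the registration endpoint is reachable without a session, the controller behind it still needs the usual input validation and abuse controls, and the public /register.html response already carries the XSRF-TOKEN cookie the registration POST must present.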
