堆棧內存溢出
  簡體   English   中英

在Spring Security Oauth2中使用RemoteTokenServices配置資源服務器

[英]Configuring resource server with RemoteTokenServices in Spring Security Oauth2

 原文  2016-11-15 10:30:58       java/ xml/ spring/ spring-security/ spring-security-oauth2

問題描述

我正在嘗試使用spring security oauth2實現授權服務器和資源服務器。 到目前為止,我已設法設置授權服務器,因為我不想共享一個jdbc令牌存儲,我正在嘗試使用remoteTokenService來驗證我的令牌@資源服務器。 但是每當我嘗試訪問資源REST方法時,我都會收到401錯誤。

由於項目的性質,我正在使用xml配置來設置spring安全性。 我已嘗試使用Javaconfig的另一個示例項目,並且其工作正常。

這是我在資源服務器中的配置。

web.xml中 

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0" metadata-complete="true">

    <display-name>rest-project</display-name>
    <description>rest project Implementation</description>

    <!--
        - Location of the XML file that defines the root application context.
        - Applied by ContextLoaderListener.
    -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/*.xml</param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!--
    - Servlet that dispatches request to registered handlers (Controller implementations).
    -->
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring/mvc-core-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</web-app>

這是我的security-config.xml 

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
             xmlns:p="http://www.springframework.org/schema/p"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
                        http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">



    <http pattern="/cards/**" use-expressions="true" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint">
        <anonymous enabled="false"/>
        <intercept-url pattern="/cards/**" access="isAuthenticated()" requires-channel="https"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <oauth2:resource-server id="resourceServerFilter" resource-id="connector-bus" token-services-ref="tokenServices"/>

    <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
        <beans:property name="checkTokenEndpointUrl" value="https://localhost:8443/auth-server/api/oauth/check_token"/>
        <beans:property name="clientId" value="123456" />
        <beans:property name="clientSecret" value="456"/>
    </beans:bean>


    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                </user-service>
        </authentication-provider>
    </authentication-manager>


    <beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>

    <beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
</beans:beans>

請指出我在這里缺少的東西。

提前致謝。

4 個解決方案

解決方案1
 5  2016-11-16 07:13:41

出於某種原因,我無法使xml配置工作以遠程驗證訪問令牌。 但我能夠使用java配置設置oauth2資源服務器,它解決了這個問題。 請在下面找到代碼。 

@Configuration
@EnableWebSecurity
@EnableResourceServer
public class Oauth2ResesourceServerConfiguration  extends ResourceServerConfigurerAdapter{


    @Override
    public void configure(HttpSecurity http) throws Exception {
         http.authorizeRequests()
                .antMatchers(HttpMethod.GET,"/api/**").access("#oauth2.hasScope('read')");
    }

    @Primary
    @Bean
    public RemoteTokenServices tokenService() {
        RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl(
                "https://localhost:8443/auth-server/oauth/check_token");
        tokenService.setClientId("client-id");
        tokenService.setClientSecret("client-secret");
        return tokenService;
    }



}

解決方案2
 0  2017-09-14 07:47:32

/oauth/check_token必須單獨配置權限,默認為'denyAll'。 如果在屬性中添加logging.level.org.springframework.security=DEBUG ,則可以找到以下日志記錄行: 

2017-09-14 14:52:01.379  INFO 15591 --- [           main] b.a.s.AuthenticationManagerConfiguration : 
Using default security password: f1f7e508-4a30-4aad-914f-d0e90da6079a
2017-09-14 14:52:01.775 DEBUG 15591 --- [           main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'fullyAuthenticated', for Ant [pattern='/oauth/token']
2017-09-14 14:52:01.872 DEBUG 15591 --- [           main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/token_key']
2017-09-14 14:52:01.879 DEBUG 15591 --- [           main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'denyAll()', for Ant [pattern='/oauth/check_token']

我不知道如何在xml中允許它,但是通過javaconfig如下 

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
        // security.checkTokenAccess("permitAll");
    }
}

我找到了如何使用XML使用Spring Security Oauth2啟用/ oauth / check_token 也許有幫助。

解決方案3
 0  2017-12-26 18:19:28

除了在https://stackoverflow.com/a/40626102/3044680中說明你的tokenService方法@Primary ,從springboot 1.5開始,將security.oauth2.resource.filter-order = 3添加到application.properties

解決方案4
 -1  2017-08-24 17:04:53

您可以通過屬性配置簡化這項工作。 嘗試將它放在application.yml中,以及/ cards / URI的HttpSecurity配置。 

security:
  oauth2:
    resource:
      token-info-uri: https://[your token validation endpoint]
      preferTokenInfo: true

@EnableWebSecurity和@EnableResourceServer是重復的。 您不需要@EnableWebSecurity。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Spring security - oauth2 資源服務器測試 Spring Security OAuth2純資源服務器 ExtractAuthentication上的Spring Oauth2 RemoteTokenServices錯誤 我是否需要具有Spring Security OAuth2的資源服務器? Oauth2資源服務器與Spring Security配置重疊 Spring Boot Oauth2-授權與資源服務器之間的安全性不兼容 Spring Security OAuth2使用主機和端口將資源服務器連接到授權服務器URL Spring OAuth2資源服務器的Java配置 設置基於Spring安全性的OAuth2服務器 如何在Java中使用Spring Security OAuth2在資源服務器中動態配置Httpsecurity?
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM