Spring Boot - OAuth2 - All requests are being forbidden
I have a Spring Boot application with REST enabled through OAuth (it is both the application/authorization server and the resource server).
MyApplication.java
@SpringBootApplication
@EnableResourceServer
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}
OAuthConfig.java
@Configuration
@EnableAuthorizationServer
public class OAuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;
    private TokenStore tokenStore = new InMemoryTokenStore();
    @Autowired
    private AuthenticationManager authenticationManager;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
        configurer.tokenStore(tokenStore);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient("app")
            .secret("secret")
            .accessTokenValiditySeconds(120)
            .refreshTokenValiditySeconds(600)
            .scopes("read", "write")
            .authorizedGrantTypes("password", "refresh_token")
            .resourceIds("resources");
    }
}
SimpleCorsFilter.java
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
WebSecurityConfig.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/signup");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}
TestController.java
@RestController
public class TestController {
    @Autowired
    private PanelService testService;

    @PostMapping("/test")
    public Panel getTest() throws Exception {
        return testService.get();
    }
}
I can successfully generate a token, and I can also obtain a new one by calling refresh_token with the setup above. The problem is that my REST call returns data whether or not a token is passed. /test
always returns data, with or without a token.
I also tried other options in HTTP security. Even when I use a valid token, the following always throws "Forbidden".
http.csrf().disable()
    .authorizeRequests()
        .antMatchers("/signup").permitAll()
    .and()
    .authorizeRequests()
        .anyRequest().authenticated()
    .and()
    .httpBasic();
What am I doing wrong?
I am answering my own question to help anyone who faces a similar problem.
Set the following property in the application.properties file
security.oauth2.resource.filter-order=3
Also, in the WebSecurityConfigurerAdapter, add the following lines when configuring HttpSecurity (I'm not sure how this code works; I'm still looking into it)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        ...
}
The code above is taken from the two examples below (see the GitHub code)
http://www.svlada.com/jwt-token-authentication-with-spring-boot/
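The following is an added example, not code from the question or the answer. Both symptoms in the question are a filter-chain ordering problem: a WebSecurityConfigurerAdapter's chain runs at order 100, which in Spring Boot 1.x is ahead of the OAuth2 resource-server chain, and since that adapter declares no request matcher it claims every request. With only csrf().disable() it enforces no authorization rule, so /test is open; with anyRequest().authenticated() plus httpBasic() it expects Basic credentials and never consults the bearer token. The answer's security.oauth2.resource.filter-order=3 moves the resource-server chain in front. The cleaner fix is to put the authorization rules in a ResourceServerConfigurerAdapter, so that they are evaluated by the chain that actually validates the token. The class name ResourceConfig, the scope check on /test and the OPTIONS rule are assumptions; the resource id "resources" and the paths come from the question.

```java
// Added example (not the asker's code). Replaces @EnableResourceServer on
// MyApplication: the annotation moves here so the rules below belong to the
// OAuth2 resource-server chain. Keep the answer's property in
// application.properties so this chain runs before WebSecurityConfig:
//   security.oauth2.resource.filter-order=3
// Assumes Spring Boot 1.5 with spring-security-oauth2, as in the question.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    // Assumed name; must equal the resourceIds("resources") registered for
    // client "app" in OAuthConfig, otherwise every token is rejected as
    // "Invalid token does not contain resource id".
    private static final String RESOURCE_ID = "resources";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId(RESOURCE_ID)
            // Bearer tokens only: never fall back to an HTTP session.
            .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // No cookie-based session means no CSRF surface; tokens are
            // sent explicitly in the Authorization header.
            .csrf().disable()
            .authorizeRequests()
                // CORS preflight carries no Authorization header, so it must
                // be allowed through (the SimpleCorsFilter answers it anyway).
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Registration is public, matching web.ignoring() in the question.
                .antMatchers("/signup").permitAll()
                // /test needs a valid token that carries the "read" scope
                // (assumed policy; the question only requires "a token").
                .antMatchers("/test").access("#oauth2.hasScope('read')")
                // Everything else: token required, any scope.
                .anyRequest().authenticated();
    }
}
```

With this in place the expected behaviour is: POST /test with no Authorization header returns 401 with an OAuth2 error body, POST /test with an expired or non-"read" token returns 401 or 403 respectively, and POST /test with a fresh token from /oauth/token returns the Panel. WebSecurityConfig can then shrink to the /signup ignore rule, since it no longer decides anything for token-protected paths.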