堆棧內存溢出
  簡體   English   中英

spring boot/spring security中如何將用戶添加到OAuth2 Auth服務器

[英]How to add users to OAuth2 Auth server in spring boot/spring security

 原文  2020-07-17 19:22:41       java/ spring/ spring-boot/ spring-security/ oauth-2.0

問題描述

我正在使用 Spring Boot 和 AngularJS 構建一個 reddit 克隆。目前我有一個 rest 的帖子和評論存儲庫,用戶登錄時可以訪問這些存儲庫。

安全配置文件

package com.example.MundaneHeroes.Configuration;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;



@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception
    {
        http.antMatcher("/**").authorizeRequests().antMatchers("/", "/login**", "/account/**").permitAll().anyRequest().authenticated().and().oauth2Login();

    }
}

application.yml文件

server:
  port: 8082
  servlet:
    session:
      cookie:
        name: UISESSION
spring:
  h2:
    console:
      enabled: true
      settings:
        web-allow-others: true
  datasource:
    url: jdbc:h2:mem:testdb
    driver-class-name: org.h2.Driver
    password:
    username: sa

  security:
    oauth2:
      client:
        registration:
          custom-client:
            client-id: R2dpxQ3vPrtfgF72
            client-secret: fDw7Mpkk5czHNuSRtmhGmAGL42CaxQB9
            client-name: Auth Server
            scope: user_info
            provider: custom-provider
            redirect-uri-template: http://localhost:8082/login/oauth2/code/
            client-authentication-method: basic
            authorization-grant-type: authorization_code
        provider:
          custom-provider:
            token-uri: http://localhost:8081/auth/oauth/token
            authorization-uri: http://localhost:8081/auth/oauth/authorize
            user-info-uri: http://localhost:8081/auth/user/me
            user-name-attribute: name

我主要是按照這里的教程創建授權服務器

教程

我的問題是我無法將用戶添加到此授權服務器

我添加了一個用戶實體和一個 JPA 用戶存儲庫,並添加了代碼來配置額外的接受教程中 1 之外的其他用戶。 我已經覆蓋了用戶詳細信息,所以我相信這是一個好的開始。


@Value("${user.oauth.user.username}")
    private String username;

    @Value("${user.oauth.user.password}")
    private String password;

    @Autowired
    private UserService userDetailsService;

    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.inMemoryAuthentication().withUser(username).password(passwordEncoder().encode(password)).roles("ADMIN");
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        //auth to userService and password encoder
    }

但是我不知道如何從客戶創建新帳戶的 /account/ 頁面接受數據。

這是帳戶的 html 代碼。html

<!DOCTYPE html>
<html lang="en" ng-app="userApp">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular-route.js"></script>
    <script src="account.js"></script>
    <script src="bower_components/angular/angular.js"></script>
    <link rel="stylesheet" href="../app.css" />
</head>
<body ng-controller="UserController">

Username <input ng-model="username"/><br>
Password <input ng-model="password"/><br>
Email <input ng-model="email"/><br>
<input type="button" value="Send" ng-click="postuser(username, password, email)" />


<p>StatusCode: {{statusval}}</p>

<p>Status: {{status}}</p>

<p>Response {{headers}}</p>

</body>
</html>

和 account.js

'use strict';


var userApp = angular.module('userApp', []);

userApp.controller('UserController', function UserController($scope, $http) {


    $scope.username = null;
    $scope.password = null;
    $scope.email = null;
    $scope.postuser = function(username, password, email){
        var data = {

            username: username,
            password: password,
            email: email
        };


        $http.post("http://localhost:8081/auth/users", JSON.stringify(data)).then (function (response){
            if (response.data)
                $scope.msg = "Post Data Submitted Successfully!";

        }, function (response) {
            $scope.msg = JSON.stringify(data)
            $scope.statusval = response.status;
            $scope.statustext = response.statusText;
            $scope.headers = response.xhrStatus;


        })
    };

})

我一直在嘗試修改原始代碼中的 http 安全表達式

 @Override
    protected void configure(HttpSecurity http) throws Exception
    {
       //http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
       http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().anyRequest().authenticated().and().formLogin().permitAll();

       // http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().antMatchers("/login").authenticated().and().formLogin().permitAll().and().authorizeRequests().antMatchers("/h2-console/**").anonymous();
        //http.authorizeRequests().antMatchers("/h2-console/**").anonymous();

       // http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().anyRequest().
       // http.requestMatchers().antMatchers("/login", "/oauth/authorize");
        //http.authorizeRequests().anyRequest().authenticated().and().formLogin().permitAll();
        //http.antMatcher("/**").requestMatchers("/h2-console/**")

      // http.requestMatchers().antMatchers("/login", "/oauth/authorize");

     // http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
            //  .requestMatchers().antMatchers("/login", "/oauth/authorize");

       // http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/h2-console/**").permitAll();
        //to run h2 might use profiles later
        http.csrf().disable();
        http.headers().frameOptions().disable();

    }

注釋掉的都是我試過的

我在接受 POST 請求的 Auth 服務器中有一個 controller。 當我注釋掉正常的 httpSecurity 表達式並添加代碼以禁用 csrf 保護和禁用標頭時,我可以創建帳戶。 (顯然這不是一個好的解決方案)

在這一點上我有點卡住了,我還懷疑這根本不是將數據發送到安全服務器的正確方法。 但是,我一直無法在網上找到任何指南

那么,任何人都可以幫助或指出我正確的方向嗎?

1 個解決方案

解決方案1
 0  2020-07-25 14:00:18

我想出了這行代碼來讓一切正常

http
    .csrf().disable()
    .headers().frameOptions().disable()
        .and()
            .requestMatchers()
                .antMatchers("/login")
        .and()
            .authorizeRequests()
                .antMatchers("/login").authenticated()
        .and().formLogin().permitAll()
        .and()
            .requestMatchers()
                .antMatchers("/oauth/authorize")
        .and()
            .authorizeRequests()
                .antMatchers("/oauth/authorize").authenticated()
        .and().formLogin().permitAll()
        .and().requestMatchers()
            .antMatchers("/h2-console/**")
        .and().authorizeRequests()
            .antMatchers("/h2-console/**").permitAll()
        .and().requestMatchers()
            .antMatchers("/users")
        .and()
            .authorizeRequests().antMatchers("/users").permitAll()
        .and()
            .requestMatchers().antMatchers("/user/currentUser")
        .and()
            .authorizeRequests().antMatchers("/user/currentUser").permitAll();

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Spring Boot Security OAuth2身份驗證服務器和業務服務器的拆分 Spring Boot Oauth2-授權與資源服務器之間的安全性不兼容 Spring Boot 1.5禁用OAuth2安全性 Spring Boot Security oauth2預檢問題 Spring boot 2.0.3 + 安全 + Oauth2 自動配置 Spring Boot OAuth2帶有自定義安全過濾器 Spring Boot + OAuth2安全和請求過濾器 如何為ADFS配置Spring Boot安全性OAuth2? 如何為未經授權的用戶配置Spring Security + oAuth2 如何在Spring Boot Security OAuth2應用程序中僅對某些類啟用OAuth2?
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM