
spring-security - Spring Oauth2 独立资源服务器配置

转载 作者:行者123 更新时间:2023-12-03 18:03:19 27 4

我正在尝试为 oauth2 配置单独的身份验证和资源服务器。
我能够成功配置授权服务器并能够验证和生成访问 token 。现在我想配置一个资源服务器,它可以与带有 api 端点的身份验证服务器对话,以验证访问 token 。
下面是我的资源服务器配置。

/**
 * Resource-server security configuration as posted in the question.
 *
 * <p>Declares one URL rule (GET under {@code /api/v1/**} must be authenticated) and wires an
 * {@code OAuth2AuthenticationManager} whose token checks go through {@code RemoteTokenServices}
 * to the authorization server's {@code check_token} endpoint.
 *
 * <p>NOTE(review): {@code @EnableResourceServer} appears here and again on
 * {@code ResourceServerConfig} in the same listing, so two configurations describe rules for
 * the same paths. Which one handles a request depends on filter-chain ordering that the
 * listing does not show; confirm it before relying on either rule.
 */
@Configuration
@EnableResourceServer
@EnableWebSecurity
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Requires an authenticated caller for GET requests matching {@code /api/v1/**}.
     *
     * <p>NOTE(review): this is the only rule declared here. There is no {@code anyRequest()}
     * fallback, so other HTTP methods and other paths are left unrestricted by this method.
     *
     * @param http the HTTP security builder supplied by the adapter
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Trace output on stdout around the rule registration.
        // NOTE(review): a logger would keep this out of production console output.
        System.out.println("Oauth2SecurityConfiguration before");
        http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").authenticated();
        System.out.println("Oauth2SecurityConfiguration after");
    }

    /**
     * Supplies the stock {@code DefaultAccessTokenConverter}; {@link #remoteTokenServices()}
     * installs it on the remote token services.
     */
    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    /**
     * Builds the token services that validate access tokens against the authorization
     * server's {@code check_token} endpoint.
     *
     * @return token services configured with endpoint URL, client credentials and converter
     */
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        // NOTE(review): plain http is only reasonable for a local setup. The access token and
        // the client credentials set below travel to this endpoint, so use https elsewhere.
        tokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token");
        // NOTE(review): client id and secret are inline literals. Load real values from
        // external configuration or a secret store instead of committing them to source.
        tokenServices.setClientId("clientId");
        tokenServices.setClientSecret("clientSecret");
        tokenServices.setAccessTokenConverter(accessTokenConverter());
        return tokenServices;
    }

    /**
     * Replaces the adapter's authentication manager with an {@code OAuth2AuthenticationManager}
     * backed by {@link #remoteTokenServices()}, so token validation is delegated to the
     * authorization server.
     *
     * @return the OAuth2 authentication manager exposed as a bean
     * @throws Exception declared by the overridden adapter method
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
        manager.setTokenServices(remoteTokenServices());
        return manager;
    }
}


/**
 * Second resource-server configuration from the question: disables CSRF and requires full
 * authentication for GET requests under {@code /api/v1/**}.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * Registers the HTTP rules for the resource-server filter chain.
     *
     * @param http the HTTP security builder for the resource server
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for this chain.
        // NOTE(review): presumably acceptable for a bearer-token API with no cookie-based
        // session; confirm that no session login is served through this chain.
        http.csrf().disable();
        System.out.println("http.csrf().disable()");

        // Only GET /api/v1/** is covered; no anyRequest() fallback is declared, so other
        // methods and paths are left unrestricted by this method.
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/v1/**")
            .fullyAuthenticated();

        // NOTE(review): the message below names anyRequest().authenticated(), which is not the
        // rule registered above; the trace is misleading when debugging access problems.
        System.out.println("http.authorizeRequests().anyRequest().authenticated()");
    }
}


/**
 * Enables {@code @PreAuthorize}/{@code @PostAuthorize} method security (class-based proxies)
 * and plugs in the OAuth2-aware expression handler.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    /**
     * Supplies the expression handler used for method-security expressions.
     *
     * @return a new {@code OAuth2MethodSecurityExpressionHandler}
     */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        OAuth2MethodSecurityExpressionHandler handler = new OAuth2MethodSecurityExpressionHandler();
        return handler;
    }
}

问题 :
1. 既然所有身份验证都委托(delegate)给了身份验证服务器,为什么我还需要在资源服务器上配置 AuthenticationManager?(我必须添加它,应用程序上下文才能加载)

除此之外,我还面临以下问题。
  • 即使我没有在请求中传递 Authorization header 和访问 token,请求仍然能够通过。
    http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members"
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Date: Mon, 19 Oct 2015 19:45:14 GMT
    Server: Apache-Coyote/1.1
    Transfer-Encoding: chunked
    {
    "entities": [],
    "errors": [],
    "message": null
    }
  • 过滤器只被调用了一次,之后的请求我看不到日志。它是否在某处缓存了授权结果?

  • 我是spring oauth的新手,如果我做错了什么,请告诉我。我在用
    spring-security-oauth2 : 2.0.7.RELEASE
    spring-security-core : 4.0.1.RELEASE
    java : 1.8

    最佳答案

    要点是为 auth-server 和 resource-server 分别建立各自的端点,让它们各自独立地提供服务。
    如下所示,“/user/getEmployeesListRole/**”通过 auth-server 访问,“/user/getEmployeesListOAuth2/**”则凭 oauth2-server 生成的 token 通过 resource-server 访问。另外请注意,auth-server 和 oauth2-server 使用同一个 auth-manager。

    在一个 spring-boot 应用程序中配置 oauth2-server、resource-server、auth-server

    1.入口点:

    /* AuthApplication.java */

    /**
     * Spring Boot entry point of the sample application. Method-level security with
     * pre/post annotations is enabled here via {@code @EnableGlobalMethodSecurity}.
     */
    @SpringBootApplication
    @EnableDiscoveryClient
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class AuthApplication {

        /**
         * Starts the Spring application.
         *
         * @param args command-line arguments passed through to Spring Boot
         */
        public static void main(String[] args) {
            SpringApplication.run(AuthApplication.class, args);
        }
    }
    2. Config of oauth2-server:
    /* OAuth2AuthorizationConfig.java */

    /**
     * Authorization-server configuration of the sample: one in-memory client, an in-memory
     * token store, and the authentication manager and user-details service injected by
     * qualifier from the web security configuration.
     */
    @Configuration
    @EnableAuthorizationServer
    public class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

        // Tokens are held in an InMemoryTokenStore created with this configuration object.
        // NOTE(review): an in-memory store is presumably sample-only; tokens would not survive
        // a restart or be visible to a second instance.
        private TokenStore tokenStore = new InMemoryTokenStore();

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Autowired
        @Qualifier("userDetailsServiceBean")
        private UserDetailsService userDetailsService;

        /**
         * Registers the single in-memory client {@code browser} with the {@code password} and
         * {@code refresh_token} grants and the scopes {@code ui}, {@code read:ui},
         * {@code write:ui}.
         *
         * <p>NOTE(review): no client secret is configured for this client, and the password
         * grant hands user credentials to the client. Treat both as sample-only choices.
         */
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("browser")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("ui", "read:ui", "write:ui");
        }

        /**
         * Connects the token endpoints to the token store, the shared authentication manager
         * and the user-details service.
         */
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(this.tokenStore)
                .authenticationManager(this.authenticationManager)
                .userDetailsService(this.userDetailsService);
        }

        /**
         * Sets access rules for the token-key and check-token endpoints and the encoder used
         * for client secrets.
         *
         * <p>NOTE(review): {@code tokenKeyAccess("permitAll()")} opens the token-key endpoint
         * to unauthenticated callers. {@code NoOpPasswordEncoder} compares secrets as plain
         * text; a hashing encoder is the usual choice outside a demo.
         */
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(NoOpPasswordEncoder.getInstance());
        }
    }

    2.1 oauth2-server auth-request [post with basic auth]:
    http://localhost:5000/uaa/oauth/token?grant_type=password&scope=ui write:ui&username=user&password=123456&client_id=browser
    3.配置资源服务器:
    /* ResourceServer.java */

    /**
     * Resource-server rules of the sample: the two employee-list URL patterns are served by
     * this filter chain and need an access token carrying the scope {@code ui}.
     */
    @Configuration
    @EnableResourceServer
    class ResourceServer extends ResourceServerConfigurerAdapter {

        /**
         * Limits this chain to {@code /user/getEmployeesList/**} and
         * {@code /user/getEmployeesListOAuth2/**}, then requires the OAuth2 scope {@code ui}
         * for every request the chain handles.
         *
         * <p>NOTE(review): the sample's original inline comment spoke of scope "read", but the
         * expression checks {@code ui}. Requests outside the two patterns are not covered by
         * this configuration.
         *
         * @param http the HTTP security builder for the resource server
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers()
                .antMatchers("/user/getEmployeesList/**", "/user/getEmployeesListOAuth2/**")
                .and()
                .authorizeRequests()
                .anyRequest()
                .access("#oauth2.hasScope('ui')");
        }
    }
    4. Config auth-server:
    /* WebSecurityConfig.java */

    /**
     * Form-login ("auth-server") security configuration of the sample. It also exposes the
     * authentication manager and user-details service as beans, which
     * {@code OAuth2AuthorizationConfig} injects by qualifier.
     */
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        /** Excludes everything under the resources path from the security filter chain. */
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**");
        }

        /**
         * Requires both {@code WRITE_DATA} and {@code READ_DATA} for the role-protected
         * employee-list path and permits every other request; enables form login and logout.
         *
         * <p>NOTE(review): {@code anyRequest().permitAll()} makes every path outside the one
         * matcher public in this chain. CSRF protection is disabled while form login is
         * enabled; confirm that this is intended outside a demo.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/user/getEmployeesListRole/**")
                .access("hasAuthority('WRITE_DATA') && hasAuthority('READ_DATA')")
                .anyRequest().permitAll();
            http.formLogin().permitAll();
            http.logout().permitAll();
            http.csrf().disable();
        }

        /**
         * Defines one in-memory user with the authorities checked by the URL rule above.
         *
         * <p>NOTE(review): the account uses the same literal for user name and password and is
         * stored in source. Replace it with externally managed credentials before any
         * non-demo use.
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .authorities("WRITE_DATA", "READ_DATA");
        }

        /** Publishes the adapter's authentication manager as the bean "authenticationManagerBean". */
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /** Publishes the adapter's user-details service as the bean "userDetailsServiceBean". */
        @Override
        @Bean
        public UserDetailsService userDetailsServiceBean() throws Exception {
            return super.userDetailsServiceBean();
        }
    }

    关于spring-security - Spring Oauth2 独立资源服务器配置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33223144/
