EnableResourceServer breaks OAuth2 authorization server

I implemented an OAuth2 authorization server with Spring Boot 1.5.2.RELEASE. The authorization server supports the implicit flow. With the WebSecurityConfig below, the login form (http://localhost:8200/login) works fine.
import static java.util.Collections.singletonList;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // JPA-backed UserDetailsService defined elsewhere in the application
    @Autowired
    private JpaUserDetailsService userDetailsService;

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Username/password provider used by the form login
    @Bean
    public AuthenticationProvider authenticationProvider() throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsServiceBean());
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    // Exposed as a bean so the authorization server can inject it
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return new ProviderManager(singletonList(authenticationProvider()));
    }

    // Paths that bypass the security filter chain entirely
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers("/")
            .antMatchers("/docs/**")
            .antMatchers("/swagger/**")
            .antMatchers("/token/**")
            .antMatchers("/v2/*")
            .antMatchers(HttpMethod.OPTIONS, "/**");
    }

    // Everything except the login page requires a form login session
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/login**").permitAll().anyRequest().authenticated().and()
            .formLogin().loginPage("/login").permitAll().and()
            .logout().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }
}
I want the resource server to be part of the same application. The reason is that I need an endpoint that gives me the details of the logged-in user, plus endpoints for managing users. However, as soon as I add the ResourceServerConfig below, annotated with EnableResourceServer, I start getting the error "Full authentication is required to access this resource" when I request http://localhost:8200/login.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    public static final String RESOURCE_ID = "proclaim-auth";

    // Token services shared with the authorization server in the same application
    @Autowired
    private ResourceServerTokenServices tokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources
            .resourceId(RESOURCE_ID)
            .tokenServices(tokenServices);
    }

    // Bearer-token protection for the API endpoints
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").authenticated();
    }
}
I suspect the resource server security chain comes before the authorization server security chain. I tried annotating WebSecurityConfig with the Order annotation, but it did not solve my problem:
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
}
What am I doing wrong? Please advise. Thanks in advance!
EDIT 1: I added the method configure(HttpSecurity http) to ResourceServerConfig and changed the value of the Order annotation on WebSecurityConfig to -1. Now the security filter defined in WebSecurityConfig is applied and the security defined in ResourceServerConfig is ignored. So when I call the /me endpoint with a valid token, I am redirected to the login page.
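The following is an added example, not code from the question or its author, showing the usual way to keep the two filter chains from colliding in Spring Security OAuth2 on Boot 1.5: scope the resource-server chain to the API paths with requestMatchers(), so it only claims /api/** and leaves /login (and the /oauth/** endpoints) to WebSecurityConfig, with no @Order change needed. The class name, RESOURCE_ID and the /api/** prefix are taken from the question; that the user-info endpoint is served under /api/** (for example as /api/me) is an assumption.

```java
// Added example, not the question's code. Assumes Spring Boot 1.5.x with
// spring-security-oauth2 on the classpath and that the user-info endpoint
// lives under /api/** (e.g. /api/me); both are assumptions.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    public static final String RESOURCE_ID = "proclaim-auth";

    @Autowired
    private ResourceServerTokenServices tokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId(RESOURCE_ID)
            .tokenServices(tokenServices);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // The resource-server chain is registered with a lower order value than a
            // plain WebSecurityConfigurerAdapter, so it is consulted first. Without a
            // request matcher it claims every request, and an unauthenticated GET /login
            // is answered by the bearer-token entry point with
            // "Full authentication is required to access this resource"
            // instead of the form login. Limiting the chain to /api/** means /login
            // never reaches it and falls through to WebSecurityConfig.
            .requestMatchers().antMatchers("/api/**")
            .and()
            // Within that scope every API call must carry a valid access token.
            .authorizeRequests().antMatchers("/api/**").authenticated();
    }
}
```

With the chain scoped this way, GET /login still falls through to WebSecurityConfig and renders the form, while GET /api/me with `Authorization: Bearer <token>` is handled by the resource-server chain. The alternative from EDIT 1 (@Order(-1) on WebSecurityConfig) puts the form-login chain first, and because that chain ends in anyRequest().authenticated() it captures the token-bearing API call as well, which is why the call was redirected to the login page: in Spring Security the first chain whose request matcher matches handles the request, and the remaining chains are never consulted.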