0
您好我是春季安全新手,並試圖找出如何配置auth服務器發出令牌。我現在所擁有的問題是,我收到關於進一步瞭解CORS預檢要求401或403,不知道如何解決以下是基於幾個教程春季CorsFilter似乎仍然工作仍然收到401上的預檢請求
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework http://www.baeldung.com/spring-security-oauth-jwt
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity
@PropertySource(value = "classpath:oauth.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserRepository userRepository;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authenticationProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
}
@Autowired
ObjectMapper mapper;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll()
.anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception{
auth.inMemoryAuthentication().
withUser("john").password("123").roles("USER").
and().
withUser("tom").password("111").roles("ADMIN");
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
}
@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter{
@Autowired
private Environment env;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer){
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception{
clients.inMemory().withClient("acme").secret("acmesecret").authorizedGrantTypes("authorization_code", "refresh_token",
"password").scopes("openId");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints){
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(),accessTokenConverter()));
endpoints.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.authenticationManager(authenticationManager);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter(){
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
return converter;
}
@Bean
public TokenStore tokenStore(){
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
CorsFilter2是spring 4.2中引入的spring cors過濾器。我正在使用它來插入正確的響應頭文件發送回客戶端。
嗨,老兄你在哪裏配置它,我得到:'''The方法忽略()是未定義的類型ExpressionUrlAuthorizationConfigurer .ExpressionInterceptUrlRegistry'''如果我'''authorizeRequests'''後設置「 ''方法忽略()未定義類型HttpSecurity'''''clttp http –
mattobob
@mattobob我將它添加到我的SecurityConfig中的配置方法方法簽名應該看起來像這樣 \t public void configure(WebSecurity web)拋出Exception {} – jcdevbot