Securing microservices with Spring Cloud Security OAuth2

I am using Spring Cloud Security and OAuth2 to secure my microservices. The POM is as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.oreilly.cloud</groupId>
    <artifactId>spring-microservices-oauth-server</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>spring-microservices-oauth-server</name>
    <description>Demo project for Spring Boot</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <spring-cloud.version>Dalston.SR3</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.hsqldb</groupId>
            <artifactId>hsqldb</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <repositories>
        <repository>
            <id>spring-snapshots</id>
            <name>Spring Snapshots</name>
            <url>https://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
</project>
```
The Spring Boot main class is as follows:
```java
package com.oreilly.cloud;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Authorization server and resource server are both enabled in this one application.
@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringMicroservicesOauthServerApplication {

    // Protected endpoint: requires a valid token whose user holds ROLE_ADMIN.
    @RequestMapping("/resource/endpoint")
    @PreAuthorize("hasRole('ADMIN')")
    public String endpoint() {
        return "This message is protected by the resource server.";
    }

    public static void main(String[] args) {
        SpringApplication.run(SpringMicroservicesOauthServerApplication.class, args);
    }
}
```
The authorization server configuration is as follows:
```java
package com.oreilly.cloud;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // The password grant needs an AuthenticationManager to verify the resource owner's credentials.
    @Autowired
    private AuthenticationManager authManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // In-memory client "webapp" allowed to use the password grant only.
        // Note: scopes(...) is varargs, so this registers a single scope literally named
        // "read,write,trust" (which is what the token response below shows) rather than three scopes.
        clients.inMemory().withClient("webapp").secret("websecret").authorizedGrantTypes("password")
                .scopes("read,write,trust");
    }
}
```
Note that the authentication manager is autowired into the authorization server configuration. The authentication manager is configured in the class below and exposed as a bean so that it can be wired into the class above:
```java
package com.oreilly.cloud;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Expose the AuthenticationManager as a bean so AuthorizationServerConfig can autowire it.
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Two in-memory users: only "admin" carries ROLE_ADMIN, which /resource/endpoint requires.
        auth.inMemoryAuthentication().withUser("user1").password("password1").roles("USER").and().withUser("admin")
                .password("password2").roles("ADMIN");
    }
}
```
The application.properties is as follows:

```properties
server.port=9090
```
Now I run the Spring Boot application as follows:

```shell
mvn spring-boot:run
```

The application starts successfully and is ready to accept requests on localhost port 9090.
Now, using Postman, I send a POST request to get the access_token. For some background, the OAuth2 flow used here is the password grant. So in the AuthorizationServerConfig class above I defined a password grant flow and registered a simple web application with a client name and secret. As can be seen, the client configuration is in memory.

The Postman request to get an access token from the authorization server is as follows: a POST request with a Basic authentication header whose username is webapp and password is websecret.

```
http://localhost:9090/oauth/token?grant_type=password&username=user1&password=password1
```

This request successfully returns an access token JSON as follows:
```json
{
    "access_token": "2d632e54-17c3-41f7-af3b-935ca3022d78",
    "token_type": "bearer",
    "expires_in": 43199,
    "scope": "read,write,trust"
}
```
Now, when I try to access /resource/endpoint with the above access token:

```
http://localhost:9090/resource/endpoint?access_token=2d632e54-17c3-41f7-af3b-935ca3022d78
```

instead of returning the text from the /resource/endpoint service, it returns the login page as follows:
```html
<html>
<head>
    <title>Login Page</title>
</head>
<body onload='document.f.username.focus();'>
<h3>Login with Username and Password</h3>
<form name='f' action='/login' method='POST'>
    <table>
        <tr>
            <td>User:</td>
            <td>
                <input type='text' name='username' value=''>
            </td>
        </tr>
        <tr>
            <td>Password:</td>
            <td>
                <input type='password' name='password'/>
            </td>
        </tr>
        <tr>
            <td colspan='2'>
                <input name="submit" type="submit" value="Login"/>
            </td>
        </tr>
        <input name="_csrf" type="hidden" value="8dbc1c38-6f89-43c5-a8f8-797c920722a1" />
    </table>
</form>
</body>
</html>
```
Can anyone please help me with what I am missing here?????

Note: I have configured both the authorization server and the resource server in the same application. This is a POC, so I am trying out Spring Cloud Security; I will separate the two later... but that is for later.
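As an added example, not code from the original post: a resource-server configuration that explicitly claims the /resource/** path and makes it stateless, so a request carrying a bearer token is handled by the OAuth2 resource-server filter chain instead of falling through to the form-login chain that WebSecurityConfig gets by default. The class name is mine, and it assumes (a) the poster's login page comes from the WebSecurityConfig chain (default order 100) matching /resource/endpoint first, and (b) the resource-server chain is moved ahead of it with the Spring Boot 1.5 property `security.oauth2.resource.filter-order`, which by default places that chain after order 100.

```java
package com.oreilly.cloud;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Hypothetical class added for illustration; not part of the original post.
// Defines the resource-server chain explicitly rather than relying on the default, which
// would otherwise match every request with anyRequest().authenticated().
//
// Ordering assumption: this chain only sees /resource/** before WebSecurityConfig (order 100)
// if it is ordered earlier, e.g. security.oauth2.resource.filter-order=3 in
// application.properties (Spring Boot 1.5 ResourceServerProperties).
@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Stateless: the token is re-validated on every request; nothing is cached in a session.
        resources.stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Only requests under /resource/** are handled by this chain; /oauth/token stays
            // with the authorization server's own endpoint security.
            .requestMatchers().antMatchers("/resource/**")
            .and()
            // No HTTP session, so no login form, no redirect and no CSRF token on this path.
            // An unauthenticated request gets 401 with a WWW-Authenticate: Bearer header instead.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests()
                // Require a valid, non-expired token for everything under /resource/**;
                // the hasRole('ADMIN') check in @PreAuthorize is still applied on top.
                // Prefer sending the token as "Authorization: Bearer <token>" rather than as the
                // ?access_token= query parameter, which ends up in access logs and proxy caches.
                .anyRequest().authenticated();
    }
}
```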
What exactly is your question? –

In your token, the expires_in value looks funny.. what does it map to, surely not ticks, can you check it? –

@WilliamHampshire My question is that I get the access token by hitting the following URL: http://localhost:9090/oauth/token?grant_type=password&username=admin&password=password2 with a Basic auth header specifying the client username and password, but if I try to access the protected resource (/resource/endpoint/) with the access_token parameter set to the above access token, I get a login page instead of the text response my endpoint should return – santhoshbhatti