我有一個包含兩部分的服務器端應用程序。第一部分是REST Apis,另一部分是用於管理整個服務器端應用程序的網頁儀表板。Oauth和Spring Security
現在我使用 Spring Security OAuth 來保護 REST API,並使用 Spring Security 的基於表單的身份驗證來保護網頁儀表板。但基於表單的身份驗證會與 OAuth 配置產生衝突。
在Spring安全中,是否有任何方法同時使用Oauth和基於表單的身份驗證?
這是 SecurityConfiguration 文件。我先嘗試添加兩個配置,但沒有成功,所以改用下面這種帶有兩個安全標籤的配置。這裏的表單登錄配置工作正常,但 OAuth 的配置不起作用:我能夠獲得訪問令牌,但試圖訪問 REST API 時,會被重定向到儀表板登錄頁面。
@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
// Logger used by this configuration class and by its nested static configuration classes.
private static final Logger LOG = Logger.getLogger(SecurityConfiguration.class);
// User lookup service injected by Spring; configure(AuthenticationManagerBuilder) registers it.
@Autowired
UserDetailsService webUserDetailsService;
// BCrypt password encoder; created in the constructor and handed to the authentication builder.
BCryptPasswordEncoder passwordEncoder;
/**
 * Creates the configuration and the BCrypt encoder that is later passed to the
 * authentication manager builder.
 */
public SecurityConfiguration() {
    LOG.debug("OAuthSecurityConfiguration initialized");
    final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    this.passwordEncoder = encoder;
    // Logs the encoder instance itself; no password value is passed to the logger here.
    LOG.debug(encoder);
}
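/**
 * Registers the injected user details service and the BCrypt encoder with the
 * authentication manager builder.
 *
 * @param auth builder for the AuthenticationManager of this configuration
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Register the user store exactly once. Each call to userDetailsService(...)
    // applies another configurer to the builder, so repeating the call inside a
    // log statement (as the earlier version did) registers the same store twice.
    auth
        .userDetailsService(webUserDetailsService)
        .passwordEncoder(passwordEncoder);
    LOG.debug("user and password details");
}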
/**
 * Publishes the AuthenticationManager of this adapter as a Spring bean.
 *
 * @return the manager returned by the superclass implementation
 * @throws Exception propagated from the superclass call
 */
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    LOG.debug("authenticationManagerBean");
    final AuthenticationManager manager = super.authenticationManagerBean();
    return manager;
}
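/**
 * Security configuration intended for the REST API; declared with order 1, ahead of
 * the form-login configuration (order 2).
 *
 * NOTE(review): this class extends WebSecurityConfigurerAdapter, which declares no
 * configure(ResourceServerSecurityConfigurer) method. The method below is therefore
 * a plain overload, not an override, and nothing visible in this file calls it.
 * Spring Security OAuth declares that callback on ResourceServerConfigurerAdapter;
 * confirm which base class is intended.
 *
 * NOTE(review): the "**" base package in @ComponentScan is very broad; naming the
 * application's own packages avoids registering unrelated components. Confirm intent.
 */
@Configuration
@EnableResourceServer
@ComponentScan(basePackages = {"**"})
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    /**
     * Sets the resource id of this resource server to "admin".
     *
     * @param resources resource-server configurer to update
     */
    public void configure(ResourceServerSecurityConfigurer resources) {
        LOG.debug(resources);
        // resourceId(...) returns the configurer itself, so one call is enough; the
        // earlier version repeated it three times, once inside the log message.
        resources.resourceId("admin");
        LOG.debug("configureresource:" + resources);
    }

    /**
     * Requires the ADMIN role for every request handled by this chain and enables
     * HTTP Basic authentication.
     *
     * @param http HTTP security builder for this filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // NOTE(review): ".." does not look like a usable path pattern, so this
            // chain probably matches no API request; confirm the intended API
            // prefix (placeholder example: "/api/**").
            .antMatcher("..")
            .authorizeRequests()
                // The earlier version ended the statement with ';' here, which left
                // the following .and() dangling and stopped the class compiling.
                .anyRequest().hasRole("ADMIN")
                .and()
            // NOTE(review): this chain authenticates with HTTP Basic; nothing in it
            // validates OAuth2 access tokens. Confirm that is intended for an API
            // that is meant to be OAuth-protected.
            .httpBasic();
    }
}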
/**
 * Form-login security for the web dashboard; declared with order 2.
 *
 * NOTE(review): no antMatcher/requestMatchers restriction is set on the builder, so
 * this chain applies to every request that a higher-priority chain has not claimed.
 * A request to the REST API that is not matched earlier is handled here and, when
 * unauthenticated, is sent to the login page.
 */
@Configuration
@ComponentScan(basePackages = {"**"})
@Order(2)
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    /**
     * Configures dashboard access rules, the login form and logout handling.
     *
     * @param http HTTP security builder for this filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is switched off for a session-based,
        // form-login dashboard. State-changing dashboard requests are then accepted
        // without a CSRF token; confirm this is deliberate, or keep CSRF enabled and
        // add the token to the dashboard forms.
        http.csrf().disable();

        // "/login" is open to everyone; every other request needs an authenticated user.
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated();

        // NOTE(review): defaultSuccessUrl receives "/**", which reads like an Ant
        // pattern rather than a landing page; confirm the intended post-login URL.
        http.formLogin()
            .loginPage("/login/new")
            .defaultSuccessUrl("/**", true)
            .failureUrl("/login/fail")
            .permitAll();

        // After logout the user is sent back to the login page.
        http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login/new")
            .permitAll();
    }
}
請參閱:http://projects.spring.io/spring-security-oauth/ – Steve