spring oAuth2不保護資源

Question

我試圖建立一個純粹的資源服務器，使用spring oAuth2來驗證來自授權服務器的訪問令牌。

我無法保護我的資源。我可以直接擊中api。 例如：

• GET 本地主機：8080 /帳戶的access_token = 63884b81-a3d3-4eab-a92c-7eb1e2022dfd （不正確的訪問令牌）
  • GET本地主機：8080 /佔

以上兩個鏈接都能夠訪問我的資源，但這些鏈接應返回未經授權的錯誤。

資源服務器配置。

<bean id="authenticationEntryPoint" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <property name="realmName" value="myRealm" /> 
</bean> 

<bean id="oauthAccessDeniedHandler" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" /> 

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> 
    <constructor-arg> 
     <list> 
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> 
      <bean class="org.springframework.security.access.vote.RoleVoter" /> 
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> 
     </list> 
    </constructor-arg> 
</bean> 

<!-- This is not actually used, but it's required by Spring Security --> 
<security:authentication-manager alias="authenticationManager" /> 

<oauth2:expression-handler id="oauthExpressionHandler" /> 

<oauth2:web-expression-handler id="oauthWebExpressionHandler" /> 

<security:global-method-security 
    pre-post-annotations="enabled" proxy-target-class="true"> 
    <security:expression-handler ref="oauthExpressionHandler" /> 
</security:global-method-security> 

<oauth2:resource-server id="myResource" 
    resource-id="myResourceId" token-services-ref="tokenServices" /> 

<security:http pattern="/**" create-session="never" 
    entry-point-ref="authenticationEntryPoint" 
    access-decision-manager-ref="accessDecisionManager"> 
    <security:anonymous enabled="false" /> 
    <security:intercept-url pattern="/**" 
     access="IS_AUTHENTICATED_FULLY" method="GET" /> 
    <security:intercept-url pattern="/**" access="SCOPE_READ" 
     method="HEAD" /> 
    <security:intercept-url pattern="/**" access="SCOPE_READ" 
     method="OPTIONS" /> 
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" 
     method="PUT" /> 
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" 
     method="POST" /> 
    <security:intercept-url pattern="/**" access="SCOPE_WRITE" 
     method="DELETE" /> 
    <security:custom-filter ref="myResource" 
     before="PRE_AUTH_FILTER" /> 
    <security:access-denied-handler ref="oauthAccessDeniedHandler" /> 
    <security:expression-handler ref="oauthWebExpressionHandler" /> 
</security:http> 

Answer 1

你有你的RemoteTokenServices的bean配置，以檢查在授權服務器令牌：

@Bean 
     public RemoteTokenServices LocalTokenService() { 
      final RemoteTokenServices tokenService = new RemoteTokenServices(); 
      tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token"); 
      tokenService.setClientId("my-client-with-secret"); 
      tokenService.setClientSecret("secret"); 
      return tokenService; 
     } 

或XML：

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices" 
      p:checkTokenEndpointUrl="${oaas.endpoint.check_token}" 
      p:clientId="${oaas.client_id}" 
      p:clientSecret="${oaas.client_secret}" /> 

注意，授權服務器檢查端點也應配置爲允許匿名請求進行令牌檢查。