1. 首頁
  2. 問答
  3. 春季基於權限和基於會話的授權是如何協同工作的?

春季基於權限和基於會話的授權是如何協同工作的?

2017-03-06 19 views
0

我正嘗試將基於oauth2的令牌與客戶端憑證授予類型一起使用基於Spring會話的驗證。它與oauth令牌以及授權的機構正常工作。春季基於權限和基於會話的授權是如何協同工作的?

當我將它們結合在一起時,它不起作用。它總是調用UsernamePasswordAuthenticationFilter而不是OAuth2AuthenticationProcessingFilter

如何使它們一起工作?這裏是我的ResourceServer配置

@Configuration 
@EnableResourceServer 
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { 

    @Override 
    public void configure(ResourceServerSecurityConfigurer resources) { 
     resources.resourceId(SPARKLR_RESOURCE_ID).stateless(false); 
    } 

    @Override 
    public void configure(HttpSecurity http) throws Exception { 
     // @formatter:off 
     http 
      // Since we want the protected resources to be accessible in the UI as well we need 
      // session creation to be allowed (it's disabled by default in 2.0.6) 
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) 
     .and() 
      .requestMatchers().antMatchers("/api/account/**", "/oauth/users/**", "/oauth/clients/**","/me") 
     .and() 
      .authorizeRequests() 
       .antMatchers("/api/account/**").access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))")     
       .regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*") 
        .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')") 
       .regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*") 
        .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')") 
       .regexMatchers(HttpMethod.GET, "/oauth/clients/.*") 
        .access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')"); 
     // @formatter:on 
    } 
}

的問題是,在過濾器鏈OAuth2AuthenticationProcessingFilter是沒有得到調用。因此,任何其餘的調用都不會發生令牌驗證。以下是過濾器鏈。

XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists 
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created. 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
XNIO-2 task-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]74d294b6 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter' 
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/api/logout', GET] 
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 
XNIO-2 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/account' doesn't match 'POST /api/authentication 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 6 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
XNIO-2 task-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055c2bc: Principal: anonymousUser; Credentials 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
XNIO-2 task-1] o.s.security.web.FilterChainProxy  : /api/account at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

編輯: 我想這兩個項目合併在一起。 https://github.com/jhipster/jhipster-sample-apphttps://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2/sparklr

來源

2017-03-06 bagui

+0

您沒有顯示主過濾器鏈是如何配置的(您似乎已經進入了這個請求)。某處是否有完整的示例? –

+0

@Dave - 請找到完整的示例 - (https://github.com/ibagui/besquare-oauth/blob/master/src/main/java/io/github/jhipster/sample/config/OAuth2ServerConfig.java)。我正試圖將這兩個項目合併在一起。 (https://github.com/jhipster/jhipster-sample-app)和(https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2/sparklr) – bagui

回答

1

您正在使用spring boot 1.5,因此默認情況下資源服務器篩選器鏈的順序比jhipster添加的自定義篩選器鏈的順序更高。您可能需要更改訂單,或者更改模式匹配器,以使OAuth資源與主過濾器鏈不匹配。彈簧引導用戶指南建議您按特定順序放置自定義過濾器鏈(SecurityProperties.ACCESS_OVERRIDE_ORDER)。遵循這個建議可能是一個好主意。

來源

2017-03-18 18:47:42

相關問題

 相關問題