spring boot oauth2配置：资源服务器保持不受保护

我使用 spring boot实现了授权服务器和资源服务器.授权服务器工作正常,我能得到令牌.但我的资源服务器仍然没有受到保护.我的目标是资源服务器只能由具有有效访问令牌的人访问.

我的整个代码是：

@Configuration @EnableAuthorizationServer public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { @Autowired TokenStore tokenStore; @Autowired private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .tokenStore(tokenStore) .authenticationManager(authenticationManager); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients .inMemory() .withClient("client") .scopes("read", "write") .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") .authorizedGrantTypes("password", "refresh_token") .secret("secret") .accessTokenValiditySeconds(180) .refreshTokenValiditySeconds(600); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { super.configure(security); //To change body of generated methods, choose Tools | Templates. } } @Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Autowired private TokenStore tokenStore; @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources .tokenServices(tokenServices()) .resourceId("MY_RESOURCE"); } @Override public void configure(HttpSecurity http) throws Exception { http .anonymous().disable() .requestMatchers().antMatchers("/**") .and() .authorizeRequests() .antMatchers("/").access("hasRole('USER')") .antMatchers("/secure/").access("hasRole('ADMIN')") .and() .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); } @Bean @Primary public DefaultTokenServices tokenServices() { final DefaultTokenServices defaultTokenServices = new DefaultTokenServices(); defaultTokenServices.setTokenStore(tokenStore); return defaultTokenServices; }

    }

@Configuration @EnableWebSecurity public class OAuth2SecurityConfig extends WebSecurityConfigurerAdapter{ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("bill").password("abc123").roles("ADMIN").and() .withUser("bob").password("abc123").roles("USER"); } @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .anonymous().disable() .authorizeRequests() .antMatchers("/oauth/token").permitAll(); } } @Configuration @EnableGlobalMethodSecurity public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { @Override protected MethodSecurityExpressionHandler createExpressionHandler() { return new OAuth2MethodSecurityExpressionHandler(); } } @SpringBootApplication @RestController public class Application extends SpringBootServletInitializer{ public static void main(String[] args) { SpringApplication.run(Application.class, args); } @Override protected SpringApplicationBuilder configure(SpringApplicationBuilder application) { return application.sources(Application.class); } @GetMapping(value = "/") public ResponseEntity<?> hello(){ return ResponseEntity.ok("Hello World"); } @GetMapping(value = "/secure/") public ResponseEntity<?> secure(){ return ResponseEntity.ok("Secure Resorce"); } @Bean public TokenStore tokenStore() { return new InMemoryTokenStore(); }

    }

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.example</groupId> <artifactId>boot-oauth2</artifactId> <version>1.0-SNAPSHOT</version> <packaging>war</packaging> <name>boot-oauth2</name> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.5.2.RELEASE</version> </parent> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project>

我错过了什么？
感谢帮助.

更新：
我发现由于存在OAuth2SecurityConfig类,我的资源服务器不受保护.如果我删除此类并添加以下类(我已移动inMemmory用户),则资源服务器将根据需要受到保护

@Configuration public class WebSecurityGlobalConfig extends GlobalAuthenticationConfigurerAdapter { @Autowired UserService userService; @Override public void init(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("bill").password("abc123").roles("ADMIN").and() .withUser("bob").password("abc123").roles("USER"); } }

所以,我感觉到OAuth2SecurityConfig类中不正确的HttpSecurity配置与资源服务器配置冲突.
那么,我如何配置OAuth2SecurityConfig的HttpSecurity,它确实允许资源服务器路径的访问令牌保护和非资源服务器路径的正常Web安全性

最佳答案

经过大量的谷歌搜索,我找到了解决方案.

这是由于过滤器的顺序.在spring-boot-1.5.1中更改了OAuth2资源过滤器的顺序.正如变更日志所说

The default order of the OAuth2 resource filter has changed from 3 to
SecurityProperties.ACCESS_OVERRIDE_ORDER – 1. This places it after the
actuator endpoints but before the basic authentication filter chain.
The default can be restored by setting
security.oauth2.resource.filter-order = 3

因此,我通过在application.properties security.oauth2.resource.filter-order = 3中设置将OAuth2资源服务器过滤器的顺序更改为3,我的问题解决了.

点击查看更多相关文章