带有Spring Boot REST应用程序的OAuth2-无法使用令牌访问资源
我想将OAuth2用于我的RESTSpring Boot" title="Spring Boot">Spring Boot项目。使用一些示例,我为OAuth2创建了配置:
@Configurationpublic class OAuth2Configuration {
private static final String RESOURCE_ID = "restservice";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
// @formatter:off
resources
.resourceId(RESOURCE_ID);
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.anonymous().disable()
.authorizeRequests().anyRequest().authenticated();
// @formatter:on
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends
AuthorizationServerConfigurerAdapter {
private TokenStore tokenStore = new InMemoryTokenStore();
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
// @formatter:off
endpoints
.tokenStore(this.tokenStore)
.authenticationManager(this.authenticationManager)
.userDetailsService(userDetailsService);
// @formatter:on
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password", "refresh_token", "trust")
.authorities("USER")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("clientsecret")
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(3600);
// @formatter:on
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(this.tokenStore);
return tokenServices;
}
}
}
这是我的SecurityConfiguration类:
@Configuration@EnableWebSecurity
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.authorizeRequests().antMatchers("/api/register").permitAll()
.and()
.authorizeRequests().antMatchers("/api/free").permitAll()
.and()
.authorizeRequests().antMatchers("/oauth/token").permitAll()
.and()
.authorizeRequests().antMatchers("/api/secured").hasRole("USER")
.and()
.authorizeRequests().anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
我尝试通过2个简单的请求检查我的应用程序:
@RequestMapping(value = "/api/secured", method = RequestMethod.GET)public String checkSecured(){
return "Authorization is ok";
}
@RequestMapping(value = "/api/free", method = RequestMethod.GET)
public String checkFree(){
return "Free from authorization";
}
首先,我检查了两个请求:
返回代码200和字符串“免授权”
返回{“时间戳”:1487451065106,“状态”:403,“错误”:“禁止”,“消息”:“访问被拒绝”,“路径”:“ / api /
secured”}
看来它们工作正常。
然后我得到了access_token(使用我的用户数据库中的凭据)
响应:
{“ access_token”:“ 3344669f-c66c-4161-9516-d7e2f31a32e8”,“ token_type”:“
bearer”,“ refresh_token”:“ c71c17e4-45ba-458c-9d98-574de33d1859”,“
expires_in”:1199,“范围” :“读写”}
然后,我尝试发送一个请求(使用获得的令牌)以请求需要身份验证的资源:
这是回应:
{“ timestamp”:1487451630224,“ status”:403,“ error”:“ Forbidden”,“ message”:“
Access Denied”,“ path”:“ / api / secured”}
我不明白为什么访问被拒绝。我不确定配置,似乎它们是不正确的。另外,我仍然不清楚在扩展 类中的 方法的关系。感谢您的任何帮助! ***
回答:
如果您使用的是Spring Boot 1.5.1或最近更新的版本,请注意,他们更改了Spring Security oauth2的过滤器顺序(Spring Boot 1.5发行说明)。
根据发行说明,尝试将以下属性添加到application.properties/yml中,然后在其他过滤器之后使用资源服务器过滤器作为回退-
这将导致在落入资源之前接受授权服务器:
security.oauth2.resource.filter-order = 3以上是 带有Spring Boot REST应用程序的OAuth2-无法使用令牌访问资源 的全部内容, 来源链接: utcz.com/qa/409134.html
