Spring Security OAuth2, which one decides security?

I have been trying to implement an OAuth2 authentication server using Dave Syer's guides, with some inspiration taken from JHipster. But I cannot figure out how they work together.

When I use a ResourceServerConfigurerAdapter, the security settings made with the WebSecurityConfigurerAdapter seem to be overridden.

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
    import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
    import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
    import org.springframework.web.filter.OncePerRequestFilter;

    @Configuration
    @EnableResourceServer
    public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {

        private TokenExtractor tokenExtractor = new BearerTokenExtractor();

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .addFilterAfter(contextClearer(), AbstractPreAuthenticatedProcessingFilter.class)
                .authorizeRequests()
                    .anyRequest().authenticated().and().httpBasic();
        }

        // Clears any session-based authentication when the request carries no bearer token,
        // so that only token authentication counts on this filter chain.
        private OncePerRequestFilter contextClearer() {
            return new OncePerRequestFilter() {
                @Override
                protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                                FilterChain filterChain) throws ServletException, IOException {
                    if (tokenExtractor.extract(request) == null) {
                        SecurityContextHolder.clearContext();
                    }
                    filterChain.doFilter(request, response);
                }
            };
        }
    }

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        private final AuthenticationManager authenticationManager;

        @Autowired
        public CustomWebSecurityConfigurerAdapter(AuthenticationManager authenticationManager) {
            this.authenticationManager = authenticationManager;
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .parentAuthenticationManager(authenticationManager);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin()
                    .loginPage("/login").permitAll()
                .and()
                .authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

This is code taken from several different examples, so they may not mix well. But I cannot find a good list of documentation/examples for OAuth2 (unlike Spring Boot's documentation, which is great), so I am having problems understanding how they fit together. If I do not add the loginForm to the ResourceServerConfigurerAdapter, it gives me Unauthorized. But I defined it as permitAll() in the WebSecurityConfigurerAdapter.

This is the AuthorizationServerConfigurerAdapter:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Autowired
        private JwtAccessTokenConverter jwtAccessTokenConverter;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                .scopes("openid");
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager).accessTokenConverter(jwtAccessTokenConverter);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }
    }

Am I doing something wrong? Do I have to set up all the security in the ResourceServerConfigurerAdapter? Do I even need the WebSecurityConfigurerAdapter?

If anyone knows of any guides, tutorials, blogs or similar that might help me figure out how this works, it would be greatly appreciated.

Answer:

You need the WebSecurityConfigurerAdapter to secure the /authorize endpoint and to provide a way for users to authenticate. A Spring Boot application will do that for you (by adding HTTP Basic authentication with its own WebSecurityConfigurerAdapter). By default it creates a filter chain with order = 0 and protects all resources unless you provide a request matcher. @EnableResourceServer does something similar, but the filter chain it adds is at order = 3 by default. The WebSecurityConfigurerAdapter has an @Order(100) annotation. So the ResourceServer is checked first (for authentication), and then your extension of the WebSecurityConfigurerAdapter.
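As an added illustration of the answer's point (this is not code from the question, the answer, or Spring's own samples), the two chains below each claim their own URLs with requestMatchers(), so that exactly one chain decides any given request. The /api/** prefix for the resource server and the /login, /oauth/authorize and /oauth/confirm_access paths for the browser-facing chain are assumptions made for the example; the class and bean names are also invented.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example (not from the question or answer): two filter chains, each scoped to its own URLs.
@Configuration
public class ScopedSecurityChains {

    // Resource server chain. With the defaults the answer describes it is ordered ahead of the
    // WebSecurityConfigurerAdapter chain, so without requestMatchers() it would claim every request,
    // including /login, and reject browser requests that carry no bearer token.
    @Configuration
    @EnableResourceServer
    public static class ApiResourceConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/api/**")   // assumed API path prefix
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    // Login/authorize chain. It keeps its default @Order(100), so it only sees requests the
    // resource server chain did not claim, and it is itself limited to these endpoints.
    @Configuration
    public static class LoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }
}
```

With this split, a request to /api/orders is authenticated only by the bearer-token filter of the resource server chain, and a browser hitting /login or /oauth/authorize is handled by the form-login chain. Any URL that neither chain claims falls through to whatever chain comes next, which in a Spring Boot application is the auto-configured HTTP Basic chain the answer mentions; if that is not wanted, that chain's matcher has to be narrowed as well.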

Source: utcz.com/qa/428780.html
