Spring Oauth2单独的资源服务器配置
问题描述:
我想为oauth2配置单独的auth和资源服务器。 我可以成功配置授权服务器,并且能够进行身份验证并生成访问令牌。现在我想配置一个资源服务器,它可以通过api端点与auth服务器通信来验证访问令牌。 以下是我的资源服务器配置。Spring Oauth2单独的资源服务器配置
@Configuration
@EnableResourceServer
@EnableWebSecurity
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
System.out.println("Oauth2SecurityConfiguration before");
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/v1/**").authenticated();
System.out.println("Oauth2SecurityConfiguration after");
}
@Bean
public AccessTokenConverter accessTokenConverter() {
return new DefaultAccessTokenConverter();
}
@Bean
public RemoteTokenServices remoteTokenServices() {
final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token");
remoteTokenServices.setClientId("clientId");
remoteTokenServices.setClientSecret("clientSecret");
remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
return remoteTokenServices;
}
@Override
@Bean
public AuthenticationManager authenticationManager() throws Exception {
OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
authenticationManager.setTokenServices(remoteTokenServices());
return authenticationManager;
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
System.out.println("http.csrf().disable()");
http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").fullyAuthenticated();
System.out.println("http.authorizeRequests().anyRequest().authenticated()");
}
}
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
问: 1.为什么我的AuthenticationManager在资源服务器,而所有的认证委托给auth服务器。 (我不得不添加它来加载应用程序上下文)
除此之外,我正面临以下问题。
-
即使我没有通过授权标头和访问令牌与请求。它正在经历。
http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members" HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Date: Mon, 19 Oct 2015 19:45:14 GMT Server: Apache-Coyote/1.1 Transfer-Encoding: chunked { "entities": [], "errors": [], "message": null }
过滤器只能立即调用我没有看到以下请求的日志。它在某处缓存授权吗?
我是新来的春天oauth请让我知道如果我做错了什么。我使用
spring-security-oauth2 : 2.0.7.RELEASE
spring-security-core : 4.0.1.RELEASE
java : 1.8
答
你不需要@EnableWebSecurity
上Oauth2SecurityConfiguration
@EnableResourceServer
就够了。 您还应该用extends ResourceServerConfigurerAdapter
替换extends WebSecurityConfigurerAdapter
。
如果你想用你的RemoteTokenServices
比如我建议你重写ResourceServerConfigurerAdapter
public void configure(ResourceServerSecurityConfigurer resources) throws Exception
与
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception
{
resources.tokenServices(serverConfig.getTokenServices());
}
但我看到“为了使用此过滤器,你必须在应用程序某处@EnableWebSecurity,”在文档的http: //docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.html –