Java 正确配置spring安全oauth2
我正在尝试使用spring-security-oauth2和jwt配置授权服务器 我的主要意见是:Java 正确配置spring安全oauth2,java,spring,spring-security,spring-security-oauth2,Java,Spring,Spring Security,Spring Security Oauth2,我正在尝试使用spring-security-oauth2和jwt配置授权服务器 我的主要意见是: @SpringBootApplication @EnableResourceServer public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } } 我的安全配置: @Configur
@SpringBootApplication
@EnableResourceServer
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
我的安全配置:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("john").password("123").roles("USER").authorities("FOO_READ");
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/wtf");
}
我的身份验证服务器配置:
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("gateway")
.secret("secret")
.authorizedGrantTypes("refresh_token", "password")
.scopes("GATEWAY")
.autoApprove(true) ;
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenEnhancer(jwtTokenEnhancer()).authenticationManager(authenticationManager);
}
}
以及访问当前用户的Web服务:
@RestController
public class UserController {
@GetMapping("/users/me")
public Principal user(Principal principal) {
return principal;
}
}
现在,如果我做这样的post请求:
gateway:secret@localhost:10101/oauth/token
grant_type : password
username : john
password : 123
我的回答是:
{
"access_token": "...access token...",
"token_type": "bearer",
"refresh_token": "...refresh token...",
"expires_in": 43199,
"scope": "GATEWAY",
"jti": "...jti..."
}
如果我使用访问令牌调用我的用户WS:
GET localhost:10101/users/me
Authorization : Bearer ...access token...
我得到一个空响应
但如果我的安全配置中有以下行:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("john").password("123").roles("USER").authorities("FOO_READ");
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/wtf");
}
然后我得到了适当的答复
有人能解释一下这是怎么回事吗?为什么我的用户没有这一行就无法识别
谢谢。实际上,这是spring security的一个问题。 解决方案在此线程中: 应添加此注释以正确调用适配器:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
// ...
}
另一个解决方案是实现ResourceServerConfigurerAdapter,而不是WebSecurity配置适配器。做得好,这使awnser更有用,因为它现在包含更多信息。