Java Spring OAuth2 not protecting resources


I'm trying to set up a pure resource server with Spring OAuth2 that validates access tokens issued by the authorization server.

I can't protect my resources; I can hit the API directly. For example:

  • GET localhost:8080/accounts?access_token=63884b81-a3d3-4eab-a92c-7eb1e2022dfd (an incorrect access token)
  • GET localhost:8080/accounts

Both of the links above can access my resource, but they should return an unauthorized error.

Resource server configuration

<bean id="authenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>

<bean id="oauthAccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />

<oauth2:expression-handler id="oauthExpressionHandler" />

<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

<security:global-method-security
    pre-post-annotations="enabled" proxy-target-class="true">
    <security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>

<oauth2:resource-server id="myResource"
    resource-id="myResourceId" token-services-ref="tokenServices" />

<security:http pattern="/**" create-session="never"
    entry-point-ref="authenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/**"
        access="IS_AUTHENTICATED_FULLY" method="GET" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="HEAD" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="OPTIONS" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="PUT" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="POST" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="DELETE" />
    <security:custom-filter ref="myResource"
        before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>


You must configure a RemoteTokenServices bean so that tokens are checked against the authorization server:

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

// The bean name must match token-services-ref="tokenServices" in the
// <oauth2:resource-server> element, so the method is named accordingly.
@Bean
public RemoteTokenServices tokenServices() {
    final RemoteTokenServices tokenService = new RemoteTokenServices();
    // Endpoint on the authorization server that introspects the token
    tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token");
    // Client credentials the resource server uses to call check_token
    tokenService.setClientId("my-client-with-secret");
    tokenService.setClientSecret("secret");
    return tokenService;
}
or from XML:

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
      p:checkTokenEndpointUrl="${oaas.endpoint.check_token}"
      p:clientId="${oaas.client_id}"
      p:clientSecret="${oaas.client_secret}" />

Note that the authorization server's check-token endpoint must also be configured to allow token checks from anonymous requests.
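As an added example (not code from the question or the answer), here is the same resource server written as Java config, with the RemoteTokenServices bean the answer describes wired into the resource server and the question's per-method intercept-url rules expressed as OAuth2 scope expressions. It assumes Spring Security OAuth2 2.x and the oaas.* property names used in the answer's XML; the class name, resource id and scope names are illustrative.

```java
// Added example: Java-config equivalent of the question's XML resource server,
// with the RemoteTokenServices bean the answer says is required.
// Assumptions: Spring Security OAuth2 2.x (spring-security-oauth2) and the
// oaas.endpoint.check_token / oaas.client_id / oaas.client_secret properties
// from the answer's XML. Class and resource names are illustrative.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Value("${oaas.endpoint.check_token}")
    private String checkTokenUrl;   // e.g. http://authserver/oauth/check_token

    @Value("${oaas.client_id}")
    private String clientId;

    @Value("${oaas.client_secret}")
    private String clientSecret;

    // Every bearer token is validated remotely against the authorization
    // server. An unknown or expired token makes RemoteTokenServices throw
    // InvalidTokenException, which the OAuth2 entry point turns into a 401
    // instead of serving the resource.
    @Bean
    public RemoteTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(checkTokenUrl);
        services.setClientId(clientId);
        services.setClientSecret(clientSecret);
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // When the check_token response carries an audience ("aud"), it must
        // include this resource id, otherwise the token is rejected.
        resources.resourceId("myResourceId").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
            .anonymous().disable()          // same as <security:anonymous enabled="false"/>
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/**").authenticated()
                .antMatchers(HttpMethod.HEAD, "/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.OPTIONS, "/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
                // Nothing else is reachable without a valid token
                .anyRequest().authenticated();
    }
}
```

With this in place, a request without a token or with a token the authorization server does not recognise gets a 401 from the OAuth2 entry point, and a valid token that lacks the required scope gets a 403 from the access-denied handler; the resource method is never invoked in either case.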