Java 另外使用OAuth2进行身份验证时缺少DaoAuthenticationProvider
我发现了一种令人困惑的行为,可能是有意为之,但我无法确定是否如此 当我将基本身份验证与特定oauth2配置一起使用时,不会创建Java 另外使用OAuth2进行身份验证时缺少DaoAuthenticationProvider,java,spring,spring-boot,authentication,spring-security,Java,Spring,Spring Boot,Authentication,Spring Security,我发现了一种令人困惑的行为,可能是有意为之,但我无法确定是否如此 当我将基本身份验证与特定oauth2配置一起使用时,不会创建DaoAuthenticationprovider。如果在application.yaml中没有这个特定的配置,一切都可以正常工作。如果包括在内,我会得到一个内部异常,导致401。我在下面描述了这两种情况 我的问题是:如果这是正确的行为,如何在不提供自定义身份验证提供程序等的情况下运行默认的基本身份验证。?我自己并没有试图实现这一点,因为我不知道如何轻松实现它,而且,如果
DaoAuthenticationproviderapplication.yaml中没有这个特定的配置,一切都可以正常工作。如果包括在内,我会得到一个内部异常,导致401。我在下面描述了这两种情况
我的问题是:如果这是正确的行为,如何在不提供自定义身份验证提供程序等的情况下运行默认的基本身份验证。?我自己并没有试图实现这一点,因为我不知道如何轻松实现它,而且,如果可能的话,我宁愿使用默认行为
基本身份验证在以下情况下不起作用:
答案是
{"timestamp":"2021-05-25T13:25:30.198+00:00","status":401,"error":"Unauthorized","message":"","path":"/actuator/info"}
在Spring中,我得到一个ProviderNotFoundException:
/actuator/info at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2021-05-25 15:23:32.727 DEBUG 4216 --- [nio-8080-exec-2] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'user'
2021-05-25 15:23:32.730 DEBUG 4216 --- [nio-8080-exec-2] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication request for failed!
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:251) ~[spring-security-core-5.3.4.RELEASE.jar:5.3.4.RELEASE]
调试时,我发现DaoAuthenticationProvider=newdaoauthenticationprovider()InitializeUserDetailsBeanManagerConfigure.java
时,不会调用代码。实际上,似乎InitializeUserDetailsBeanManagerConfigure并不是真正用于配置的,而是在这里登陆的GlobalAuthenticationConfigurerAdapter.java
使一切顺利
我只需要从application.yaml中删除以下行:
oauth2:
resourceserver:
jwt:
issuer-uri: https://someissuer
jwk-set-uri: https://somejwkuri
然后我从同一个卷曲中得到200,这个内部弹簧:
/actuator/info at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2021-05-25 15:51:21.845 DEBUG 16540 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'user'
2021-05-25 15:51:21.845 DEBUG 16540 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2021-05-25 15:51:22.036 DEBUG 16540 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ed8ad585: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ENDPOINT_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ENDPOINT_ADMIN
代码
应用程序.yaml
还有其他配置,如flyway、hikari、camunda,但所有这些都是独立的,不会影响我观察到的行为
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://someissuer
jwk-set-uri: https://somejwkuri
user:
name: user
password: password
roles: ENDPOINT_ADMIN
server:
port: 8080
management:
endpoints:
web:
exposure:
include: health,info,metrics,prometheus,loggers
cors:
allowed-origins: "*"
allowed-methods: GET,POST
security:
enabled: false
logging:
level:
org:
springframework: DEBUG
pattern:
console:%d{yyyy-MM-dd HH:mm:ss} %-5level %logger{36} - %msg%n
Web安全配置适配器扩展类
它是一个内部类,因为我使用了多个过滤器链,但在测试期间排除了其他过滤器链-没有影响
public class SecurityConfig {
@Order(1)
@Configuration
public static class BasicAuthSecurityConfig extends WebSecurityConfigurerAdapter {
// info is excluded on purpose
private final String[] ENDPOINTS = { "health", "metrics", "prometheus", /* "info" */ };
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
.requestMatchers(EndpointRequest.to(ENDPOINTS)).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN").and()
.httpBasic();
}
}
// other commented out inner classes for oauth and general handling
}
build.gradle
非常简短的版本,但它应该说明它是如何构建的
plugins {
//Spring Boot
id 'org.springframework.boot' version '2.3.3.RELEASE'
}
dependencies {
compile 'org.springframework.boot:spring-boot-starter-security'
compile 'org.springframework.boot:spring-boot-starter-actuator'
compile 'org.springframework.boot:spring-boot-starter-amqp'
compile 'org.springframework.boot:spring-boot-starter-data-jpa'
compile 'org.springframework.boot:spring-boot-starter-data-rest'
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.springframework.cloud:spring-cloud-starter-kubernetes-config'
compile 'org.springframework.cloud:spring-cloud-starter-openfeign'
compile 'org.springframework.security:spring-security-oauth2-resource-server'
compile 'org.springframework.security:spring-security-oauth2-jose'
compile 'org.springframework.security:spring-security-config'
}
plugins {
//Spring Boot
id 'org.springframework.boot' version '2.3.3.RELEASE'
}
dependencies {
compile 'org.springframework.boot:spring-boot-starter-security'
compile 'org.springframework.boot:spring-boot-starter-actuator'
compile 'org.springframework.boot:spring-boot-starter-amqp'
compile 'org.springframework.boot:spring-boot-starter-data-jpa'
compile 'org.springframework.boot:spring-boot-starter-data-rest'
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.springframework.cloud:spring-cloud-starter-kubernetes-config'
compile 'org.springframework.cloud:spring-cloud-starter-openfeign'
compile 'org.springframework.security:spring-security-oauth2-resource-server'
compile 'org.springframework.security:spring-security-oauth2-jose'
compile 'org.springframework.security:spring-security-config'
}