Java: a resource protected by Spring OAuth2 can be accessed without an access token

Tags: java, spring, spring-security, spring-security-oauth2

Using:

  • spring-security 3.2.5
  • spring-security-oauth2 2.0.7
  • grant type: authorization code

I have no problem obtaining the authorization code and the access token. My problem is that if I call a "protected" resource, I can access it without any token. Here is the security configuration of the "not really protected" resource:

<security:http pattern="/api/user/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
                  access-decision-manager-ref="accessDecisionManager">
  <security:anonymous enabled="false" />
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <security:custom-filter ref="userResourceServer" before="PRE_AUTH_FILTER" />
  <security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
Then the resource endpoint configuration (as shown at the beginning of the question):


Then the "generic" URL configuration:

  <security:http pattern="/api/oauth/token" 
               create-session="stateless" 
               authentication-manager-ref="clientAuthenticationManager">
    <security:intercept-url pattern="/api/oauth/token"
                            access="IS_AUTHENTICATED_FULLY" />
    <security:anonymous enabled="false" />
    <security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
  </security:http>
<security:http name="genericSecurityConfiguration" entry-point-ref="customLoginEntrypoint">
    <security:form-login authentication-failure-url="/index.jsp"
                         authentication-success-handler-ref="customAuthenticationSuccessHandler"
                         authentication-failure-handler-ref="customAuthenticationFailureHandler"
                         login-page="/index.jsp"
                         login-processing-url="/solapCore/identification2"
                         username-parameter="username"
                         password-parameter="password"
                         />
    <security:session-management invalid-session-url="/index.jsp?invalidSession=true" session-authentication-strategy-ref="sas" /> 
    <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="monitoringFilter"/>
    <security:access-denied-handler ref="solapcoreAccessDeniedHandler"/>
  </security:http>

Other OAuth-specific configuration in the same file:

<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="oauth" />
  </bean>

  <bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="oauth/client" />
    <property name="typeName" value="Basic" />
  </bean>

  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
     <list>
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
      <bean class="org.springframework.security.access.vote.RoleVoter" />
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
     </list>
    </constructor-arg>
  </bean>

  <security:authentication-manager id="clientAuthenticationManager">
    <security:authentication-provider user-service-ref="clientDetailsUserService" />
  </security:authentication-manager>

  <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
  </bean>
  <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

  <oauth:authorization-server  
    client-details-service-ref="clientDetails" 
    token-services-ref="tokenServices" 
    user-approval-handler-ref="userApprovalHandler">
    <oauth:authorization-code />
  </oauth:authorization-server>

  <oauth:resource-server id="userResourceServer" 
                         resource-id="oauth2/user"  
                         token-services-ref="tokenServices" />

  <oauth:client-details-service id="clientDetails">
    <oauth:client client-id="someClientID" 
                  authorized-grant-types="authorization_code"
                  authorities="SOME_AUTHORITY" scope="read" secret="secret" />
  </oauth:client-details-service>

 <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
   <security:expression-handler ref="oauthExpressionHandler" />
 </security:global-method-security>

 <oauth:expression-handler id="oauthExpressionHandler" />
 <oauth:web-expression-handler id="oauthWebExpressionHandler" />

 <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

 <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="clientDetailsService" ref="clientDetails" />
 </bean>

Finally, my dispatcher servlet and filterChain configuration in web.xml:

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>
    org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/api/*</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

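As an added check (example code, not part of the original question), the integration test below runs the real springSecurityFilterChain in front of the dispatcher with Spring's MockMvc and asserts what the configuration above is supposed to guarantee: a GET on /api/user/** with no Authorization header gets a 401 carrying a Bearer challenge from OAuth2AuthenticationEntryPoint, and the same request with a token known to the token store gets a 200. If the first test comes back with a 200, the chain is letting unauthenticated requests through, which is exactly the symptom reported. The context file names, the /api/user/me endpoint and the user "alice" are assumptions; the client id, scope and resource id are the ones from the question's configuration.

```java
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Collections;
import java.util.HashSet;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Added example, not from the original question. Context file names are assumed.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration({"classpath:security-context.xml", "classpath:dispatcher-servlet.xml"})
public class UserResourceAccessControlTest {

    // Must match resource-id on <oauth:resource-server id="userResourceServer">.
    private static final String RESOURCE_ID = "oauth2/user";

    @Autowired private WebApplicationContext wac;
    @Autowired private FilterChainProxy springSecurityFilterChain; // the bean DelegatingFilterProxy targets
    @Autowired private TokenStore tokenStore;                      // the InMemoryTokenStore from the config

    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // Put the real security filter chain in front of the dispatcher, as web.xml does with /*.
        mockMvc = MockMvcBuilders.webAppContextSetup(wac).addFilters(springSecurityFilterChain).build();
    }

    @Test
    public void resourceRejectsRequestWithoutBearerToken() throws Exception {
        // anonymous is disabled and IS_AUTHENTICATED_FULLY is required, so the only
        // acceptable outcome is a 401 with an OAuth2 challenge, never a 200.
        mockMvc.perform(get("/api/user/me"))
               .andExpect(status().isUnauthorized())
               .andExpect(header().string("WWW-Authenticate", startsWith("Bearer")));
    }

    @Test
    public void resourceAcceptsValidBearerToken() throws Exception {
        OAuth2AccessToken token = mintToken("alice"); // "alice" is an assumed test user
        mockMvc.perform(get("/api/user/me").header("Authorization", "Bearer " + token.getValue()))
               .andExpect(status().isOk());
    }

    // Store a token directly in the token store so the test does not have to drive the
    // authorization-code flow. The resource id must be in the stored request, otherwise
    // OAuth2AuthenticationManager rejects the token for this resource server.
    private OAuth2AccessToken mintToken(String user) {
        OAuth2Request request = new OAuth2Request(
                Collections.<String, String>emptyMap(), "someClientID",
                AuthorityUtils.createAuthorityList("SOME_AUTHORITY"), true,
                Collections.singleton("read"),
                new HashSet<String>(Collections.singleton(RESOURCE_ID)),
                null, null, null);
        OAuth2Authentication auth = new OAuth2Authentication(request,
                new UsernamePasswordAuthenticationToken(user, "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("test-token-" + user);
        token.setScope(Collections.singleton("read"));
        tokenStore.storeAccessToken(token, auth);
        return token;
    }
}
```

The negative test is the one that matters here: a resource-server chain that only has positive tests (valid token gives 200) never notices that the interceptor has stopped enforcing anything.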

I think you are missing the "Authorization" header. You need a "Bearer" value in the header value.

Reference:


The problematic part of the configuration is

the "pattern" attribute of the intercept-url; since the "pattern" attribute of the http element is set to /api/user/**, the intercept-url

<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

has no effect unless it has the same prefix (/api/user/**).

If you are trying to use IS_AUTHENTICATED_FULLY only for the /api/user/** pattern, the intercept-url should be

<security:http pattern="/api/user/**" ...>
  <security:anonymous enabled="false" />
  <security:intercept-url pattern="/api/user/**" access="IS_AUTHENTICATED_FULLY" />
  <security:custom-filter ref="userResourceServer" before="PRE_AUTH_FILTER" />
  <security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>

If you want the rule to apply to the whole application, something like the following should work:

<security:http create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
                  access-decision-manager-ref="accessDecisionManager">
  <security:anonymous enabled="false" />
  <security:intercept-url pattern="/api/user/**" access="IS_AUTHENTICATED_FULLY" />
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <security:custom-filter ref="userResourceServer" before="PRE_AUTH_FILTER" />
  <security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>

I found the cause of the problem, and it is very specific to our application.

Elsewhere in the configuration we override the built-in FilterInvocationSecurityMetadataSource (using an evil bean post-processor) to add a custom FilterInvocationSecurityMetadataSource. This disables all the <intercept-url> rules in the configuration file. We did this because we were migrating a legacy custom security framework to Spring Security and wanted to keep the URL security in the existing files.

Thanks to everyone who tried to help.
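To make the root cause in the answer above concrete (added example, neither the poster's code nor Spring's), the sketch below does what that answer describes, a BeanPostProcessor that swaps the metadata source of the FilterSecurityInterceptor, but in the fail-closed form: the custom source delegates to the source Spring built from the <intercept-url> elements for any URL the legacy table does not know, and rejectPublicInvocations is switched on so that a URL with no rule at all is refused instead of being treated as public. Returning null or an empty collection from getAttributes() is precisely what un-protected /api/user/** in the question: AbstractSecurityInterceptor treats "no attributes" as a public invocation unless that flag is set. The legacy rule for /solapCore/** and the class names are assumptions made up for the example.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example, not the poster's code. Legacy URL rules kept outside the XML, consulted first,
// with the <intercept-url>-generated source as fallback so nothing silently becomes public.
public class LegacyUrlSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private final Map<RequestMatcher, Collection<ConfigAttribute>> legacyRules =
            new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
    private final FilterInvocationSecurityMetadataSource xmlRules; // built from <intercept-url>, may be null

    public LegacyUrlSecurityMetadataSource(FilterInvocationSecurityMetadataSource xmlRules) {
        this.xmlRules = xmlRules;
        // Assumed legacy rule: the old framework guarded /solapCore/** with a role check.
        legacyRules.put(new AntPathRequestMatcher("/solapCore/**"), SecurityConfig.createList("ROLE_USER"));
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        FilterInvocation fi = (FilterInvocation) object;
        for (Map.Entry<RequestMatcher, Collection<ConfigAttribute>> rule : legacyRules.entrySet()) {
            if (rule.getKey().matches(fi.getHttpRequest())) {
                return rule.getValue();
            }
        }
        // Fall through to the XML rules so /api/user/** keeps its IS_AUTHENTICATED_FULLY.
        // A bare "return null" here is the bug from the question: the interceptor would let
        // the request through as public.
        return xmlRules != null ? xmlRules.getAttributes(object) : null;
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        List<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> attrs : legacyRules.values()) {
            all.addAll(attrs);
        }
        if (xmlRules != null && xmlRules.getAllConfigAttributes() != null) {
            all.addAll(xmlRules.getAllConfigAttributes());
        }
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

// Wraps (rather than replaces) the metadata source of every FilterSecurityInterceptor the
// namespace configuration created, one per <security:http> element.
class WrapUrlSecurityPostProcessor implements BeanPostProcessor {

    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        if (bean instanceof FilterSecurityInterceptor) {
            FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) bean;
            fsi.setSecurityMetadataSource(
                    new LegacyUrlSecurityMetadataSource(fsi.getSecurityMetadataSource()));
            // Fail closed: a URL that neither the legacy table nor <intercept-url> covers is
            // refused with an IllegalArgumentException instead of being served as public.
            fsi.setRejectPublicInvocations(true);
        }
        return bean;
    }
}
```

rejectPublicInvocations turns an unmapped URL into a configuration error (an exception, not a 401 or 403), which is the behaviour you want while migrating rule sets: the gap shows up on the first request instead of staying invisible the way it did here.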

It works perfectly with the access token (Authorization header). The problem is that my resource is invoked even without a token.

In web.xml the url-pattern is /api/*. Maybe you need to remove the /api prefix from the security configuration.

I have other, different servlet mappings, so I need to narrow the dispatcher servlet's url-pattern. But the dispatcher servlet is handling the request, so the servlet's url-pattern should be correct, otherwise I would see a 404. Thanks for trying to help me :)

The problem is that I put "/**" in the intercept-url pattern because "/api/user/**" did not work (that was the first thing I tried). Also, I did not mention it in the question, but below /api/user/** there is also a generic element that catches the other URLs. At first I thought that might be part of the problem, but even without the generic element the problem remains: I can access the resource without any token (and without being authenticated in any other way). Still, thanks a lot for your help, much appreciated.

Could you share the full security configuration file? It is hard to find the cause of the problem.