Java 在Oauth2中使用resourceId的意义是什么?它在令牌生成过程中是否扮演任何角色?
我在 OAuth2 中使用密码授权流(password grant)。最初,我用 resourceId "api" 注册了客户端并生成了令牌。使用该令牌,我可以访问任何资源。然后我又注册了一个没有 resourceId 的新客户端,并生成了令牌。使用这个令牌,我同样被允许访问任何资源。那么这是否意味着一个令牌可以访问任何资源?还是说为特定资源生成的令牌应该只能访问该特定资源?如果是后者,我做错了什么?
java, spring, spring-boot, spring-security, spring-security-oauth2
//This is authorization server
@EnableAuthorizationServer
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    /** Resolves the resource owner for the password grant (constructor-injected). */
    private final UserDetailsService userService;

    /** Authenticates resource-owner credentials for the password grant (constructor-injected). */
    private final AuthenticationManager authenticationManager;

    // Single in-memory client registration. The property defaults below form a
    // complete, working credential pair, so both must be overridden per deployment.
    @Value("${oauth2.clientId:mobile-app}")
    private String clientId;

    @Value("${oauth2.clientSecret:mobile123}")
    private String clientSecret;

    @Value("${oauth2.accessTokenValiditySeconds:43200}") // 12 hrs
    private int accessTokenValiditySeconds;

    @Value("${oauth2.refreshTokenValiditySeconds:2592000}") // 30 days
    private int refreshTokenValiditySeconds;

    @Value("${oauth2.authorizedGrantTypes:password,authorization_code,refresh_token}")
    private String[] authorizedGrantTypes;

    // Field-injected, unlike the two collaborators above; used only to hash the
    // client secret before it is handed to the in-memory client store.
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    /**
     * Creates the authorization-server configuration.
     *
     * @param userService           user lookup used by the token endpoint
     * @param authenticationManager authenticates the password grant
     */
    public OauthConfiguration(UserDetailsService userService, AuthenticationManager authenticationManager) {
        this.userService = userService;
        this.authenticationManager = authenticationManager;
    }

    /**
     * Restricts the token-introspection endpoint (check_token) to authenticated callers.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
    }

    /**
     * Registers the single OAuth2 client in memory.
     *
     * <p>{@code resourceIds("api")} declares the audience this client's tokens are issued
     * for; presumably it surfaces as the token's {@code aud} claim — confirm against the
     * converter in use. NOTE(review): a client registered with <em>no</em> resourceIds gets
     * an empty audience set, and as far as I recall Spring Security OAuth's resource-server
     * check only rejects a token whose audience set is non-empty and lacks the server's own
     * id, so such a token is accepted by every resource server — verify against the
     * library version in use before relying on resourceIds as an access boundary.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient(clientId)
                // Stored hashed; the configured PasswordEncoder must match (BCrypt here).
                .secret(bCryptPasswordEncoder.encode(clientSecret))
                .resourceIds("api")
                .scopes("read", "write")
                .authorizedGrantTypes(authorizedGrantTypes)
                .accessTokenValiditySeconds(accessTokenValiditySeconds)
                .refreshTokenValiditySeconds(refreshTokenValiditySeconds);
    }

    /**
     * Wires the token endpoint: JWT token format, user lookup and the
     * authentication manager required by the password grant.
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
        endpoints.userDetailsService(userService);
        endpoints.accessTokenConverter(accessTokenConverter());
    }

    /**
     * JWT converter used to encode access tokens.
     *
     * <p>NOTE(review): no signing key is configured here. The converter then presumably
     * falls back to a randomly generated per-instance HMAC key, in which case tokens can
     * only be verified by this same JVM instance (not by a separately deployed resource
     * server, and not after a restart) — confirm, and set an explicit key or key pair
     * if that is not the intended deployment.
     *
     * @return a converter with library defaults
     */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        return new JwtAccessTokenConverter();
    }
}
**And this is the resource server**
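@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    /**
     * Declares the id this resource server answers to.
     *
     * <p>NOTE(review): as far as I recall, the resource-server token check rejects a token
     * only when its audience set is non-empty and does not contain this id; a token issued
     * to a client registered without any resourceIds carries an empty audience and is
     * therefore accepted — confirm against the library version in use.
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("api");
    }

    /**
     * Access rules for the {@code /api/**} filter chain.
     *
     * <p>Spring Security evaluates {@code antMatchers} rules in declaration order and the
     * first matching rule wins. The public sign-in path is therefore declared before the
     * catch-all {@code /api/**} rule; in the previous order {@code /api/signin/**} was
     * already captured by {@code /api/**}.authenticated() and its {@code permitAll()} rule
     * was unreachable.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                // Bearer-token API: never create an HTTP session.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // This chain only handles /api/** requests.
                .antMatcher("/api/**")
                .authorizeRequests()
                // Most specific rule first, otherwise it is shadowed by /api/**.
                .antMatchers("/api/signin/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated();
    }
}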