Java Spring引导API请求忽略OAuth2令牌,可以在没有它的情况下运行
我的spring boot项目中有3个配置用于实现oauth2 sso安全性,详细信息如下: AuthorizationServerConfig.javaJava Spring引导API请求忽略OAuth2令牌,可以在没有它的情况下运行,java,spring,spring-boot,oauth-2.0,postman,Java,Spring,Spring Boot,Oauth 2.0,Postman,我的spring boot项目中有3个配置用于实现oauth2 sso安全性,详细信息如下: AuthorizationServerConfig.java @Configuration @EnableAuthorizationServer @Order(10) public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { static final String CLIENT_ID =
@Configuration
@EnableAuthorizationServer
@Order(10)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
static final String CLIENT_ID = "xxxx";
static final String CLIENT_SECRET = "xxxxx";
static final String GRANT_TYPE = "password";
static final String AUTHORIZATION_CODE = "authorization_code";
static final String REFRESH_TOKEN = "refresh_token";
static final String IMPLICIT = "implicit";
static final String SCOPE_READ = "read";
static final String SCOPE_WRITE = "write";
static final String TRUST = "trust";
static final int ACCESS_TOKEN_VALIDITY_SECONDS = 1*60*60;
static final int REFRESH_TOKEN_VALIDITY_SECONDS = 60*60*24;
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(CLIENT_ID)
.secret(CLIENT_SECRET)
.authorizedGrantTypes(GRANT_TYPE, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT )
.scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "resource_id";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.
anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(10)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
@Resource(name = "user-service")
private UserDetailsService userDetailsService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(encoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").permitAll();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
public BCryptPasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
}
@Configuration
@EnableAuthorizationServer
@Order(10)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
static final String CLIENT_ID = "xxxx";
static final String CLIENT_SECRET = "xxxxx";
static final String GRANT_TYPE = "password";
static final String AUTHORIZATION_CODE = "authorization_code";
static final String REFRESH_TOKEN = "refresh_token";
static final String IMPLICIT = "implicit";
static final String SCOPE_READ = "read";
static final String SCOPE_WRITE = "write";
static final String TRUST = "trust";
static final int ACCESS_TOKEN_VALIDITY_SECONDS = 1*60*60;
static final int REFRESH_TOKEN_VALIDITY_SECONDS = 60*60*24;
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(CLIENT_ID)
.secret(CLIENT_SECRET)
.authorizedGrantTypes(GRANT_TYPE, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT )
.scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "resource_id";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.
anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(10)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
@Resource(name = "user-service")
private UserDetailsService userDetailsService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(encoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").permitAll();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
public BCryptPasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
}
@Configuration
@EnableAuthorizationServer
@Order(10)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
static final String CLIENT_ID = "xxxx";
static final String CLIENT_SECRET = "xxxxx";
static final String GRANT_TYPE = "password";
static final String AUTHORIZATION_CODE = "authorization_code";
static final String REFRESH_TOKEN = "refresh_token";
static final String IMPLICIT = "implicit";
static final String SCOPE_READ = "read";
static final String SCOPE_WRITE = "write";
static final String TRUST = "trust";
static final int ACCESS_TOKEN_VALIDITY_SECONDS = 1*60*60;
static final int REFRESH_TOKEN_VALIDITY_SECONDS = 60*60*24;
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(CLIENT_ID)
.secret(CLIENT_SECRET)
.authorizedGrantTypes(GRANT_TYPE, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT )
.scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.authenticationManager(authenticationManager);
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "resource_id";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.
anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(10)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
@Resource(name = "user-service")
private UserDetailsService userDetailsService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(encoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").permitAll();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
public BCryptPasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
}
@RestController
@RequestMapping("/user")
@EnableResourceServer
public class UserController {
@Autowired
private UserService userService;
@PostMapping("")
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Get All User")
public Map<String, Object> getAll(@RequestParam (value = "pageNumber", defaultValue = "1") Integer
pageNumber,
@RequestParam (value = "pageSize", defaultValue = "20") Integer pageSize,
@RequestParam (value = "sortBy", defaultValue = "userId") String sortBy,
@RequestParam (value = "sortDirection", defaultValue = "DESC") String sortDirection) throws
Exception{
Map<String, Object> resultList = userService.findAll(pageNumber - 1, pageSize, sortBy.trim(),
sortDirection);
if (resultList.get("dataCount").equals(0)) {
throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ada");
}
return resultList;
}
@PostMapping(path="/create")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Create User")
public Map<String, Object> create(HttpServletRequest request, @RequestBody CreateUser dto) throws Exception{
return userService.create(dto);
}
@PostMapping(path="/detail/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Find User by Id")
public Map<String, Object> detail(HttpServletRequest request, @PathVariable("id") String id) throws Exception{
Map<String, Object> resultList = userService.findById(id);
if (resultList.get("result") == null) {
throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
}
return resultList;
}
@PostMapping(path = "/update/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Edit User")
public Map<String, Object> update(HttpServletRequest request,
@PathVariable("id") String id,
@RequestBody UpdateUser dto) throws Exception {
Map<String, Object> resultList = userService.findById(id);
if (resultList.get("result") == null) {
throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
}else {
return userService.update(id, dto);
}
}
@PostMapping(path = "/delete/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Delete User")
public Object delete(HttpServletRequest request, @PathVariable("id") String id) throws Exception{
Map<String, Object> resultList = userService.findById(id);
if (resultList.get("result") == null) {
throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
}else {
return userService.delete(id);
}
}
@PostMapping(path = "/delete-user-role/{userId}/{roleId}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Delete Role From User")
@Transactional
public Object deleteRoleFromUser(HttpServletRequest request, @PathVariable("userId") String userId,
@PathVariable("roleId") String roleId)
throws Exception{
return userService.deleteRoleFromUser(userId, roleId);
}
@PostMapping(path = "/add-user-role/{userId}/{roleId}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Add Role To User")
public Object addRoleToUser(HttpServletRequest request, @PathVariable("userId") String userId,
@PathVariable("roleId") String roleId)
throws Exception{
return userService.addRoleToUser(userId, roleId);
}
}
@RestController
@请求映射(“/user”)
@EnableResourceServer
公共类用户控制器{
@自动连线
私人用户服务;
@邮戳(“”)
@ResponseStatus(HttpStatus.OK)
@API操作(“获取所有用户”)
公共映射getAll(@RequestParam(value=“pageNumber”,defaultValue=“1”)整数
页码,
@RequestParam(value=“pageSize”,defaultValue=“20”)整数pageSize,
@RequestParam(value=“sortBy”,defaultValue=“userId”)字符串sortBy,
@RequestParam(value=“sortDirection”,defaultValue=“DESC”)字符串sortDirection)抛出
例外情况{
Map resultList=userService.findAll(pageNumber-1,pageSize,sortBy.trim(),
排序方向);
if(resultList.get(“dataCount”).equals(0)){
抛出新的ResponseStatusException(HttpStatus.NOT_FOUND,“Data Tidak Ada”);
}
返回结果列表;
}
@后期映射(路径=“/create”)
@应答器
@ResponseStatus(HttpStatus.OK)
@API操作(“创建用户”)
公共映射创建(HttpServletRequest请求,@RequestBody CreateUser dto)引发异常{
返回userService.create(dto);
}
@后期映射(路径=“/detail/{id}”)
@应答器
@ResponseStatus(HttpStatus.OK)
@ApiOperation(“按Id查找用户”)
公共映射详细信息(HttpServletRequest请求,@PathVariable(“id”)字符串id)引发异常{
Map resultList=userService.findById(id);
if(resultList.get(“result”)==null){
抛出新的ResponseStatusException(HttpStatus.NOT_FOUND,“Data Tidak Ditemukan”);
}
返回结果列表;
}
@后期映射(路径=“/update/{id}”)
@应答器
@ResponseStatus(HttpStatus.OK)
@API操作(“编辑用户”)
公共映射更新(HttpServletRequest),
@PathVariable(“id”)字符串id,
@RequestBody UpdateUser dto)引发异常{
Map resultList=userService.findById(id);
if(resultList.get(“result”)==null){
抛出新的ResponseStatusException(HttpStatus.NOT_FOUND,“Data Tidak Ditemukan”);
}否则{
返回userService.update(id,dto);
}
}
@PostMapping(path=“/delete/{id}”)
@应答器
@ResponseStatus(HttpStatus.OK)
@API操作(“删除用户”)
公共对象删除(HttpServletRequest请求,@PathVariable(“id”)字符串id)引发异常{
Map resultList=userService.findById(id);
if(resultList.get(“result”)==null){
抛出新的ResponseStatusException(HttpStatus.NOT_FOUND,“Data Tidak Ditemukan”);
}否则{
返回userService.delete(id);
}
}
@PostMapping(path=“/delete user role/{userId}/{roleId}”)
@应答器
@ResponseStatus(HttpStatus.OK)
@ApiOperation(“从用户删除角色”)
@交易的
公共对象deleteRoleFromUser(HttpServletRequest请求,@PathVariable(“userId”)字符串userId,
@路径变量(“roleId”)字符串(roleId)
抛出异常{
返回userService.deleteRoleFromUser(userId,roleId);
}
@PostMapping(path=“/adduserrole/{userId}/{roleId}”)
@应答器
@ResponseStatus(HttpStatus.OK)
@ApiOperation(“向用户添加角色”)
公共对象addRoleToUser(HttpServletRequest请求,@PathVariable(“userId”)字符串userId,
@路径变量(“roleId”)字符串(roleId)
抛出异常{
返回userService.addRoleToUser(userId,roleId);
}
}
如何解决此问题?看起来您的Web安全配置没有正确配置(它仍然允许所有请求通过),您可以像下面的代码一样更新配置方法吗- websecurityconfig.java
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/api-docs/**").permitAll()
.anyRequest().authenticated();
}
希望这有帮助 谢谢,伙计,它可以工作,但我也将您的解决方案添加到ResourceServerConfig.java中+1.