Spring boot Spring security oauth2始终返回403_Spring Boot_Spring Security_Oauth 2.0

Spring boot Spring security oauth2始终返回403

spring-boot spring-security oauth-2.0

Spring boot Spring security oauth2始终返回403,spring-boot,spring-security,oauth-2.0,Spring Boot,Spring Security,Oauth 2.0,我有一个SpringBoot应用程序服务于Rest端点，我正在使用SpringSecurity和Oauth2保护它。我想保护我的所有端点，除了用于身份验证、创建帐户或某些信息的端点安全配置如下所示： @Configuration @EnableAuthorizationServer public class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Autowired private Authe

我有一个SpringBoot应用程序服务于Rest端点，我正在使用SpringSecurity和Oauth2保护它。我想保护我的所有端点，除了用于身份验证、创建帐户或某些信息的端点

安全配置如下所示：

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private MongoTokenStore tokenStore;

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        //clients.withClientDetails(clientDetailsService);
        clients.inMemory().withClient("app").secret("password")
                        .accessTokenValiditySeconds(30000).authorizedGrantTypes("password", "refresh_token")
                        .refreshTokenValiditySeconds(300000000)
                        .scopes("read");
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager)
                    .pathMapping("/oauth/confirm_access", "/access_confirmation");

    }

    @Bean
    public TokenStore tokenStore() {
        return this.tokenStore;
    }

}


@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;
  @Autowired
  private SecurityContextService securityContextService;
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

我可以访问令牌端点以获取我的访问令牌，但我希望使用此访问令牌访问其他安全端点（通过将Authorization:Bearer{access_toke}添加到头），我始终可以获取HTTP 403

我错过什么了吗？如果我添加授权标题，我不应该被授权

我的控制器仅使用这些@RestController、@CrossOrigin进行注释

和@RequestMapping（“/url”）

在Spring的OAuth安全（就url安全而言）中有两种类型的安全配置

1。基本安全配置

此类应实现

websecurityConfigureAdapter

。它将处理所有没有“承载者”令牌类型（不应受oauth保护的URL）的请求

2。资源服务器配置（特定于OAuth）

此类负责处理带有

Bearer

类型的授权头的所有请求。它应该从

ResourceServerConfigurerAdapter

类扩展。在这里，您应该提到所有那些您希望受oauth保护的具有安全配置的URL

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;
  @Autowired
  private SecurityContextService securityContextService;
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

@Configuration
@EnableResourceServer
public class OAuthResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {    
        http.requestMatchers().antMatchers("/resources-to-be-protected/**").and().authorizeRequests()
                .antMatchers("/resources-to-be-protected/**").access("#oauth2.isClient()");

}
}

你能确认你的标题吗？它写为

Authorization:Bearer{token}

，但通常需要实现为

Authorization:Bearer{token}

（空间非常重要）我正在使用Postman进行测试，所以我不确定空间是否是问题所在