Spring Boot Spring Security OAuth2 always returns 403
Tags: spring-boot, spring-security, oauth-2.0

I have a Spring Boot application serving REST endpoints, and I am securing it with Spring Security and OAuth2. I want to protect all of my endpoints except the ones used for authentication, for creating an account, or for some informational data. The security configuration looks like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    // MongoTokenStore is the asker's own TokenStore implementation (not shown)
    @Autowired
    private MongoTokenStore tokenStore;

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // /oauth/token_key is public, /oauth/check_token requires an authenticated caller
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        //clients.withClientDetails(clientDetailsService);
        // single in-memory client using the password and refresh_token grants, scope "read"
        clients.inMemory().withClient("app").secret("password")
                .accessTokenValiditySeconds(30000).authorizedGrantTypes("password", "refresh_token")
                .refreshTokenValiditySeconds(300000000)
                .scopes("read");
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager)
                .pathMapping("/oauth/confirm_access", "/access_confirmation");
    }

    @Bean
    public TokenStore tokenStore() {
        return this.tokenStore;
    }
}
```
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // UserRepository, SecurityContextService and MongoUserDetailsManager are the asker's own classes (not shown)
    @Autowired
    private UserRepository userRepository;
    @Autowired
    private SecurityContextService securityContextService;
    @Autowired
    private MongoTemplate mongoTemplate;

    @Bean
    public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
        return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManagerBean())
                .userDetailsService(mongoUserDetailsManager());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
                .and().csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .formLogin().disable();
    }
}
```
I can reach the token endpoint and get my access token, but when I use that access token to call the other secured endpoints (by adding Authorization:Bearer{access_token} to the headers) I always get HTTP 403.

Am I missing something? If I add the Authorization header, shouldn't I be authorized?

My controllers are annotated only with @RestController, @CrossOrigin and @RequestMapping("/url").

In Spring's OAuth security (as far as URL security is concerned) there are two kinds of security configuration:

1. Basic security configuration. This class should extend WebSecurityConfigurerAdapter. It handles all requests that do not carry a token of type "Bearer" (the URLs that should not be protected by OAuth).

2. Resource server configuration (OAuth-specific). This class is responsible for all requests whose Authorization header is of type Bearer. It should extend the ResourceServerConfigurerAdapter class. Here you declare all the URLs, with their security configuration, that you want protected by OAuth.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Basic (non-OAuth) chain: @EnableWebSecurity instead of @EnableResourceServer
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // UserRepository, SecurityContextService and MongoUserDetailsManager are the asker's own classes (not shown)
    @Autowired
    private UserRepository userRepository;
    @Autowired
    private SecurityContextService securityContextService;
    @Autowired
    private MongoTemplate mongoTemplate;

    @Bean
    public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
        return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManagerBean())
                .userDetailsService(mongoUserDetailsManager());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
                .and().csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .formLogin().disable();
    }
}
```
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// OAuth-specific chain: handles the Bearer-protected URLs only
@Configuration
@EnableResourceServer
public class OAuthResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // only this path prefix is handled by the OAuth2 chain; everything else falls through
        http.requestMatchers().antMatchers("/resources-to-be-protected/**").and()
                .authorizeRequests()
                .antMatchers("/resources-to-be-protected/**").access("#oauth2.isClient()");
    }
}
```
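The split the answer describes, written out as a complete pair of chains with the ordering made explicit. This is an added example, not code from the question or the answer; the package name, the `/api/**` prefix and `ApiController` are assumptions for illustration, and it targets the same legacy spring-security-oauth2 stack (`org.springframework.security.oauth2.*`) the question uses. The resource server rule uses `#oauth2.hasScope('read')`, the scope the asker's in-memory client is granted, rather than `#oauth2.isClient()`: `isClient()` is true only for a client-only authentication with no user behind the token, so tokens issued through the password grant do not satisfy it.

```java
// Added example: two separate filter chains (resource server for Bearer traffic,
// plain web security for everything else). Package name, /api/** prefix and
// ApiController are assumptions for illustration; the package must sit under the
// application's component-scan root. The three classes are shown in one listing;
// in a real project each @Configuration lives in its own file.
package example.security;

import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * OAuth2-protected API. @EnableResourceServer registers a filter chain at order 3,
 * ahead of WebSecurityConfigurerAdapter's default order 100, so every request
 * matching /api/** is handled here and must carry "Authorization: Bearer <token>".
 */
@Configuration
@EnableResourceServer
class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Bearer-only: no HTTP session is created or consulted for API calls.
        resources.stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to the API prefix; other URLs fall through to the next chain.
            .requestMatchers().antMatchers("/api/**").and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // hasScope checks the scopes carried by the presented token.
                // Missing or invalid token -> 401; valid token without "read" -> 403.
                .antMatchers("/api/**").access("#oauth2.hasScope('read')");
    }
}

/**
 * Everything that is not API traffic: the public endpoints plus a deny-by-default rule.
 * /oauth/token is deliberately NOT listed here: @EnableAuthorizationServer installs its
 * own chain (order 0) that authenticates the client with HTTP Basic on that URL, so a
 * permitAll() for it in this chain never takes effect.
 */
@Configuration
@EnableWebSecurity
@Order(100) // WebSecurityConfigurerAdapter's default; spelled out to show it runs after the resource server chain
class PublicEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()       // token-based REST API: no session cookie to protect
            .formLogin().disable()
            .httpBasic().disable()
            .authorizeRequests()
                .antMatchers("/server/version", "/clients/register").permitAll()
                .anyRequest().authenticated();
    }
}

/** Hypothetical controller: one protected and one public endpoint. */
@RestController
class ApiController {

    // Reached only through the resource server chain; the Principal is the user
    // the password-grant token was issued to.
    @GetMapping("/api/me")
    String me(Principal principal) {
        return principal.getName();
    }

    // Served by the second chain, no token required.
    @GetMapping("/server/version")
    String version() {
        return "1.0";
    }
}
```

With this layout, `GET /api/me` without a header yields 401 from the resource server's entry point, with a valid `read`-scoped token yields the username, and `GET /server/version` needs no token at all. Because each `@Order` value among `WebSecurityConfigurerAdapter` beans must be unique, do not keep a second adapter at order 100 next to `PublicEndpointsSecurityConfig`.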
Can you confirm your header? You wrote it as Authorization:Bearer{token}, but it usually needs to be Authorization: Bearer {token} (the spaces are very important).

I'm testing with Postman, so I'm not sure whether the space is the problem.