Spring boot 如何将ResourceServer添加到现有的spring安全配置中
我使用以下安全配置进行授权。现在我想将令牌安全端点添加到此项目中 然而,每当我向安全端点发送请求时,我总是发现自己被重定向到登录页面(“/oauth_login”),就好像我未经授权一样。 我做错了什么?我尝试对此进行调试,当我尝试使用有效令牌访问端点时,似乎从未调用我的Spring boot 如何将ResourceServer添加到现有的spring安全配置中,spring-boot,kotlin,spring-security,Spring Boot,Kotlin,Spring Security,我使用以下安全配置进行授权。现在我想将令牌安全端点添加到此项目中 然而,每当我向安全端点发送请求时,我总是发现自己被重定向到登录页面(“/oauth_login”),就好像我未经授权一样。 我做错了什么?我尝试对此进行调试,当我尝试使用有效令牌访问端点时,似乎从未调用我的accessTokenConverter的重写decode()函数 这是我已经拥有的安全配置: @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(preP
accessTokenConverter
的重写decode()
函数
这是我已经拥有的安全配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@PropertySource("application.properties")
@Order(1)
class SecurityConfig(
private val userDetailsService: CustomUserDetailsService,
private val inMemoryClientRegistrationRepository: InMemoryClientRegistrationRepository,
private val secretAuthenticationFilter: SecretAuthenticationFilter
) : WebSecurityConfigurerAdapter() {
@Bean
@Throws(Exception::class)
override fun authenticationManager() = super.authenticationManager()
@Throws(Exception::class)
override fun configure(auth: AuthenticationManagerBuilder?) {
auth!!.userDetailsService(userDetailsService)
.passwordEncoder(BCryptPasswordEncoder(10))
}
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
http.addFilterAfter(secretAuthenticationFilter, UsernamePasswordAuthenticationFilter::class.java)
http
.authorizeRequests()
.antMatchers("/oauth_login")
.permitAll()
.antMatchers("/accounts/password")
.permitAll()
.anyRequest()
.authenticated()
.permitAll()
.and()
.logout()
.logoutUrl("/logoutconfirm")
.logoutSuccessUrl("/oauth_login")
.invalidateHttpSession(true)
.and()
.oauth2Login().loginPage("/oauth_login")
.authorizationEndpoint()
.baseUri("/oauth2/authorize-client")
.authorizationRequestRepository(authorizationRequestRepository())
.authorizationRequestResolver(CustomAuthorizationRequestResolver(inMemoryClientRegistrationRepository, "/oauth2/authorize-client"))
.and()
.tokenEndpoint()
.accessTokenResponseClient(accessTokenResponseClient())
.and()
.defaultSuccessUrl("/loginSuccess")
.failureUrl("/loginFailure")
.addObjectPostProcessor(object : ObjectPostProcessor<Any> {
override fun <O : Any> postProcess(obj: O) = when (obj) {
is OAuth2LoginAuthenticationProvider -> CustomOAuth2LoginAuthenticationProvider(obj) as O
is LoginUrlAuthenticationEntryPoint -> customizeLoginUrlAuthenticationEntryPoint(obj) as O
else -> obj
}
})
}
这是我希望能够使用有效令牌访问的安全端点:
@PreAuthorize("hasAuthority('ROLE_USER')")
@PostMapping("/accounts/password")
fun updatePassword(@RequestBody newPassword: JsonWrappedValue<String>): Boolean {
// Update password
}
@预授权(“hasAuthority('ROLE\u USER'))
@后映射(“/accounts/password”)
fun updatePassword(@RequestBody newPassword:JsonWrappedValue):布尔值{
//更新密码
}
我找到了解决问题的方法。
我将所有配置合并到一个文件中,因此安全配置如下所示
@EnableAuthorizationServer
@EnableResourceServer
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@PropertySource("application.properties")
class SecurityConfig(
private val accountRepository: AccountRepository,
private val userDetailsService: CustomUserDetailsService,
private val inMemoryClientRegistrationRepository: InMemoryClientRegistrationRepository,
private val secretAuthenticationFilter: SecretAuthenticationFilter
) : AuthorizationServerConfigurer, ResourceServerConfigurer, WebSecurityConfigurerAdapter()
这使我最终能够使用令牌到达我的端点,但破坏了我的社交登录。
然后我必须修复configure(http:HttpSecurity)
方法,因为ResourceServerConfig的默认实现将SessionCreationPolicy
设置为SessionCreationPolicy.Never
这导致我的社交登录被破坏,因为包含重定向URI等的请求参数无法恢复。添加后
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
要configure(http:HTTPSecurity)
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)