
Spring security Spring OAuth2,使用userInfoUri访问角色?


我正在构建相互独立的资源服务器和授权服务器。目前资源服务器通过用户信息 URI 向授权服务器查询与访问令牌对应的主体(principal),配置如下:

spring:
  oauth2:
    resource:
      userInfoUri: http://localhost:9999/uaa/user
在资源服务器中,我根据角色设置了受保护的端点,如下所示:

// Resource-server authorization rules: "/invoices/**" requires the END_USER role
// (hasRole prepends "ROLE_", so the granted authority must be exactly "ROLE_END_USER");
// every other request only needs an authenticated caller.
http.authorizeRequests()
        .antMatchers("/invoices/**").hasRole("END_USER")
        .anyRequest().authenticated();
当我手动访问用户信息uri时,我可以看到权限包含:

"authority": "ROLE_END_USER"
但是,当我尝试访问/invoices资源时,我收到一个访问被拒绝的异常,在日志中我看到:

OAuth2Authentication@bc5074a8: Principal: my-login; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: ROLE_USER
身份验证服务器:

/**
 * Authorization server that also exposes a {@code /user} endpoint, which a separate
 * resource server can point its {@code userInfoUri} at to resolve the principal behind
 * a bearer token.
 *
 * Layout: {@link LoginConfig} is the form-login chain guarding the authorize/login
 * endpoints; {@link OAuth2Config} registers the OAuth2 client and wires the token store.
 */
@SpringBootApplication
@RestController
@EnableResourceServer
public class ApiAuthServerApplication extends ResourceServerConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(ApiAuthServerApplication.class, args);
    }

    /**
     * Returns the caller's principal as-is. A resource server using this URI sees only
     * what gets serialized here, so the authorities it grants depend on this JSON shape.
     */
    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    /** Form-login chain for the authorization endpoints; ordered ahead of the resource-server chain. */
    @Configuration
    @EnableWebSecurity
    @Order(-10)
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomUserDetailsService userDetailsService;

        /** BCrypt is used for end-user credentials verified by the authentication manager below. */
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        /** Published under a fixed bean name so {@link OAuth2Config} can qualify on it. */
        @Override
        @Bean(name = "authenticationManagerBean")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Autowired
        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(this.userDetailsService)
                .passwordEncoder(this.passwordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // This chain only handles the three listed paths; all of them require a logged-in user.
            http.formLogin().permitAll()
                .and()
                    .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                    .authorizeRequests().anyRequest().authenticated();
        }
    }

    /** OAuth2 client registration and token-store wiring for the authorization server. */
    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Autowired
        private CustomUserDetailsService userDetailsService;

        /**
         * Tokens live only in this JVM: a separate resource server cannot look them up here,
         * and a restart invalidates every issued token.
         */
        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore)
                     .authenticationManager(authenticationManager)
                     .userDetailsService(userDetailsService);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // NOTE(review): development-only registration. The client secret is hard-coded in
            // source (whether it is compared through the BCrypt encoder depends on the
            // AuthorizationServerSecurityConfigurer, which is not shown here), the redirect URI
            // is a placeholder, the "implicit" and "password" grants plus autoApprove skip the
            // usual consent/redirect checks, and the secret should come from configuration.
            clients.inMemory()
                   .withClient("my-client")
                   .secret("our_s3cret")
                   .authorities("ROLE_CLIENT")
                   .authorizedGrantTypes("implicit", "password", "refresh_token")
                   .redirectUris("http://anywhere")
                   .scopes("read")
                   .autoApprove(true);
        }
    }
}
总结:

  • 我可以使用用户信息uri来验证访问令牌并使用“hasRole”吗
  • 当使用单独的资源服务器和授权服务器时,是否需要使用共享数据库进行令牌存储

  • 我最终使用了一个共享令牌存储,目前它运行良好

    用户如何知道如何使用令牌?这个定义在哪里?
    /**
     * Authorization server plus a {@code /user} endpoint; the latter is what a resource
     * server's {@code userInfoUri} calls to turn a bearer token into a principal.
     *
     * {@link LoginConfig} guards the login/authorize pages with form login, while
     * {@link OAuth2Config} registers the single client and the token store.
     */
    @SpringBootApplication
    @RestController
    @EnableResourceServer
    public class ApiAuthServerApplication extends ResourceServerConfigurerAdapter {

        public static void main(String[] args) {
            SpringApplication.run(ApiAuthServerApplication.class, args);
        }

        /**
         * Echoes the current principal. Whatever is serialized from this object is all a
         * remote resource server gets to see when it maps the token to authorities.
         */
        @RequestMapping("/user")
        public Principal user(Principal user) {
            return user;
        }

        /** Form-login chain restricted to the login and authorize endpoints. */
        @Configuration
        @EnableWebSecurity
        @Order(-10)
        protected static class LoginConfig extends WebSecurityConfigurerAdapter {

            @Autowired
            private CustomUserDetailsService userDetailsService;

            /** Encoder applied to end-user passwords. */
            @Bean
            public PasswordEncoder passwordEncoder() {
                return new BCryptPasswordEncoder();
            }

            /** Fixed bean name lets {@link OAuth2Config} inject this manager by qualifier. */
            @Override
            @Bean(name = "authenticationManagerBean")
            public AuthenticationManager authenticationManagerBean() throws Exception {
                return super.authenticationManagerBean();
            }

            @Autowired
            @Override
            public void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(this.userDetailsService)
                    .passwordEncoder(this.passwordEncoder());
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // Scope this chain to three paths; each of them demands an authenticated user.
                http.formLogin().permitAll()
                    .and()
                        .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                    .and()
                        .authorizeRequests().anyRequest().authenticated();
            }
        }

        /** Client registration and token-store wiring. */
        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

            @Autowired
            private TokenStore tokenStore;

            @Autowired
            @Qualifier("authenticationManagerBean")
            private AuthenticationManager authenticationManager;

            @Autowired
            private CustomUserDetailsService userDetailsService;

            /** Process-local store: not shared with any other server, cleared on restart. */
            @Bean
            public TokenStore tokenStore() {
                return new InMemoryTokenStore();
            }

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.tokenStore(tokenStore)
                         .authenticationManager(authenticationManager)
                         .userDetailsService(userDetailsService);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                // NOTE(review): sample-only settings — literal secret in source, placeholder
                // redirect URI, implicit/password grants and autoApprove; none of these belong
                // in a deployed authorization server as written.
                clients.inMemory()
                       .withClient("my-client")
                       .secret("our_s3cret")
                       .authorities("ROLE_CLIENT")
                       .authorizedGrantTypes("implicit", "password", "refresh_token")
                       .redirectUris("http://anywhere")
                       .scopes("read")
                       .autoApprove(true);
            }
        }
    }