Spring security Spring OAuth2,使用userInfoUri访问角色?
我正在构建独立的资源服务器和授权服务器。现在,我使用资源服务器中的用户信息uri从与访问令牌匹配的授权服务器中提取主体,配置为:Spring security Spring OAuth2,使用userInfoUri访问角色?,spring-security,spring-boot,spring-security-oauth2,Spring Security,Spring Boot,Spring Security Oauth2,我正在构建独立的资源服务器和授权服务器。现在,我使用资源服务器中的用户信息uri从与访问令牌匹配的授权服务器中提取主体,配置为: spring: oauth2: resource: userInfoUri: http://localhost:9999/uaa/user 在资源服务器中,我根据角色设置了受保护的端点,如下所示: http .authorizeRequests() .antMatchers("/invoices/**").hasRol
spring:
oauth2:
resource:
userInfoUri: http://localhost:9999/uaa/user
在资源服务器中,我根据角色设置了受保护的端点,如下所示:
http
.authorizeRequests()
.antMatchers("/invoices/**").hasRole("END_USER")
.anyRequest().authenticated();
当我手动访问用户信息uri时,我可以看到权限包含:
"authority": "ROLE_END_USER"
但是,当我尝试访问/invoices资源时,我收到一个访问被拒绝的异常,在日志中我看到:
OAuth2Authentication@bc5074a8: Principal: my-login; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: ROLE_USER
身份验证服务器:
@SpringBootApplication
@RestController
@EnableResourceServer
public class ApiAuthServerApplication extends ResourceServerConfigurerAdapter {
@Configuration
@EnableWebSecurity
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Bean(name = "authenticationManagerBean")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().permitAll()
.and()
.requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
.and()
.authorizeRequests().anyRequest().authenticated();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private CustomUserDetailsService userDetailsService;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(this.authenticationManager)
.userDetailsService(this.userDetailsService)
.tokenStore(this.tokenStore);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("my-client")
.secret("our_s3cret")
.authorities("ROLE_CLIENT")
.authorizedGrantTypes("implicit", "password", "refresh_token")
.redirectUris("http://anywhere")
.scopes("read")
.autoApprove(true);
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
}
public static void main(String[] args) {
SpringApplication.run(ApiAuthServerApplication.class, args);
}
@RequestMapping("/user")
public Principal user(Principal user) {
return user;
}
}
总结:
我最终使用了一个共享令牌存储,目前它运行良好用户如何知道如何使用令牌?这个定义在哪里?
@SpringBootApplication
@RestController
@EnableResourceServer
public class ApiAuthServerApplication extends ResourceServerConfigurerAdapter {
@Configuration
@EnableWebSecurity
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Bean(name = "authenticationManagerBean")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().permitAll()
.and()
.requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
.and()
.authorizeRequests().anyRequest().authenticated();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private CustomUserDetailsService userDetailsService;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(this.authenticationManager)
.userDetailsService(this.userDetailsService)
.tokenStore(this.tokenStore);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("my-client")
.secret("our_s3cret")
.authorities("ROLE_CLIENT")
.authorizedGrantTypes("implicit", "password", "refresh_token")
.redirectUris("http://anywhere")
.scopes("read")
.autoApprove(true);
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
}
public static void main(String[] args) {
SpringApplication.run(ApiAuthServerApplication.class, args);
}
@RequestMapping("/user")
public Principal user(Principal user) {
return user;
}
}