Fatal编程技术网
  • spring-security/
  • Spring security 基于oauth令牌和基于会话的授权在spring中如何协同工作?

Spring security 基于oauth令牌和基于会话的授权在spring中如何协同工作?

spring-security oauth-2.0

Spring security 基于oauth令牌和基于会话的授权在spring中如何协同工作?,spring-security,oauth-2.0,spring-security-oauth2,Spring Security,Oauth 2.0,Spring Security Oauth2,我试图将基于oauth2的令牌(具有客户端凭据授予类型)与基于spring会话的身份验证集成在一起。使用oauth令牌和给定的权限,它可以正常工作 当我把两者结合起来时,它就不起作用了。它总是调用UsernamePasswordAuthenticationFilter,而不是OAuth2AuthenticationProcessingFilter 如何让他们一起工作?这是我的ResourceServer配置 @Configuration @EnableResourceServer protect

我试图将基于oauth2的令牌(具有客户端凭据授予类型)与基于spring会话的身份验证集成在一起。使用oauth令牌和给定的权限,它可以正常工作

当我把两者结合起来时,它就不起作用了。它总是调用UsernamePasswordAuthenticationFilter,而不是OAuth2AuthenticationProcessingFilter

如何让他们一起工作?这是我的ResourceServer配置

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(SPARKLR_RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            // Since we want the protected resources to be accessible in the UI as well we need 
            // session creation to be allowed (it's disabled by default in 2.0.6)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .and()
            .requestMatchers().antMatchers("/api/account/**", "/oauth/users/**", "/oauth/clients/**","/me")
        .and()
            .authorizeRequests()
                .antMatchers("/api/account/**").access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))")                 
                .regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')")
                .regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')")
                .regexMatchers(HttpMethod.GET, "/oauth/clients/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')");
        // @formatter:on
    }
}
问题是,在筛选器链中,未调用OAuth2AuthenticationProcessingFilter。因此,任何rest调用都不会进行令牌验证。下面是过滤器链

XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
XNIO-2 task-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@74d294b6
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/api/logout', GET]
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
XNIO-2 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /api/account' doesn't match 'POST /api/authentication
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 6 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
XNIO-2 task-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy        : /api/account at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
编辑:
我正在尝试将这两个项目合并在一起。而且

您使用的是spring boot 1.5,因此默认情况下,资源服务器筛选器链的顺序高于jhipster添加的自定义筛选器链。您需要更改顺序,或者更改模式匹配器,以便OAuth资源不被主过滤器链匹配。《spring boot用户指南》建议您按特定顺序(
SecurityProperties.ACCESS\u OVERRIDE\u order
)放入自定义筛选器链。遵循该建议可能是一个好主意。

您没有显示主筛选链是如何配置的(您似乎已经在该请求中进行了说明)。某处有完整的样本吗?@Dave-请找到完整的样本-()。我正在尝试将这两个项目合并在一起。()和()