Spring Security: how do OAuth token-based and session-based authorization work together in Spring?
Tags: spring-security, oauth-2.0, spring-security-oauth2

I am trying to integrate OAuth2 token-based authentication (with the client credentials grant type) with Spring session-based authentication. Using the OAuth token and the given authorities, it works fine. When I combine the two, it does not work. It always invokes UsernamePasswordAuthenticationFilter instead of OAuth2AuthenticationProcessingFilter. How do I get them to work together? Here is my ResourceServer configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Nested static class inside the application's OAuth2 configuration class;
// SPARKLR_RESOURCE_ID is a String constant defined on that enclosing class (not shown here).
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(false) lets this chain also use an existing HTTP session
        resources.resourceId(SPARKLR_RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            // Since we want the protected resources to be accessible in the UI as well we need
            // session creation to be allowed (it's disabled by default in 2.0.6)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            // this chain only claims the following paths; everything else falls through to other chains
            .requestMatchers().antMatchers("/api/account/**", "/oauth/users/**", "/oauth/clients/**", "/me")
            .and()
            .authorizeRequests()
                .antMatchers("/api/account/**").access("#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))")
                .regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')")
                .regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')")
                .regexMatchers(HttpMethod.GET, "/oauth/clients/.*")
                    .access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')");
        // @formatter:on
    }
}
The problem is that OAuth2AuthenticationProcessingFilter is never invoked in the filter chain, so no token validation happens for any REST call. Here is the filter chain:
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
XNIO-2 task-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
XNIO-2 task-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@74d294b6
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/api/logout', GET]
XNIO-2 task-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
XNIO-2 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/account' doesn't match 'POST /api/authentication
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 6 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
XNIO-2 task-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
XNIO-2 task-1] o.s.security.web.FilterChainProxy : /api/account at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Edit:
I am trying to merge these two projects together. And you are using Spring Boot 1.5, so by default the resource server filter chain has a higher order than the custom filter chain added by JHipster. You need to change the order, or change the pattern matchers so that the OAuth resources are not matched by the main filter chain. The Spring Boot user guide recommends putting custom filter chains at a specific order (SecurityProperties.ACCESS_OVERRIDE_ORDER). Following that advice is probably a good idea. You have not shown how the main filter chain is configured (you seem to have shown it in that request). Is there a complete sample somewhere? @Dave - please find the complete sample - (). I am trying to merge these two projects together. () and ()