Spring Security: configuring Spring Security with OAuth and form-based authentication

Tags: spring-security, spring-security-oauth2

I have a server application with two components: a) a set of REST APIs protected with OAuth (Spring Security OAuth) b) an admin dashboard with a role-based UI

For business reasons these two components need to be co-hosted, i.e. deployed as a single war. So far we only had OAuth for the REST APIs and everything was fine. The problem came when we tried to use form-based authentication for the dashboard. Now, when we access the REST APIs without an OAuth token, we just get redirected to the login page instead of getting a 401 Unauthorized error. Our configuration is as follows: Form-based authentication (WebSecurityConfigurerAdapter):

OAuth:

Resource provider configuration:

    http
        .authorizeRequests()
            .antMatchers("/abc").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')")
            .antMatchers("/xyz").access("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
Basically we want to configure different APIs with different security: the REST APIs used by the client applications must be protected by OAuth, and the Spring MVC controllers that render the dashboard pages by form-based authentication. Is this possible?

Edit: Added the order, and I am now able to get a 401 Unauthorized message when accessing the OAuth-protected REST APIs. But the form login does not work: I can access all dashboard pages without logging in. More code snippets:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.provider.ClientDetailsService;
    import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

    // Resource server chain: protects the REST APIs with bearer tokens
    @Configuration
    @EnableResourceServer
    public class ResourceProviderConfiguration extends ResourceServerConfigurerAdapter {
        .....
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/abc").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')")
                    .antMatchers("/xyz").access("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
                    .and()
                // restrict this chain to the API paths only
                .requestMatchers()
                    .antMatchers("/abc", "/xyz", "/others");
        }
    }

    // Authorization server: issues the tokens the resource server checks
    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationProviderConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private UserApprovalHandler userApprovalHandler;

        @Autowired
        ClientDetailsService webClientDetailsService;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        .......
        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }
        ......
    }

    // Form-login chain for the dashboard pages
    @Configuration
    @EnableWebSecurity
    @Order(5)
    public class UserAuthenticationConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/css/**", "/img/**", "/login/**", "/oauth/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/delegate/success", true)
                    .failureUrl("/login/fail")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login")
                    .permitAll();
        }
    }
Spring Security log:

DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant    [pattern='/oauth/token']
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/oauth/token'
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/oauth/token_key'
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/oauth/check_token'
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/abc/**']
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/abc/**'
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/xyz/**']
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/xyz/**'
DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@7f8059. A new one will be created.
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@cebda04
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/logout'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET '/def'' doesn't match 'POST /login/new
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 794828541EF505314237BBC81C2ACAF4; Granted Authorities: ROLE_ANONYMOUS'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG o.s.security.web.FilterChainProxy - '/def' at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/css/**'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/oauth/**'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/img/**'
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/def'; against '/login/**'
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
DEBUG o.s.security.web.FilterChainProxy - '/def' reached end of additional     filter chain; proceeding with original chain
DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'webservice' processing GET request for ['/handler/def']
Final configuration that works:

  1. Add an @Order to the web security configurer so that it comes after the resource provider configuration (which defaults to 3).

  2. Make sure the WebSecurityConfigurerAdapter has the .anyRequest().authenticated() configuration.


  • I can see it checking the permitAll() matchers in the log, but there is no sign of anyRequest().authenticated(). You also need to add a request matcher to the HttpSecurity (i.e. http.requestMatchers().anyRequest()).

    What @Order are you using on the WebSecurityConfigurerAdapter (it needs to be after the ResourceServerConfiguration, which defaults to 3)?

    We added @Order(1) for the ResourceServerConfiguration and @Order(2) for the WebSecurityConfigurerAdapter. It still shows the same behaviour: unauthorized REST API access redirects to the login page.

    How did you change the order of the ResourceServerConfiguration? (I wouldn't do that.)

    Right, that approach did not work. I have now changed the ResourceServerConfiguration to @Order(3) and the WebSecurityConfigurerAdapter to @Order(4). I do get the 401 Unauthorized error for the REST APIs, but the web configuration does not work! I can access any link in the dashboard without authentication. We also use an AuthorizationServerConfigurerAdapter and a GlobalMethodSecurity configuration. What inherent ordering am I missing here? I could not find any documentation on this; if you have a link, please share. Thanks.

    I can't really say what you have done without seeing more code. Why do you even have a ResourceServerConfiguration (normally you import it with @EnableResourceServer)?
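The following is an added example, not code from the original question or answer, showing the two filter chains that the asker's final configuration and the answer's advice describe: a resource server chain restricted to the API paths at the default order 3, and a form-login chain at order 4 that claims everything else with `requestMatchers().anyRequest()` and ends in `anyRequest().authenticated()`. It assumes the legacy spring-security-oauth2 2.x API used on this page; the class names `SplitSecurityConfiguration`, `ApiResourceServerConfiguration` and `DashboardWebSecurityConfiguration` are made up, the API patterns are widened to `/abc/**`, `/xyz/**` and `/others/**` (the log shows the `/**` form), and the `/oauth/token`, `/oauth/token_key` and `/oauth/check_token` endpoints are left to the order-0 chain that `@EnableAuthorizationServer` registers, which is the first chain visible in the asker's log.

```java
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Two filter chains in one war, in the order FilterChainProxy tries them:
 *   0 - the authorization server chain (/oauth/token, /oauth/token_key,
 *       /oauth/check_token) registered elsewhere by @EnableAuthorizationServer,
 *   3 - the resource server chain below, limited to the API paths,
 *   4 - the form-login chain below, which takes everything else.
 * FilterChainProxy uses the first chain whose request matcher matches, so the
 * form-login chain must never be ordered before the resource server chain.
 * Class names in this file are hypothetical.
 */
@Configuration
public class SplitSecurityConfiguration {

    /** API chain: bearer tokens only; a missing token yields 401, not a redirect. */
    @Configuration
    @EnableResourceServer   // registers this chain at @Order(3) by default; leave it there
    public static class ApiResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // Claim only the API paths; every other URL falls through to the next chain.
                .requestMatchers()
                    .antMatchers("/abc/**", "/xyz/**", "/others/**")
                    .and()
                // Bearer-token APIs are stateless: never create an HttpSession for them.
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .antMatchers("/abc/**").access("#oauth2.hasScope('read') and hasRole('ROLE_USER')")
                    .antMatchers("/xyz/**").access("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
                    // A path in this chain with no explicit rule (/others/**) still
                    // needs a valid token; without this line it would be public.
                    .anyRequest().authenticated();
        }
    }

    /** Dashboard chain: form login, sessions and CSRF protection for browser users. */
    @Configuration
    @EnableWebSecurity
    @Order(4)   // strictly after the resource server's 3
    public static class DashboardWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Take every request the API chain did not claim.
                .requestMatchers()
                    .anyRequest()
                    .and()
                .authorizeRequests()
                    .antMatchers("/css/**", "/img/**", "/login/**").permitAll()
                    // /oauth/authorize is served by this chain and needs a logged-in user;
                    // the token endpoints never reach here (order-0 chain, see above).
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/delegate/success", true)
                    .failureUrl("/login/fail")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login")
                    .permitAll();
            // CSRF protection is left at its default (enabled) for this browser-facing
            // chain; the snippet in the question disabled it for the whole application.
        }
    }
}
```

To check the split after deployment, request an API path without a token (for example `curl -i http://localhost:8080/abc`, host and port assumed) and expect an HTTP 401 with a `WWW-Authenticate: Bearer` header from the resource server chain, then request any dashboard URL and expect a 302 to `/login`; a 302 on the API path means the form-login chain was tried first, and a 200 on an unauthenticated dashboard URL means the chain is missing its `anyRequest().authenticated()` rule, which is exactly what the "Public object - authentication not attempted" line in the log above reports. Note that the spring-security-oauth2 project used here has reached end of life; new deployments should build on Spring Security's own OAuth2 resource server support, where the same two-chain pattern applies.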