Question
I am using the following:
- spring 4.2
- spring security 4.0.2
- spring oauth2 2.0.7
I am trying to configure a single server which handles:
- general MVC stuff (some protected and some not)
- authorization server
- resource server
It seems like the resource server configuration is not limited to /rest/** but is overriding ALL security configuration, i.e. calls to protected NON-OAuth resources are not being protected (i.e. the filter is not catching them and redirecting to login).
The configuration (I have removed some stuff for simplicity):
    // Imports added for completeness; the enclosing class and the RESOURCE_ID
    // constant were omitted from the original post.
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        // Resource-server settings: resource id, token store, no HTTP session.
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore)
                .stateless(true);
        }

        // requestMatchers() is meant to scope this filter chain to /rest/** only.
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/rest/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/rest/**").access("hasRole('USER') and #oauth2.hasScope('read')");
        }
    }
    // Imports added for completeness; the three injected collaborators below
    // were removed from the original post, so their types are assumed here.
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
    import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
    import org.springframework.security.web.AuthenticationEntryPoint;
    import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // Elided in the original; types assumed.
        @Autowired
        private AuthenticationProvider mongoClientAuthenticationProvider;
        @Autowired
        private AuthenticationProvider mongoUserAuthenticationProvider;
        @Autowired
        private UserDetailsService formUserDetailsService;

        // Expose the AuthenticationManager as a bean so the token endpoint filter can use it.
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        protected AuthenticationEntryPoint authenticationEntryPoint() {
            OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
            entryPoint.setRealmName("example");
            return entryPoint;
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .authenticationProvider(mongoClientAuthenticationProvider)
                .authenticationProvider(mongoUserAuthenticationProvider)
                .userDetailsService(formUserDetailsService);
        }

        // Authenticates OAuth2 clients posting client_id/client_secret to /oauth/token.
        @Bean
        protected ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter() throws Exception {
            ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter();
            filter.setAuthenticationManager(authenticationManagerBean());
            filter.afterPropertiesSet();
            return filter;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/account/**", "/account")
                    .antMatchers("/oauth/token")
                    .antMatchers("/login")
                    .and()
                .authorizeRequests()
                    .antMatchers("/account/**", "/account").hasRole("USER")
                    .antMatchers("/oauth/token").access("isFullyAuthenticated()")
                    .antMatchers("/login").permitAll()
                    .and()
                .exceptionHandling()
                    .accessDeniedPage("/login?authentication_error=true")
                    .and()
                .csrf()
                    .disable()
                .logout()
                    .logoutUrl("/logout")
                    .invalidateHttpSession(true)
                    .and()
                .formLogin()
                    .loginProcessingUrl("/login")
                    .failureUrl("/login?authentication_error=true")
                    .loginPage("/login");
            http.addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class);
        }
    }
Answer 1:
You are using multiple HttpSecurity configurations. Spring needs to know the order. Annotate your SecurityConfig class with @Order:
    @Configuration
    @EnableWebSecurity
    @Order(4)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {}
The annotation @EnableResourceServer creates a WebSecurityConfigurerAdapter with a hard-coded Order (of 3). It's not possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget).
Reference:
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.html
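As an added example (not code from the question or either answer), the following shows the ordering rule from the answer applied end to end: the resource-server adapter keeps the fixed order 3 that @EnableResourceServer assigns and is scoped with requestMatchers() to /rest/**, while the MVC adapter carries an explicit @Order(4) and deliberately sets no requestMatchers(), so it becomes the catch-all chain for every other URL and unlisted pages are sent to the login form rather than served unprotected. The package name, the RESOURCE_ID value, the in-memory token store and user, and the URL paths are assumptions constructed for this example.

```java
// Added example; not from the question or the answers. Two ordered filter
// chains on one server. Spring Security hands each request to the FIRST
// WebSecurityConfigurerAdapter (lowest @Order) whose request matcher accepts
// it, so scoping the order-3 resource server to /rest/** and leaving the
// order-4 MVC adapter unscoped gives a clean split.
package com.example.security; // assumed package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class OrderedSecurityExample {

    static final String RESOURCE_ID = "example-api"; // constructed value

    // In-memory store keeps the example self-contained; a real deployment
    // would use a persistent or JWT-based TokenStore.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    // Order 3 is fixed by @EnableResourceServer (see the answer above).
    // Because requestMatchers() is set, this chain claims ONLY /rest/**;
    // every other URL falls through to the next adapter in order.
    @Configuration
    @EnableResourceServer
    protected static class RestApiConfig extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID).tokenStore(tokenStore).stateless(true);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/rest/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/rest/**").access("#oauth2.hasScope('read')");
        }
    }

    // Explicit @Order(4): evaluated after the resource server and never at 3.
    // No requestMatchers() here, so anyRequest() means "everything that is
    // not /rest/**": an unlisted protected page is redirected to /login
    // instead of being served without authentication.
    @Configuration
    @EnableWebSecurity
    @Order(4)
    public static class MvcConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("alice").password("example-password").roles("USER"); // constructed test user
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login", "/public/**").permitAll()
                    .antMatchers("/account/**").hasRole("USER")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll();
        }
    }
}
```

A quick way to confirm which chain owns which URL is the startup log: Spring Security's DefaultSecurityFilterChain logs one "Creating filter chain: ..." line per adapter, listing its request matcher, in order. With this layout the first line shows the Ant pattern /rest/** and the second shows the catch-all matcher; if the catch-all appears first, the ordering is wrong and the resource server will never see /rest/** requests.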
Answer 2:
The solution is that you should use the following lib(s) versions, otherwise you will face this issue. Hope this helps. You can't use spring-security version 4.0.2.
- spring-security-acl-3.2.7.RELEASE.jar
- spring-security-config-3.2.7.RELEASE.jar
- spring-security-core-3.2.7.RELEASE.jar
- spring-security-oauth2-2.0.7.RELEASE.jar
- spring-security-taglibs-3.2.7.RELEASE.jar
Source: https://stackoverflow.com/questions/32206843/spring-oauth2-multi-server-annotations-configuration-resource-authorization