Spring Oauth2單獨的資源服務器配置

Question

我想爲oauth2配置單獨的auth和資源服務器。 我可以成功配置授權服務器，並且能夠進行身份驗證並生成訪問令牌。現在我想配置一個資源服務器，它可以通過api端點與auth服務器通信來驗證訪問令牌。 以下是我的資源服務器配置。

@Configuration 
@EnableResourceServer 
@EnableWebSecurity 
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter  { 


@Override 
protected void configure(HttpSecurity http) throws Exception { 
    System.out.println("Oauth2SecurityConfiguration before"); 
    http 
       .authorizeRequests() 
       .antMatchers(HttpMethod.GET, "/api/v1/**").authenticated(); 
    System.out.println("Oauth2SecurityConfiguration after"); 
} 

@Bean 
public AccessTokenConverter accessTokenConverter() { 
    return new DefaultAccessTokenConverter(); 
} 

@Bean 
public RemoteTokenServices remoteTokenServices() { 
    final RemoteTokenServices remoteTokenServices = new RemoteTokenServices(); 
    remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token"); 
    remoteTokenServices.setClientId("clientId"); 
    remoteTokenServices.setClientSecret("clientSecret"); 
    remoteTokenServices.setAccessTokenConverter(accessTokenConverter()); 
    return remoteTokenServices; 
} 

@Override 
@Bean 
public AuthenticationManager authenticationManager() throws Exception { 
    OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager(); 
    authenticationManager.setTokenServices(remoteTokenServices()); 
    return authenticationManager; 
} 
} 


@Configuration 
@EnableResourceServer 
public class ResourceServerConfig extends ResourceServerConfigurerAdapter { 
    @Override 
    public void configure(HttpSecurity http) throws Exception { 
     http.csrf().disable(); 
     System.out.println("http.csrf().disable()"); 
     http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").fullyAuthenticated(); 
     System.out.println("http.authorizeRequests().anyRequest().authenticated()"); 
    } 
} 


@Configuration 
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) 
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { 

@Override 
protected MethodSecurityExpressionHandler createExpressionHandler() { 
    return new OAuth2MethodSecurityExpressionHandler(); 
} 
} 

問： 1.爲什麼我的AuthenticationManager在資源服務器，而所有的認證委託給auth服務器。 （我不得不添加它來加載應用程序上下文）

除此之外，我正面臨以下問題。

1. 即使我沒有通過授權標頭和訪問令牌與請求。它正在經歷。

   http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members" 
   HTTP/1.1 200 OK 
   Content-Type: application/json;charset=UTF-8 
   Date: Mon, 19 Oct 2015 19:45:14 GMT 
   Server: Apache-Coyote/1.1 
   Transfer-Encoding: chunked 
   { 
   "entities": [], 
   "errors": [], 
   "message": null 
   } 
   

2. 過濾器只能立即調用我沒有看到以下請求的日誌。它在某處緩存授權嗎？

我是新來的春天oauth請讓我知道如果我做錯了什麼。我使用

spring-security-oauth2 : 2.0.7.RELEASE 
spring-security-core : 4.0.1.RELEASE 
java : 1.8 

Answer 1

你不需要@EnableWebSecurity上Oauth2SecurityConfiguration@EnableResourceServer就夠了。 您還應該用extends ResourceServerConfigurerAdapter替換extends WebSecurityConfigurerAdapter。

如果你想用你的RemoteTokenServices比如我建議你重寫ResourceServerConfigurerAdapterpublic void configure(ResourceServerSecurityConfigurer resources) throws Exception與

@Override 
public void configure(ResourceServerSecurityConfigurer resources) throws Exception 
{ 
    resources.tokenServices(serverConfig.getTokenServices()); 
}