我想爲oauth2配置單獨的auth和資源服務器。 我可以成功配置授權服務器,並且能夠進行身份驗證並生成訪問令牌。現在我想配置一個資源服務器,它可以通過api端點與auth服務器通信來驗證訪問令牌。 以下是我的資源服務器配置。Spring Oauth2單獨的資源服務器配置
@Configuration
@EnableResourceServer
@EnableWebSecurity
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
System.out.println("Oauth2SecurityConfiguration before");
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/v1/**").authenticated();
System.out.println("Oauth2SecurityConfiguration after");
}
@Bean
public AccessTokenConverter accessTokenConverter() {
return new DefaultAccessTokenConverter();
}
@Bean
public RemoteTokenServices remoteTokenServices() {
final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token");
remoteTokenServices.setClientId("clientId");
remoteTokenServices.setClientSecret("clientSecret");
remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
return remoteTokenServices;
}
@Override
@Bean
public AuthenticationManager authenticationManager() throws Exception {
OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
authenticationManager.setTokenServices(remoteTokenServices());
return authenticationManager;
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
System.out.println("http.csrf().disable()");
http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").fullyAuthenticated();
System.out.println("http.authorizeRequests().anyRequest().authenticated()");
}
}
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
問: 1.爲什麼我的AuthenticationManager在資源服務器,而所有的認證委託給auth服務器。 (我不得不添加它來加載應用程序上下文)
除此之外,我正面臨以下問題。
即使我沒有通過授權標頭和訪問令牌與請求。它正在經歷。
http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members" HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Date: Mon, 19 Oct 2015 19:45:14 GMT Server: Apache-Coyote/1.1 Transfer-Encoding: chunked { "entities": [], "errors": [], "message": null }
過濾器只能立即調用我沒有看到以下請求的日誌。它在某處緩存授權嗎?
我是新來的春天oauth請讓我知道如果我做錯了什麼。我使用
spring-security-oauth2 : 2.0.7.RELEASE
spring-security-core : 4.0.1.RELEASE
java : 1.8
但我看到「爲了使用此過濾器,你必須在應用程序某處@EnableWebSecurity,」在文檔的http: //docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.html –