我正在尝试使用OAuth从Spring Boot 1.4.1 Brixton.RELEASE升级示例Spring Boot和Spring Cloud Security到Spring Boot 1.5.3 Dalston.RELEASE . 然而,这是一个漫长的艰难尝试,没有任何成功 .
似乎由于某种原因资源服务器安全过滤器链没有被解雇 . 因此,默认安全过滤器链正在处理对“/ me”或“/ user”的调用 . 我在想这是否是订单问题 . 但是尝试按如下方式明确设置安全过滤器链的顺序
-
Auth Server 6
-
Web默认值5
-
资源服务器3(硬编码??)
由于默认过滤器链正在处理请求,因此它总是进入登录页面,该页面生成HTML并且SSO客户端(服务器端百万美元Web UI)失败 .
源代码如下
Authorization server
@SpringBootApplication
public class MyAuthServerApplication {
public static void main(String[] args) {
SpringApplication.run(MyAuthServerApplication.class, args);
}
}
然后是授权服务器配置
@Configuration
@EnableAuthorizationServer
@Order(6)
public class AuthorizationServerConfigurer extends A
uthorizationServerConfigurerAdapter {
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws
Exception {
clients.inMemory()
.withClient("myauthserver")
.secret("verysecretpassword")
.redirectUris("http://localhost:8080/")
.authorizedGrantTypes("authorization_code", "refresh_token")
.scopes("myscope")
.autoApprove(true);
}
}
然后是资源服务器类
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends
ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/user")
.authorizeRequests()
.anyRequest()
.authenticated();
}
}
Web MVC配置
@Configuration
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("login").setViewName("login");
}
}
默认的spring安全配置
@Configuration
@EnableWebSecurity
@Order(9)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and().csrf()
.and().formLogin().loginPage("/login");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("admin").roles("USER", "ADMIN");
}
}
资源控制器
@RestController
public class ResourceController {
@RequestMapping(value = { "/user" }, produces = "application/json")
public Map<String, Object> user(OAuth2Authentication user) {
Map<String, Object> userDetails = new HashMap<>();
userDetails.put("user", user.getUserAuthentication().getPrincipal());
userDetails.put("authorities",
AuthorityUtils.
authorityListToSet(user.getUserAuthentication().getAuthorities()));
return userDetails;
}
}
最后配置 - auth服务器的application.yml
server:
port: 9090
contextPath: /auth
logging:
level:
org.springframework: INFO
org.springframework.security: DEBUG
此处未显示login.html Thymeleaf模板 .
OAUTH 2 SSO Client Web App
@SpringBootApplication
public class MyWebsiteApplication {
public static void main(String[] args) {
SpringApplication.run(MyWebsiteApplication.class, args);
}
}
Web安全配置
@Configuration
@EnableOAuth2Sso
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").permitAll() // Allow navigating to index
page,
.anyRequest().authenticated(); // but secure all the other URLs
}
}
Web控制器
@Controller公共类MyWebsiteController {
/**
* Default index page to verify that our application works.
*/
@RequestMapping("/")
@ResponseBody
public String helloWorld() {
return "Hello world!";
}
/**
* Return a ModelAndView which will cause the
'src/main/resources/templates/time.html' template to be rendered,
* with the current time.
*/
@RequestMapping("/time")
public ModelAndView time() {
ModelAndView mav = new ModelAndView("time");
mav.addObject("currentTime", getCurrentTime());
return mav;
}
private String getCurrentTime() {
return LocalTime.now().format(DateTimeFormatter.ISO_LOCAL_TIME);
}
}
应用程序配置 - 客户端Web应用程序的application.yml
server:
port: 8080
contextPath: /
security:
oauth2:
client:
accessTokenUri: http://localhost:9090/auth/oauth/token
userAuthorizationUri: http://localhost:9090/auth/oauth/authorize
clientId: myauthserver
clientSecret: verysecretpassword
resource:
userInfoUri: http://localhost:9090/auth/user
此处未显示time.html页面的Thymeleaf模板 .
必须有一些微妙的小配置错误或我不知道的一些错误 . 任何帮助或想法高度赞赏 .
1 回答
Solution
猜猜是对的,安全过滤器链的订购被改变了 . 这是链接
Spring 1.5.x release note
修改后的代码在这里,稍后会将其上传到Github . auth服务器配置的所有更改 .
Spring安全配置 - 删除@Order注释 .
然后按如下方式更改application.yml
那就是在auth服务器上进行身份验证后,客户端应用程序/时间URL上显示的时间 .