
Spring Boot and Spring Cloud Security OAuth 2 SSO fails on the latest version


I am trying to upgrade the sample Spring Boot and Spring Cloud Security application using OAuth from Spring Boot 1.4.1 Brixton.RELEASE to Spring Boot 1.5.3 Dalston.RELEASE. However, it has been a long and painful attempt without any success.

It seems that for some reason the resource server security filter chain is not being fired. Therefore the default security filter chain is handling the calls to "/me" or "/user". I was wondering whether this is an ordering problem, but I tried explicitly setting the order of the security filter chains as follows

  • Auth Server 6

  • Web default 5

  • Resource server 3 (hard-coded??)

Since the default filter chain handles the request, it always ends up at the login page, which generates HTML, and the SSO client (a server-side million-dollar web UI) fails.

The source code is as follows

Authorization server

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class MyAuthServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(MyAuthServerApplication.class, args);
    }
}

Then the authorization server configuration

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
@Order(6)
public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client used by the SSO web app on port 8080
        clients.inMemory()
                .withClient("myauthserver")
                .secret("verysecretpassword")
                .redirectUris("http://localhost:8080/")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("myscope")
                .autoApprove(true);
    }
}

Then the resource server class

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // This chain only claims /user; requests there must carry a valid access token
        http.antMatcher("/user")
                .authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}

Web MVC configuration

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("login").setViewName("login");
    }
}

Default Spring Security configuration

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Order(9)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().authenticated()
                .and().csrf()
                .and().formLogin().loginPage("/login");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER")
                .and()
                    .withUser("admin").password("admin").roles("USER", "ADMIN");
    }
}

Resource controller

import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ResourceController {

    // User-info endpoint the SSO client calls with the access token (userInfoUri)
    @RequestMapping(value = { "/user" }, produces = "application/json")
    public Map<String, Object> user(OAuth2Authentication user) {
        Map<String, Object> userDetails = new HashMap<>();
        userDetails.put("user", user.getUserAuthentication().getPrincipal());
        userDetails.put("authorities",
                AuthorityUtils.authorityListToSet(user.getUserAuthentication().getAuthorities()));
        return userDetails;
    }
}

Finally, the configuration: application.yml for the auth server

server:
  port: 9090
  contextPath: /auth

logging:
  level:
      org.springframework: INFO
      org.springframework.security: DEBUG

The login.html Thymeleaf template is not shown here.

OAuth 2 SSO client web app

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class MyWebsiteApplication {

    public static void main(String[] args) {
        SpringApplication.run(MyWebsiteApplication.class, args);
    }
}

Web security configuration

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()   // Allow navigating to the index page,
                .anyRequest().authenticated();  // but secure all the other URLs
    }
}

Web controller

import java.time.LocalTime;
import java.time.format.DateTimeFormatter;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class MyWebsiteController {

    /**
     * Default index page to verify that our application works.
     */
    @RequestMapping("/")
    @ResponseBody
    public String helloWorld() {
        return "Hello world!";
    }

    /**
     * Return a ModelAndView which will cause the
     * 'src/main/resources/templates/time.html' template to be rendered,
     * with the current time.
     */
    @RequestMapping("/time")
    public ModelAndView time() {
        ModelAndView mav = new ModelAndView("time");
        mav.addObject("currentTime", getCurrentTime());
        return mav;
    }

    private String getCurrentTime() {
        return LocalTime.now().format(DateTimeFormatter.ISO_LOCAL_TIME);
    }
}

Application configuration: application.yml for the client web app

server:
  port: 8080
  contextPath: /

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:9090/auth/oauth/token
      userAuthorizationUri: http://localhost:9090/auth/oauth/authorize
      clientId: myauthserver
      clientSecret: verysecretpassword
    resource:
      userInfoUri: http://localhost:9090/auth/user

The Thymeleaf template for the time.html page is not shown here.

There must be some subtle little configuration error, or some bug I am not aware of. Any help or ideas highly appreciated.

1 Answer


    Solution

    The guess was right: the ordering of the security filter chains was changed. Here is the link:
    Spring 1.5.x release note

    The modified code is here; I will upload it to GitHub later. All the changes are in the auth server configuration.

    Spring Security configuration: remove the @Order annotation.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                        .antMatchers("/login").permitAll()
                        .anyRequest().authenticated()
                    .and().csrf()
                    .and().formLogin().loginPage("/login");
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .inMemoryAuthentication()
                        .withUser("user").password("password").roles("USER")
                    .and()
                        .withUser("admin").password("admin").roles("USER", "ADMIN");
        }
    }
    

    Then change application.yml as follows

    server:
      port: 9090
      contextPath: /auth
    
    logging:
      level:
        org.springframework: INFO
        org.springframework.security: DEBUG
    
    security:
      oauth2:
        resource:
          filter-order: 3
    

    That's it: after authenticating on the auth server, the time is displayed on the client app's /time URL.
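The diagnosis in the answer, shown as an added Python model that is not code from the question or the answer: Spring Security's FilterChainProxy sorts the SecurityFilterChains by their order value and hands each request to the first chain whose request matcher accepts it, so a chain that sorts later never sees the request. The chain orders 6, 9 and 3 are the ones from the question; the Boot 1.5 default order of the resource-server chain (SecurityProperties.ACCESS_OVERRIDE_ORDER - 1) is assumed here to be a very large number, and the request is a constructed sample.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed value of SecurityProperties.ACCESS_OVERRIDE_ORDER - 1, the Boot 1.5
# default for the resource-server chain; what matters is that it sorts AFTER
# any small @Order value such as the question's @Order(9).
BOOT_15_RESOURCE_SERVER_ORDER = 2**31 - 8


@dataclass(order=True)
class Chain:
    order: int                                   # the chain's @Order / filter-order
    name: str = field(compare=False)
    matches: Callable[[str], bool] = field(compare=False)   # request matcher
    handle: Callable[[str, bool], Dict] = field(compare=False)


def dispatch(chains: List[Chain], path: str, bearer: bool) -> Dict:
    """First matching chain in ascending order wins, as in FilterChainProxy."""
    for chain in sorted(chains):
        if chain.matches(path):
            result = chain.handle(path, bearer)
            result["chain"] = chain.name
            return result
    raise LookupError(f"no SecurityFilterChain matches {path}")


def auth_server_chain(order: int = 6) -> Chain:
    # @EnableAuthorizationServer: serves only the /oauth/* endpoints
    return Chain(order, "auth-server", lambda p: p.startswith("/oauth/"),
                 lambda p, tok: {"status": 200})

def resource_server_chain(order: int) -> Chain:
    # antMatcher("/user"): checks the Bearer token, never redirects to a login page
    return Chain(order, "resource-server", lambda p: p == "/user",
                 lambda p, tok: {"status": 200 if tok else 401})

def web_default_chain(order: int) -> Chain:
    # anyRequest().authenticated() + formLogin: ignores Bearer tokens and sends
    # the SSO client's user-info call to the HTML login page instead of JSON
    return Chain(order, "web-default", lambda p: True,
                 lambda p, tok: {"status": 302, "location": "/login"})


def user_info_call(resource_server_order: int, web_order: int) -> Dict:
    """Constructed sample: the SSO client's GET /user with a valid Bearer token."""
    chains = [auth_server_chain(), resource_server_chain(resource_server_order),
              web_default_chain(web_order)]
    return dispatch(chains, "/user", bearer=True)
```

With the Boot 1.4 ordering, user_info_call(3, 9) is answered by the resource-server chain with 200 and JSON; with the Boot 1.5 default order the form-login chain answers first with a 302 to /login, which is exactly the symptom in the question, and filter-order: 3 restores the first result.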
