【Question title】: Spring security oauth2 always returning 403
【Posted】: 2018-08-28 17:56:54
【Question】:

I have a Spring Boot application serving REST endpoints that I protect with Spring Security and OAuth2. I want to protect all of my endpoints except the ones used for authentication, for creating an account, or for some informational data.

The security configuration looks like this:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private MongoTokenStore tokenStore; // the poster's own TokenStore implementation backed by MongoDB

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // /oauth/token_key is public, /oauth/check_token requires client authentication
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        //clients.withClientDetails(clientDetailsService);
        // one in-memory client using the password and refresh_token grants, scope "read" only
        clients.inMemory().withClient("app").secret("password")
                        .accessTokenValiditySeconds(30000).authorizedGrantTypes("password", "refresh_token")
                        .refreshTokenValiditySeconds(300000000)
                        .scopes("read");
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // the AuthenticationManager is what makes the password grant work
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager)
                    .pathMapping("/oauth/confirm_access", "/access_confirmation");

    }

    @Bean
    public TokenStore tokenStore() {
        return this.tokenStore;
    }

}


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@Configuration
@EnableResourceServer // the resource server is enabled on the same class as the web security chain
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;                   // the poster's own Spring Data repository
  @Autowired
  private SecurityContextService securityContextService;   // the poster's own service
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    // the poster's own UserDetailsService backed by MongoDB
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        // endpoints that must stay reachable without a token
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

I can reach the token endpoint to obtain my access_token, but when I want to use this access_token to access the other secured endpoints (by adding Authorization:Bearer {access_token} to the headers), I always get HTTP 403.

Am I missing something? If I add the Authorization header, shouldn't I be authorized?

My controllers are annotated only with @RestController, @CrossOrigin and @RequestMapping("/url").

【Comments】:

  • Can you confirm your header? It is written as Authorization:Bearer {token}, but generally it has to be Authorization: Bearer {token} (the space is super important)
  • I'm testing with Postman, so I'm not sure whether the space is the problem

Tags: spring-boot spring-security oauth-2.0
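To separate "no usable bearer token reached the filter" (401) from "the token was accepted but an access rule rejected the request" (403), a Spring Boot integration test is the quickest check. The following is an added example, not code from the question. It assumes a controller serving GET /api/profile and GET /api/admin/users, a resource server rule that requires scope read on the former and scope write on the latter, and a user alice/s3cret that the question's MongoUserDetailsManager can resolve; the client id, secret and scope come from the question's in-memory client.

```java
package com.example.auth; // assumed package name

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc // MockMvc with the Spring Security filter chains applied
public class BearerTokenAccessTest {

    @Autowired
    private MockMvc mockMvc;

    private final ObjectMapper json = new ObjectMapper();

    // Password grant against /oauth/token, authenticating the client "app" / "password"
    // from the question with HTTP Basic. "alice" / "s3cret" is an assumed user that the
    // question's MongoUserDetailsManager can resolve.
    private String obtainAccessToken() throws Exception {
        String body = mockMvc.perform(post("/oauth/token")
                        .with(httpBasic("app", "password"))
                        .param("grant_type", "password")
                        .param("username", "alice")
                        .param("password", "s3cret")
                        .param("scope", "read"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.token_type").value("bearer"))
                .andReturn().getResponse().getContentAsString();
        return json.readTree(body).get("access_token").asText();
    }

    @Test
    public void missingTokenIsRejectedWith401() throws Exception {
        // No Authorization header at all: the resource server's entry point answers
        // 401 with error "unauthorized" (an expired or unknown token gives 401 with
        // error "invalid_token"). A 401 means no usable bearer token reached the filter.
        mockMvc.perform(get("/api/profile"))
                .andExpect(status().isUnauthorized())
                .andExpect(jsonPath("$.error").value("unauthorized"));
    }

    @Test
    public void validTokenWithGrantedScopeIsAccepted() throws Exception {
        String token = obtainAccessToken();
        // Single space between the scheme and the token, as the comment thread notes.
        mockMvc.perform(get("/api/profile").header("Authorization", "Bearer " + token))
                .andExpect(status().isOk());
    }

    @Test
    public void validTokenFailingAnAccessRuleIs403() throws Exception {
        String token = obtainAccessToken();
        // The token is valid and the user is authenticated, but the assumed rule on
        // /api/admin/** demands scope "write", which client "app" was never granted.
        // A failing scope check answers 403 with error "insufficient_scope"; any other
        // failing rule (hasRole, #oauth2.isClient, ...) answers 403 with error
        // "access_denied". Either way a 403 points at an access rule, not at a
        // missing or malformed header.
        mockMvc.perform(get("/api/admin/users").header("Authorization", "Bearer " + token))
                .andExpect(status().isForbidden())
                .andExpect(jsonPath("$.error").value("insufficient_scope"));
    }
}
```

The `error` field in the JSON body is the fastest way to read a Spring Security OAuth2 rejection: `unauthorized` and `invalid_token` come from the authentication entry point (the token was missing or not accepted), while `insufficient_scope` and `access_denied` come from the access-denied handler (the token was accepted and an access rule said no).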


【Answer 1】:

OAuth security in Spring (as far as URL security is concerned) has two kinds of security configuration.

1. Basic security configuration

This class should extend WebSecurityConfigurerAdapter. It will handle all requests that do not carry a token of type "Bearer" (the URLs that should not be protected by OAuth).

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity // @EnableResourceServer moves to the resource server class below
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private UserRepository userRepository;                   // the question's own Spring Data repository
  @Autowired
  private SecurityContextService securityContextService;   // the question's own service
  @Autowired
  private MongoTemplate mongoTemplate;

  @Bean
  public MongoUserDetailsManager mongoUserDetailsManager() throws Exception {
    // the question's own UserDetailsService backed by MongoDB
    return new MongoUserDetailsManager(userRepository, securityContextService, authenticationManagerBean(), mongoTemplate);
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManagerBean())
        .userDetailsService(mongoUserDetailsManager());
  }

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception {
    http.
        authorizeRequests()
        .antMatchers("/login", "/oauth/authorize", "/oauth/token", "/server/version", "/clients/register").permitAll()
        .and().csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
        .disable();
  }

}

2. Resource server configuration (OAuth specific)

This class is responsible for handling all requests that carry an Authorization header of type Bearer. It should extend the ResourceServerConfigurerAdapter class. Here you should list all the URLs you want to be OAuth-protected, together with their security configuration.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class OAuthResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // requestMatchers() limits this filter chain to the listed paths; every other
        // request falls through to the WebSecurityConfigurerAdapter chain above.
        http.requestMatchers().antMatchers("/resources-to-be-protected/**")
            .and().authorizeRequests()
            // #oauth2.isClient() passes only for tokens issued without a user
            // (client_credentials grant). Tokens from the password grant carry a
            // user, so they need #oauth2.isUser(), a scope check, or .authenticated().
            .antMatchers("/resources-to-be-protected/**").access("#oauth2.isClient()");
    }
}
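A fuller version of the split this answer describes, as an added example rather than the answerer's code: it makes the order of the two filter chains explicit, restricts the resource server chain to /api/**, and uses scope checks that work for password-grant tokens, since #oauth2.isClient() only passes for client-only tokens. The /api/** paths, the resource id "api", the ADMIN role and the "write" scope are assumptions (the question's client only holds scope "read", so a write rule would need that scope added to the client). The user-store and AuthenticationManager wiring from the SecurityConfig above is not repeated here and still has to be present.

```java
package com.example.auth; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Chain for Bearer-token requests. @EnableResourceServer registers it with order 3,
 * ahead of every WebSecurityConfigurerAdapter (default order 100), so any path
 * claimed by requestMatchers() below never reaches the web-security chain.
 */
@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed resource id. The question's in-memory client declares no resourceIds, so it
    // is accepted for any resource id; a client that does declare them must list this one.
    static final String RESOURCE_ID = "api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Claim only the API paths; everything else falls through to PublicWebSecurityConfig.
            .requestMatchers().antMatchers("/api/**")
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Rules are evaluated top-down and the first match wins, so the narrower
                // admin rule must precede the general read rule. A failing hasScope()
                // yields 403 "insufficient_scope"; a failing hasRole() yields 403 "access_denied".
                .antMatchers("/api/admin/**").access("#oauth2.hasScope('write') and hasRole('ADMIN')")
                // Password-grant tokens carry a user, so #oauth2.isClient() would reject
                // them with 403; check the scope the client was granted instead.
                .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                .anyRequest().access("#oauth2.hasScope('write')");
    }
}

/**
 * Chain for everything that is not an API call. Package-private only so that both
 * classes fit in one listing; in a project each goes in its own file.
 */
@Configuration
@EnableWebSecurity
@Order(100) // the WebSecurityConfigurerAdapter default, written out to show it runs after order 3
class PublicWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                // Public endpoints from the question. /oauth/token, /oauth/check_token and
                // /oauth/token_key are served by the authorization server's own chain
                // (order 0) and need no entry here.
                .antMatchers("/server/version", "/clients/register").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().disable();
    }
}
```

Two things are easy to get wrong here. First, without requestMatchers() the resource server chain claims every request, because it runs before the web-security chain, and the permitAll() rules in the web-security chain are then never consulted. Second, the access expression must match the kind of token actually issued: #oauth2.isClient() is true only for client_credentials tokens, #oauth2.isUser() only for tokens that carry a user, and #oauth2.hasScope() only for scopes the client was granted at the token endpoint.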

【Discussion】:
