java – SpringBoot 1.5.x安全性OAuth2
我有一个带有OAuth2安全性的
Spring Boot REST API.
今天我将spring-boot-starter-parent的版本从1.4.2升级到1.5.2. 变化让我很困惑. 之前,我可以使用Postman测试我的REST API.当我的访问令牌不正确或我没有特定资源的权限时,服务器响应如下: { "error": "access_denied","error_description": "Access is denied" } 现在它一直将我重定向到/登录页面…当我登录时 – 它显示我的资源而没有任何OAuth2身份验证… 我试图禁用它,我发现了这个神奇的属性: security.oauth2.resource.filter-order = 3 此行关闭重定向到登录页面. 但是,我的问题是: >这两个版本在安全方面发生了什么? 我的代码中一些更重要的部分: 的pom.xml <!--- .... --> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.5.2.RELEASE</version> </parent> <properties> <!--- .... --> <spring-security-oauth.version>2.1.0.RELEASE</spring-security-oauth.version> <!--- .... --> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- Monitor features --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-actuator</artifactId> </dependency> <!-- Security + OAuth2 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> <version>${spring-security-oauth.version}</version> </dependency> <!--- .... --> application.properties #other properties security.oauth2.resource.filter-order = 3 OAuth2.java public class OAuth2 { @EnableAuthorizationServer @Configuration @ComponentScan public static class AuthorizationServer extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManagerBean; @Autowired private UserDetailsService userDetailsService; @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("trusted_client") .authorizedGrantTypes("password","refresh_token") .scopes("read","write"); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManagerBean).userDetailsService(userDetailsService); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security.allowFormAuthenticationForClients(); } } @EnableResourceServer @Configuration @ComponentScan public static class ResourceServer extends ResourceServerConfigurerAdapter { @Autowired private RoleHierarchy roleHierarchy; private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() { DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler(); defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy); return defaultWebSecurityExpressionHandler; } @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests().expressionHandler(webExpressionHandler()) .antMatchers("/api/**").hasRole("DEVELOPER"); } } } Security.java @EnableWebSecurity @Configuration @ComponentScan public class Security extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Bean public JpaAccountDetailsService userDetailsService(AccountsRepository accountsRepository) { return new JpaAccountDetailsService(accountsRepository); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public PasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder(); } } 解决方法
好的,我现在明白了.
@Cleto Gadelha向我指出了非常有用的信息. 但是我觉得发行说明很不清楚或遗漏了一些信息.除了OAuth2资源过滤器从3更改为SecurityProperties.ACCESS_OVERRIDE_ORDER – 1之外,关键信息是默认WebSecurityConfigurerAdapter顺序为100 (source). 因此,在1.5.x版之前,OAuth2资源服务器顺序为3,其优先级高于WebSecurityConfigurerAdapter. 发布1.5.x后,OAuth2资源服务器顺序设置为SecurityProperties.ACCESS_OVERRIDE_ORDER – 1 这就是为什么从1.4.x迁移到1.5.x后,我会看到登录页面的原因 因此,更优雅和类似Java的样式解决方案是在WebSecurityConfigurerAdapter类上设置@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |