
Spring Security and OAuth2 resource control override each other and cannot take effect at the same time

On top of an existing Spring Security setup I added Spring Security OAuth2 to control requests under /api. I went through many configurations found online, but in testing I found that Spring Security's resource control and Spring Security OAuth2's resource control override each other, so I cannot get them to control separate areas. If the configuration includes security.oauth2.resource.filter-order=3, Spring Security's control is used; otherwise OAuth2's control is used.

My configuration in code is as follows:

Spring Security configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// UserManagerService, CustomSimpleUrlAuthenticationSuccessHandler and
// CustomSimpleUrlAuthenticationFailureHandler are the poster's own classes
// (assumed to live in this package or to be imported separately).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserManagerService userManagerService;

    @Override
    @Bean // shared with oauth2
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Password hashing
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // disable CSRF protection (cross-origin access)
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/oauth/**").permitAll()
                .antMatchers("/**/*.js", "/**/*.css", "/**/*.png",
                        "/**/*.gif", "/**/*.jpg", "/**/*.jpeg", "/**/*.map",
                        "/**/*.ico").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/user/login_page")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(new CustomSimpleUrlAuthenticationSuccessHandler())
                .failureHandler(new CustomSimpleUrlAuthenticationFailureHandler())
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/user/login_page")
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(userManagerService)
            .passwordEncoder(passwordEncoder());
    }

}

Spring Security OAuth2 configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

// UserManagerService is the poster's own UserDetailsService implementation.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration
        extends AuthorizationServerConfigurerAdapter {
    @Autowired
    AuthenticationManager authenticationManager;
    @Autowired
    private UserManagerService userManagerService;

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.tokenStore(tokenStore())
                .userDetailsService(userManagerService)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
        // allow form-based client authentication
        security
                .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("cmdb")
                .authorizedGrantTypes("password", "refresh_token")
                .secret("api")
                .scopes("xxx");
    }
}

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration
        extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}

I have read many blogs before and looked into the authorization flows of the several Spring OAuth2 grant modes, but I have not found the cause.

慕侠2389804
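Added example (editor's code, not the poster's): Spring Security tries its filter chains in order and the first chain whose request matcher accepts the request handles it; the resource server chain above has no `requestMatchers()` scoping, so it matches every request, and whichever chain is ordered first swallows all traffic, which is exactly the all-or-nothing flip the `filter-order` property produces. Scoping the resource server chain to `/api/**` lets the form-login chain keep everything else; the stateless session policy and CSRF setting are my assumptions for a bearer-token API, not something the post specifies.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict THIS filter chain to /api/** only. Without requestMatchers()
            // the chain's matcher is "any request", so it also captures the login
            // page, static assets and every other URL the WebSecurityConfig chain
            // is supposed to handle (or, if ordered after it, never runs at all).
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            // Assumption: API calls carry a bearer token, so no HTTP session is
            // needed and a session cookie must not be accepted as authentication.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Assumption: no cookie-based auth on this chain, so CSRF does not apply.
            .csrf().disable()
            // Authorization rules for the requests that reached this chain
            .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}
```

The scoped chain must still be ordered ahead of the catch-all `WebSecurityConfig` chain (a `WebSecurityConfigurerAdapter` defaults to order 100), so keep `security.oauth2.resource.filter-order` at a value below 100, such as the 3 mentioned in the question; then `/api/**` is answered by the token check and everything else falls through to form login.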