On top of the existing Spring Security setup I added Spring Security OAuth2 to control requests under /api. I went through a lot of configurations online, but while testing I found that Spring Security's resource control and Spring Security OAuth2's resource control override each other, and I cannot get them to control their paths separately. If I add security.oauth2.resource.filter-order=3 to the configuration, Spring Security's control takes effect; otherwise OAuth2's control does.
My configuration in code is as follows:
Spring Security configuration:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    // Session/form-login filter chain. WebSecurityConfigurerAdapter has the default
    // order 100 and, since no requestMatchers() is set, this chain matches every URL,
    // /api/** included.
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserManagerService userManagerService;   // application's own UserDetailsService

        @Override
        @Bean // exposed as a bean so the OAuth2 authorization server can share it
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /**
         * Password hashing
         */
        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // disable CSRF protection (cross-origin access); note this turns it off
                // for the whole chain, including the session-based form login below
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/oauth/**").permitAll()
                    .antMatchers("/**/*.js", "/**/*.css", "/**/*.png",
                            "/**/*.gif", "/**/*.jpg", "/**/*.jpeg", "/**/*.map",
                            "/**/*.ico").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/user/login_page")
                    .loginProcessingUrl("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    // custom success/failure handlers defined elsewhere in the application
                    .successHandler(new CustomSimpleUrlAuthenticationSuccessHandler())
                    .failureHandler(new CustomSimpleUrlAuthenticationFailureHandler())
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/user/login_page")
                    .permitAll();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userManagerService)
                .passwordEncoder(passwordEncoder());
        }
    }
Spring Security OAuth2 configuration:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;   // the bean exposed by WebSecurityConfig

        @Autowired
        private UserManagerService userManagerService;

        // in-memory store: tokens are lost on restart and not shared between instances
        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore())
                .userDetailsService(userManagerService)
                // required for the password grant
                .authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            // allow clients to send client_id/client_secret as form parameters
            // instead of HTTP Basic on /oauth/token
            security.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("cmdb")
                .authorizedGrantTypes("password", "refresh_token")
                // plaintext secret works with Spring Security 4.x; under 5.x the stored
                // secret must be encoded with the PasswordEncoder bean
                .secret("api")
                .scopes("xxx");
        }
    }
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    // Bearer-token filter chain. Only the authorization rule is scoped to /api/**;
    // no requestMatchers() is set, so the chain's request matcher is still /** and
    // it competes with WebSecurityConfig for every URL.
    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated();
        }
    }
I have read many blogs before and looked up the authorization flows of the several Spring OAuth2 grant types, but I have not found the cause.
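The usual way to give each chain its own URL space, written here as an added example and not the questioner's code: scope the resource-server chain to /api/** with requestMatchers() (the question's version only scopes the authorization rule, so both chains still match every URL) and make sure that chain is ordered before the WebSecurityConfigurerAdapter chain, which sits at the default order 100. It assumes Spring Boot 1.5.x autoconfiguration with spring-security-oauth2, where the resource-server chain takes its order from the security.oauth2.resource.filter-order property the question already mentions; the class name ApiResourceServerConfiguration is made up. The WebSecurityConfig from the question can stay as it is.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example, hypothetical class name.
//
// Ordering (Spring Boot 1.5.x): the resource-server chain is ordered by
// security.oauth2.resource.filter-order, whose default places it AFTER the
// WebSecurityConfigurerAdapter chain (order 100). Because that chain matches
// every URL, it would claim /api/** first and redirect to the login page.
// Put this in application.properties so the API chain is consulted first:
//
//     security.oauth2.resource.filter-order=3
//
// With the request matcher below, the API chain then only claims /api/** and
// every other URL falls through to the form-login chain.
@Configuration
@EnableResourceServer
public class ApiResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict the chain's *request matcher*, not just the access rule:
            // requests outside /api/** skip this chain entirely.
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            // Everything this chain does see needs a valid bearer token.
            // @EnableResourceServer already makes the chain stateless and
            // disables CSRF for it, which is correct for token-authenticated
            // API calls; the form-login chain keeps its own settings.
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A quick check that the split works: a request to /api/anything without an Authorization header should now get a 401 with a WWW-Authenticate: Bearer header from the resource-server entry point, while the same request to a non-/api page still gets the redirect to /user/login_page. If /api/** still redirects to the login page, the order property is not being picked up and the form-login chain is still first.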