Spring OAuth @EnableResourceServer阻止来自OAuth服务器的登录页面

Question

localhost的浏览器响应:9999/uaa/oauth/authorize？response_type = code&client_id = acme&redirect_uri = http://example.com是302 Found,
但localhost:9999/uaa/login的响应是401 Unauthorized.

我可以在添加@EnableResourceServer之前获取登录令牌.我使用Spring启动并扩展WebSecurityConfigurerAdapter以使用带有数据源的身份验证管理器.当我尝试添加ResourceServerConfigurerAdapter时,它不会构建.允许登录页面的最简单方法是什么？

@SpringBootApplication
@RestController
@EnableResourceServer
public class OAuthSvcApplication extends WebMvcConfigurerAdapter {

private static final Logger log = LoggerFactory.getLogger(OAuthSvcApplication.class);

   @RequestMapping("/user")
   public Principal user(Principal user) {
    return user;
   }
   public static void main(String[] args) {
      SpringApplication.run(OAuthSvcApplication.class, args);
   }

}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {


@Autowired
public void configureAuth(AuthenticationManagerBuilder auth,DataSource dataSource, Environment env)
        throws Exception {

    auth.jdbcAuthentication().dataSource(dataSource);
}


@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }


    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
            security.checkTokenAccess("hasAuthority('USER')");
        }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code",
                        "refresh_token", "password").scopes("openid");
        }

    }
}

Answer 1

应始终在其他过滤器之前订购SpringSecurityFilterChain.如果要为所有或某些端点添加自己的身份验证,最好的办法是添加自己的WebSecurityConfigurerAdapter,其顺序较低.如下修改WebSecurityConfigurerAdapter子类允许ResourceServer使用jdbc身份验证mgr:

@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;


    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager).jdbcAuthentication().dataSource(dataSource);

    }

}