Unable to access resources using access_token: Spring Boot OAuth2

vjn*_*369 8 java spring oauth-2.0 spring-boot

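I am trying to implement OAuth2 in my existing application. Initially I added Spring Security and then tried to add OAuth2. After adding the configuration I am able to generate an access_token, but I cannot access resources using the access_token.

Here is my code: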

SecurityConfiguration.java

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/", "/patients").permitAll()
                .antMatchers("/oauth/token").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic();
        http.csrf().disable();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
                .usersByUsernameQuery("select username, password, 1 as enabled from user where username=?")
                .authoritiesByUsernameQuery("select username, authority from authorities where username=?");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public JdbcTokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}

SecurityOAuth2Configuration.java

@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfiguration.class)
public class SecurityOAuth2Configuration extends AuthorizationServerConfigurerAdapter {
    private static String REALM = "CRM_REALM";
    private static final int ONE_DAY = 60 * 60 * 24;
    private static final int THIRTY_DAYS = 60 * 60 * 24 * 30;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager);
    }
}

ResourceServer.java

@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable()
                .requestMatchers().antMatchers("/patients/**").and().authorizeRequests()
                .antMatchers("/patient/**").access("hasRole('USER')")
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

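I used a tutorial as a reference.

I am able to get an access token using basic auth credentials.

But when I use the same access token to get a resource, it fails.

I have added all the required tables for OAuth. Is there anything I am missing?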

Update:

I removed .and().httpBasic(); and added @Order(3) to the WebSecurityConfigurerAdapter, and updated the properties file with security.oauth2.resource.filter-order = 3

Now I get the error:

{ "timestamp": 1543500350487, "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/patient/1/" }

Update 2

Here is my user and authorities schema:

user

+----------+-----------------+------+-----+---------+----------------+
| Field    | Type            | Null | Key | Default | Extra          |
+----------+-----------------+------+-----+---------+----------------+
| id       | int(6) unsigned | NO   | PRI | NULL    | auto_increment |
| username | varchar(50)     | NO   | UNI | NULL    |                |
| password | varchar(100)    | NO   |     | NULL    |                |
+----------+-----------------+------+-----+---------+----------------+

authorities

+-----------+-----------------+------+-----+---------+----------------+
| Field     | Type            | Null | Key | Default | Extra          |
+-----------+-----------------+------+-----+---------+----------------+
| id        | int(6) unsigned | NO   | PRI | NULL    | auto_increment |
| username  | varchar(50)     | NO   | MUL | NULL    |                |
| authority | varchar(50)     | NO   |     | NULL    |                |
+-----------+-----------------+------+-----+---------+----------------+

Sve*_*ort 5

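You should use hasRole directly on your antMatcher instead of using a string inside the access() function. This will evaluate hasRole correctly and determine that the user has access to the requested resource.

This results in the following code for ResourceServer.java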

@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable()
                .requestMatchers().antMatchers("/patients/**").and().authorizeRequests()
                .antMatchers("/patient/**").hasRole("USER")
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}


Tom*_*Tom 0

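I suspect the problem may be in the way you save/load roles. In Spring Security, roles have a default prefix: ROLE_. So in your database (storage) you need to save them as ROLE_FOO, for example, and then you can use hasRole('FOO').

I found the same issue here, and my answer seemed to solve the problem: /sf/answers/3049801961/

The person who had the problem also got 403 - Forbidden, and saving the roles correctly in the database solved the problem.

You can also change the default prefix, but I don't recommend it unless you want to mess with Spring a bit.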
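
An added diagnostic, not code from the question or from either answer: it evaluates hasRole and hasAuthority against an authority stored with and without the ROLE_ prefix, and tests the two ant patterns from ResourceServer.java against the path in the 403 response, since requestMatchers() decides which requests the resource server chain handles. It assumes Spring Security 4 or later on the classpath; the class name, user name and sample authority values are constructed, and AntPathMatcher stands in for the request matcher that antMatchers() builds.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.util.AntPathMatcher;

// Hypothetical helper class for illustration; not part of the application on this page.
public class AccessDeniedDiagnostics {

    // Builds the expression root that hasRole()/hasAuthority() are evaluated
    // against, for a user holding exactly the given authority strings.
    static SecurityExpressionRoot rootFor(String... authorities) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", // constructed principal and credentials
                AuthorityUtils.createAuthorityList(authorities));
        return new SecurityExpressionRoot(auth) { };
    }

    public static void main(String[] args) {
        // Constructed values for the authorities.authority column.
        for (String stored : new String[] {"USER", "ROLE_USER"}) {
            SecurityExpressionRoot root = rootFor(stored);
            // hasRole("USER") looks for the authority "ROLE_USER" (default prefix
            // prepended); hasAuthority("USER") compares the stored string as-is.
            System.out.printf("stored=%-9s hasRole(USER)=%b hasAuthority(USER)=%b%n",
                    stored, root.hasRole("USER"), root.hasAuthority("USER"));
        }

        // Ant patterns from the question's ResourceServer and the path from its 403 body.
        AntPathMatcher matcher = new AntPathMatcher();
        String failingPath = "/patient/1/";
        for (String pattern : new String[] {"/patients/**", "/patient/**"}) {
            System.out.printf("pattern=%-13s matches %s: %b%n",
                    pattern, failingPath, matcher.match(pattern, failingPath));
        }
    }
}
```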