java Spring Oauth2配置授权端点
我使用Spring-security-oauth2:2.3.3和Spring boot starter security:2.0.2构建了带有REST WS的Spring web应用程序。但我无法设置哪些端点受到保护
ResourceServerConfig
@EnableResourceServer
@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/customers", "/v2/**").permitAll()
.antMatchers("/api/**").authenticated();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationProvider authenticationProvider) {
return new CustomAuthenticationManager(authenticationProvider);
}
@Bean
public AuthenticationProvider authenticationProvider(UserRepository userRepository, PasswordEncoder passwordEncoder) {
return new DBAuthenticationProvider(userRepository, passwordEncoder);
}
}
授权服务器配置
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
security.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("ClientId")
.secret("secret")
.authorizedGrantTypes("password")
.scopes("read", "write");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.authenticationManager(authenticationManager);
}
}
当我首先获得访问令牌时,一切都很正常,但我希望端点“/”、“/customers”、“/v2/**”都能在没有任何授权的情况下获得许可。但当我调用'curl http://{{host}}/'或http://{{{host}}}/客户时,我仍然得到401:
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
添加“-header”Authorization:Basic{{base64 client id:password}}也没有帮助。这怎么可能
编辑 根据spring security permitAll still considering token passed in Authorization header and returns 401 if token is invalid,通过向ResourceServerConfig添加@Order(1)来覆盖默认的OAuth2来解决。但这应该只有在添加“授权”标题时才会生效,这不是我的情况。那么这怎么可能呢
共 (0) 个答案