在 Java Spring 引导中配置 OAuth 2

Configuring OAuth 2 in Java Spring Boot

我正在尝试使用 OAuth 2 创建服务器,但遇到了问题。我已经配置了 OAuth,用户可以完成授权并获得令牌,但 REST 方法始终可以访问,例如未授权(没有令牌)的用户也能调用 POST 方法。

如何配置 OAuth,使 REST 方法仅在用户已授权(请求携带有效令牌)时才能调用?

下面是我的部分代码(我参考了这个示例代码):

OAuth2ServerConfiguration 类(资源服务器部分):

@Configuration
public class OAuth2ServerConfiguration {

    /**
     * Resource id shared by both halves of the setup: the client registration stamps it
     * on issued tokens (.resourceIds) and the resource server declares it (.resourceId).
     */
    private static final String RESOURCE_ID = "restservice";

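    /**
     * Resource-server side: protects the REST endpoints with bearer tokens.
     *
     * <p>Spring Security's {@code authorizeRequests()} is allow-by-default: a URL that
     * no matcher covers is served without a token. The original rules only matched
     * {@code /users} and {@code /greeting}, so the {@code /ABC} controller was reachable
     * anonymously, which is exactly the behaviour the question describes.
     */
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        /**
         * Tags this resource server with {@code RESOURCE_ID}; the client registration
         * uses the same id, so tokens issued for it are accepted here.
         */
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // @formatter:off
            resources
                .resourceId(RESOURCE_ID);
            // @formatter:on
        }

        /**
         * URL authorization rules. Matchers are evaluated in declaration order, so the
         * specific rules come first and the deny-by-default catch-all is last.
         *
         * @throws Exception propagated from the HttpSecurity builder
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/users").hasRole("ADMIN")
                    .antMatchers("/greeting").authenticated()
                    // The controller in this file is mounted at /ABC; it needs a token too.
                    .antMatchers("/ABC/**").authenticated()
                    // Deny-by-default: anything not listed above still requires a valid
                    // token, so a newly added controller cannot silently become public.
                    .anyRequest().authenticated();
            // @formatter:on
        }

    }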

AuthorizationServerConfiguration 类(授权服务器部分;从 protected static 修饰符看,它同样是 OAuth2ServerConfiguration 的嵌套类):

/**
 * Authorization-server side: issues and refreshes tokens for the registered client.
 *
 * <p>NOTE(review): tokens live in an {@link InMemoryTokenStore}, so every issued token
 * is lost on restart and cannot be shared across instances.
 */
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private TokenStore tokenStore = new InMemoryTokenStore();

    // The AuthenticationManager used to verify user credentials for the "password" grant.
    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    /**
     * Wires the token store, user authentication and user lookup into the token endpoint.
     *
     * @throws Exception propagated from the endpoints configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        // @formatter:off
        endpoints
            .tokenStore(this.tokenStore)
            .authenticationManager(this.authenticationManager)
            // Presumably used by the refresh_token grant to re-load the user — verify.
            .userDetailsService(userDetailsService);
        // @formatter:on
    }

    /**
     * Registers the single OAuth client allowed to call the token endpoint.
     *
     * <p>NOTE(review): the client secret is a hard-coded plaintext literal checked into
     * source. Load it from configuration instead; on newer Spring Security versions the
     * stored secret must also be encoded via a PasswordEncoder — confirm for the version
     * in use. The "password" grant hands the user's credentials to the client; it is only
     * defensible for a first-party client and has been removed from OAuth 2.1.
     *
     * @throws Exception propagated from the client details configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients
            .inMemory()
                .withClient("clientapp")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("USER")
                    .scopes("read", "write")
                    // Same id the resource server declares in its configure(ResourceServerSecurityConfigurer).
                    .resourceIds(RESOURCE_ID)
                    .secret("123456");
        // @formatter:on
    }

    /**
     * Token services backing token issuance and refresh; {@code @Primary} so this bean
     * wins over any default the framework registers.
     *
     * <p>NOTE(review): no access/refresh token validity is set, so library defaults apply,
     * and no ClientDetailsService is attached, so refresh requests are presumably not
     * re-validated against the client registration — confirm against the library version.
     */
    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setTokenStore(this.tokenStore);
        return tokenServices;
    }

}

REST 控制器:

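/**
 * CRUD endpoints for {@code Data} records, mounted at {@code /ABC}.
 *
 * <p>Whether a caller may reach these methods is decided entirely by the resource
 * server's URL rules; nothing here inspects the token, so {@code /ABC/**} must be
 * covered by an {@code authenticated()} (or stricter) matcher.
 */
@RestController
@RequestMapping("/ABC")
final class Controller {

    @Autowired
    Repository repository;

    /**
     * Creates a record from the validated request body.
     *
     * @return always {@code 1}; the persisted record is not echoed back
     */
    @RequestMapping(method = RequestMethod.POST)
    @ResponseStatus(HttpStatus.CREATED)
    int create(@RequestBody @Valid Data myData) {
        repository.create(myData);
        return 1;
    }

    /**
     * Looks up a record by the {@code number} path segment.
     *
     * @return whatever the repository returns; presumably {@code null} when unknown —
     *         confirm against {@code Repository.findByNumber}
     */
    @RequestMapping(value = "{number}", method = RequestMethod.GET)
    Data findByNumber(@PathVariable("number") String number) {
        return repository.findByNumber(number);
    }

    /**
     * Updates a record from the validated request body.
     *
     * <p>NOTE(review): the {@code {number}} path segment is neither bound nor used; the
     * record actually updated is whichever one the body identifies, so URL and body can
     * disagree. Bind {@code @PathVariable("number")} and reject a mismatch once
     * {@code Data}'s identifier accessor is known.
     *
     * @return always {@code 1}, regardless of the row count the repository reports
     */
    @RequestMapping(value = "{number}", method = RequestMethod.PUT)
    int update(@RequestBody @Valid Data myData) {
        repository.update(myData);
        return 1;
    }

    /**
     * Deletes the record identified by the {@code number} path segment.
     *
     * @return always {@code 1}
     */
    @RequestMapping(value = "{number}", method = RequestMethod.DELETE)
    int delete(@PathVariable("number") String number) {
        // Fix: the original passed an undeclared "serialNumber"; the bound variable is "number".
        repository.delete(number);
        return 1;
    }
}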

您需要添加 `.antMatchers("/ABC/**").authenticated()`。根本原因是 Spring Security 的 `authorizeRequests()` 默认放行:未被任何 matcher 覆盖的 URL 不需要令牌,而您只限制了 `/users` 和 `/greeting`。更稳妥的做法是在具体规则之后再追加 `.anyRequest().authenticated()` 作为默认拒绝的兜底规则,这样以后新增的控制器不会无意中变成公开接口。注意 matcher 按声明顺序匹配,兜底规则必须放在最后。

参见 JHipster 的 OAuth2 示例项目:

https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/java/com/mycompany/myapp/config/OAuth2ServerConfiguration.java