WebSecurityConfigurerAdapter 覆盖 EnableResourceServer?
WebSecurityConfigurerAdapter overrides EnableResourceServer?
我有完美运行的 spring 启动应用程序,它使用 spring oAuth2。当我在 main class 上使用 @EnableResourceServer 时,它运行良好。
但是要为我在下面实施的服务启用 CORS class
@Configuration
public class CorsConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
在我添加 class 之后,似乎请求未使用 oAuth 令牌进行验证。即使没有 oAuth 令牌,任何请求也可以访问服务。
我做错了什么?
我不能同时使用两者吗?有什么特别的事情可以同时工作吗?
有没有比这更好的方法来启用 CORS。 (我试过@CrossOrigin注解没用)
我不确定你为什么要使用 WebSecurityConfigurerAdapter
我认为您的问题是您没有将呼叫转发给 oAuth 进行授权。试试这个对我有用
@Configuration
public class CorsConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated();
}
@Bean
public CorsFilter corsFilter() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("resource");
}
}
这里 resources.resourceId("resource"); 应该是您在 oAuth 服务器中使用的资源
与此类似的方法
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("clinet").secret("secret").accessTokenValiditySeconds(3600).scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
}
我有完美运行的 spring 启动应用程序,它使用 spring oAuth2。当我在 main class 上使用 @EnableResourceServer 时,它运行良好。 但是要为我在下面实施的服务启用 CORS class
@Configuration
public class CorsConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
在我添加 class 之后,似乎请求未使用 oAuth 令牌进行验证。即使没有 oAuth 令牌,任何请求也可以访问服务。
我做错了什么? 我不能同时使用两者吗?有什么特别的事情可以同时工作吗? 有没有比这更好的方法来启用 CORS。 (我试过@CrossOrigin注解没用)
我不确定你为什么要使用 WebSecurityConfigurerAdapter
我认为您的问题是您没有将呼叫转发给 oAuth 进行授权。试试这个对我有用
@Configuration
public class CorsConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated();
}
@Bean
public CorsFilter corsFilter() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("resource");
}
}
这里 resources.resourceId("resource"); 应该是您在 oAuth 服务器中使用的资源
与此类似的方法
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("clinet").secret("secret").accessTokenValiditySeconds(3600).scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
}