使用 JHipster、Spring Security 和 oauth2 控制身份验证重定向
Controlling authentication redirects with JHipster, Spring Security, and oauth2
我希望能够在用户未登录时控制自动重定向到 oauth2 授权服务器。
我生成了一个 JHipster Gateway 项目,下面的代码只是它的一个副本,添加了 oAuth2ClientContextFilter 变量,即 autowired,然后我用它来 setRedirectStrategy
然而,当需要使用它时,变量是 NULL。我做错了什么?
@EnableOAuth2Sso
@Configuration
public class OAuth2SsoConfiguration extends WebSecurityConfigurerAdapter {
private final RequestMatcher authorizationHeaderRequestMatcher;
private final CorsFilter corsFilter;
@Autowired
private OAuth2ClientContextFilter oAuth2ClientContextFilter;
private final Logger log = LoggerFactory.getLogger(OAuth2SsoConfiguration.class);
public OAuth2SsoConfiguration(@Qualifier("authorizationHeaderRequestMatcher")
RequestMatcher authorizationHeaderRequestMatcher, CorsFilter corsFilter) {
this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
this.corsFilter = corsFilter;
oAuth2ClientContextFilter.setRedirectStrategy(new RedirectStrategy() {
@Override
public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
// My Code Here
}
});
}
@Bean
public AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler() {
return new AjaxLogoutSuccessHandler();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler())
.and()
.requestMatcher(new NegatedRequestMatcher(authorizationHeaderRequestMatcher))
.authorizeRequests()
.antMatchers("/api/profile-info").permitAll()
.antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
.anyRequest().permitAll();
}
}
混合自动装配策略(字段自动装配和构造函数自动装配)并不好,因为构造发生在 @Autowired 之前。所以要么将过滤器注入构造函数:
private OAuth2ClientContextFilter oAuth2ClientContextFilter;
public OAuth2SsoConfiguration(
@Qualifier("authorizationHeaderRequestMatcher")RequestMatcher authorizationHeaderRequestMatcher,
CorsFilter corsFilter,
OAuth2ClientContextFilter oAuth2ClientContextFilter
) {
this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
this.corsFilter = corsFilter;
this.oAuth2ClientContextFilter = oAuth2ClientContextFilter;
.....
}
或将 RequestMatcher 和 CorsFilter 移出构造函数参数并表示它们 @Autowired
我希望能够在用户未登录时控制自动重定向到 oauth2 授权服务器。
我生成了一个 JHipster Gateway 项目,下面的代码只是它的一个副本,添加了 oAuth2ClientContextFilter 变量,即 autowired,然后我用它来 setRedirectStrategy
然而,当需要使用它时,变量是 NULL。我做错了什么?
@EnableOAuth2Sso
@Configuration
public class OAuth2SsoConfiguration extends WebSecurityConfigurerAdapter {
private final RequestMatcher authorizationHeaderRequestMatcher;
private final CorsFilter corsFilter;
@Autowired
private OAuth2ClientContextFilter oAuth2ClientContextFilter;
private final Logger log = LoggerFactory.getLogger(OAuth2SsoConfiguration.class);
public OAuth2SsoConfiguration(@Qualifier("authorizationHeaderRequestMatcher")
RequestMatcher authorizationHeaderRequestMatcher, CorsFilter corsFilter) {
this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
this.corsFilter = corsFilter;
oAuth2ClientContextFilter.setRedirectStrategy(new RedirectStrategy() {
@Override
public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
// My Code Here
}
});
}
@Bean
public AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler() {
return new AjaxLogoutSuccessHandler();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler())
.and()
.requestMatcher(new NegatedRequestMatcher(authorizationHeaderRequestMatcher))
.authorizeRequests()
.antMatchers("/api/profile-info").permitAll()
.antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
.anyRequest().permitAll();
}
}
混合自动装配策略(字段自动装配和构造函数自动装配)并不好,因为构造发生在 @Autowired 之前。所以要么将过滤器注入构造函数:
private OAuth2ClientContextFilter oAuth2ClientContextFilter;
public OAuth2SsoConfiguration(
@Qualifier("authorizationHeaderRequestMatcher")RequestMatcher authorizationHeaderRequestMatcher,
CorsFilter corsFilter,
OAuth2ClientContextFilter oAuth2ClientContextFilter
) {
this.authorizationHeaderRequestMatcher = authorizationHeaderRequestMatcher;
this.corsFilter = corsFilter;
this.oAuth2ClientContextFilter = oAuth2ClientContextFilter;
.....
}
或将 RequestMatcher 和 CorsFilter 移出构造函数参数并表示它们 @Autowired