spring-security-oauth2 授权端点被授权服务器阻止
spring-security-oauth2 authorization endpoint gets blocked by authorizationserver
我已经安静地进行了大量研究和调试,但我无法弄清楚以下破坏我的授权端点的行为...
我创建了一个简单的授权服务器配置,如下所示:
@EnableWebSecurity
@Configuration
@Order(4)
public class OpenIdConnectConfiguration extends WebSecurityConfigurerAdapter
{
/**
* {@inheritDoc}
*/
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf()
.disable()
.authorizeRequests()
.antMatchers(ContextPaths.LOGIN,
ContextPaths.AUTHORIZATION_ENDPOINT,
ContextPaths.TOKEN_ENDPOINT,
SamlRedirectContextPaths.SAML_CONSUMER_URL,
SamlRedirectContextPaths.USER_REDIRECT_ENDPOINT)
.permitAll()
.and()
.formLogin()
.loginPage(ContextPaths.LOGIN + "?npa");
}
/**
* authorization server configuration for Open ID Connect
*/
@Configuration
@EnableAuthorizationServer
protected static class AuthorisationServerConfiguration extends AuthorizationServerConfigurerAdapter
{
...
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
{
super.configure(security);
security.sslOnly();
}
/**
* {@inheritDoc}
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
{
super.configure(clients);
clients.withClientDetails(customClientDetails);
}
/**
* {@inheritDoc}
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
{
endpoints.authorizationCodeServices(new CustomInMemoryAuthCodeService(cacheManager));
endpoints.tokenStore(new CustomTokenStore(cacheManager));
endpoints.pathMapping("/oauth/authorize", ContextPaths.AUTHORIZATION_ENDPOINT);
endpoints.pathMapping("/oauth/token", ContextPaths.TOKEN_ENDPOINT);
}
}
...
}
使用此配置一切正常,可以使用授权码获取我的授权码和访问令牌。但是,如果我现在启用资源服务器,我的应用程序会因添加到安全过滤器链中的新过滤器而中断,我无法弄清楚问题出在哪里。
我的资源服务器配置如下:
@EnableResourceServer
@Order(5)
@Configuration
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
{
@Override
public void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests()
.antMatchers("/oic/user-info")
.authenticated();
}
}
有了这个,我可以毫无问题地为用户执行身份验证机制,但情况是 AuthorizationEndpoint 获得了 AnonymousAuthenticationToken。我将登录用户手动放入 spring 安全上下文中:
SecurityContextHolder.getContext().setAuthentication(authentication);
如果我在 "org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint"
中进行一些调试
我可以看到我的 CustomAuthentication 不再在此安全上下文中。它被删除并被 AnonymousAuthenticationToken 取代。如果我启用资源服务器,有人知道为什么这个 authenticationObject 会被覆盖吗?
经过大量调试,我找到了解决方案。 ResourceServerConfiguration 需要一个额外的条目:
/**
* the resource server configuration for the user-info endpoint
*/
@Override
public void configure(HttpSecurity http) throws Exception
{
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and()
.authorizeRequests()
.antMatchers(ContextPaths.USER_INFO_ENDPOINT)
.authenticated();
}
这样就可以了
我已经安静地进行了大量研究和调试,但我无法弄清楚以下破坏我的授权端点的行为...
我创建了一个简单的授权服务器配置,如下所示:
@EnableWebSecurity
@Configuration
@Order(4)
public class OpenIdConnectConfiguration extends WebSecurityConfigurerAdapter
{
/**
* {@inheritDoc}
*/
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf()
.disable()
.authorizeRequests()
.antMatchers(ContextPaths.LOGIN,
ContextPaths.AUTHORIZATION_ENDPOINT,
ContextPaths.TOKEN_ENDPOINT,
SamlRedirectContextPaths.SAML_CONSUMER_URL,
SamlRedirectContextPaths.USER_REDIRECT_ENDPOINT)
.permitAll()
.and()
.formLogin()
.loginPage(ContextPaths.LOGIN + "?npa");
}
/**
* authorization server configuration for Open ID Connect
*/
@Configuration
@EnableAuthorizationServer
protected static class AuthorisationServerConfiguration extends AuthorizationServerConfigurerAdapter
{
...
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
{
super.configure(security);
security.sslOnly();
}
/**
* {@inheritDoc}
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
{
super.configure(clients);
clients.withClientDetails(customClientDetails);
}
/**
* {@inheritDoc}
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
{
endpoints.authorizationCodeServices(new CustomInMemoryAuthCodeService(cacheManager));
endpoints.tokenStore(new CustomTokenStore(cacheManager));
endpoints.pathMapping("/oauth/authorize", ContextPaths.AUTHORIZATION_ENDPOINT);
endpoints.pathMapping("/oauth/token", ContextPaths.TOKEN_ENDPOINT);
}
}
...
}
使用此配置一切正常,可以使用授权码获取我的授权码和访问令牌。但是,如果我现在启用资源服务器,我的应用程序会因添加到安全过滤器链中的新过滤器而中断,我无法弄清楚问题出在哪里。
我的资源服务器配置如下:
@EnableResourceServer
@Order(5)
@Configuration
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
{
@Override
public void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests()
.antMatchers("/oic/user-info")
.authenticated();
}
}
有了这个,我可以毫无问题地为用户执行身份验证机制,但情况是 AuthorizationEndpoint 获得了 AnonymousAuthenticationToken。我将登录用户手动放入 spring 安全上下文中:
SecurityContextHolder.getContext().setAuthentication(authentication);
如果我在 "org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint"
中进行一些调试我可以看到我的 CustomAuthentication 不再在此安全上下文中。它被删除并被 AnonymousAuthenticationToken 取代。如果我启用资源服务器,有人知道为什么这个 authenticationObject 会被覆盖吗?
经过大量调试,我找到了解决方案。 ResourceServerConfiguration 需要一个额外的条目:
/**
* the resource server configuration for the user-info endpoint
*/
@Override
public void configure(HttpSecurity http) throws Exception
{
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and()
.authorizeRequests()
.antMatchers(ContextPaths.USER_INFO_ENDPOINT)
.authenticated();
}
这样就可以了