如何在我的 Spring Boot Security OAuth2 应用程序中仅为某些 类 启用 OAuth2?
How do I enable OAuth2 for only certain classes in my Spring Boot Security OAuth2 app?
我按照本指南添加了 OAuth2
https://spring.io/guides/tutorials/bookmarks/#_securing_a_rest_service
但现在它要求对每个页面进行身份验证!
$ curl -s http://localhost:8080/login
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
我只想在一个特定的 class 中对 API 使用 OAuth2。我尝试阅读 Spring Boot
的参考资料
但是一点帮助也没有!它给出了 0 个例子。
To customize it you normally use external properties and beans of type WebSecurityConfigurerAdapter (e.g. to add form-based login).
All of the above can be switched on and off or modified using external properties (security.*). To override the access rules without changing any other auto-configured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.
如何自定义?! 哪个属性?! 如何配置以满足您的需求?!
我尝试设置 application.properties
security.basic.enabled = false
security.ignored = /login
但它仍然需要OAuth2认证。我只想为 class IShortUrlApiInteface 启用 OAuth2 并为所有其他 @Controllers.
禁用它
在您的情况下,您需要设置登录URI 的权限。
如果你是微服务架构,你需要在每个 project/service 中创建资源配置。
- security.oauth2.resource.user-info-uri 定义授权服务 URI
- clientId 定义您的实际客户 ID
在oauth中对于每一个资源服务器都需要创建唯一的resource-id
下面是资源服务器的例子。
@配置
@EnableResourceServer
public class ResourceConfig 扩展 ResourceServerConfigurerAdapter {
@Value("${security.oauth2.resource.user-info-uri}")
私人字符串 userInfoUri;
@Value("${client-id}")
private String clientId;
@Override
public void configure(final ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("ig-user");
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/v1/user/activate/**").permitAll()//
.antMatchers("/api/v1/user/access/check/**").permitAll()//
.antMatchers("/api/v1/profile/exists/**").permitAll()//
.antMatchers("/api/v1/user/sign-up/**").permitAll()//
.antMatchers("/download/**").permitAll()//
.anyRequest().authenticated();
}
@Primary
@Bean
public UserInfoTokenServices tokenService() {
final UserInfoTokenServices tokenService = new UserInfoTokenServices(userInfoUri, clientId);
return tokenService;
}
}
创建一个 new class,扩展 ResourceServerConfigurerAdapter,并覆盖方法 configure(HttpSecurity)。
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
String [] ignoredPaths = new String[]{
"/robots.txt", "/error", "/login", "/doLogut", "/home", "/pageNotFound",
"/css/**", "/js/**", "/fonts/**", "/img/**", ...
};
@Override
public void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers(ignoredPaths).permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
我按照本指南添加了 OAuth2
https://spring.io/guides/tutorials/bookmarks/#_securing_a_rest_service
但现在它要求对每个页面进行身份验证!
$ curl -s http://localhost:8080/login
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
我只想在一个特定的 class 中对 API 使用 OAuth2。我尝试阅读 Spring Boot
的参考资料但是一点帮助也没有!它给出了 0 个例子。
To customize it you normally use external properties and beans of type WebSecurityConfigurerAdapter (e.g. to add form-based login).
All of the above can be switched on and off or modified using external properties (security.*). To override the access rules without changing any other auto-configured features add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.
如何自定义?! 哪个属性?! 如何配置以满足您的需求?!
我尝试设置 application.properties
security.basic.enabled = false
security.ignored = /login
但它仍然需要OAuth2认证。我只想为 class IShortUrlApiInteface 启用 OAuth2 并为所有其他 @Controllers.
在您的情况下,您需要设置登录URI 的权限。 如果你是微服务架构,你需要在每个 project/service 中创建资源配置。
- security.oauth2.resource.user-info-uri 定义授权服务 URI
- clientId 定义您的实际客户 ID
在oauth中对于每一个资源服务器都需要创建唯一的resource-id 下面是资源服务器的例子。
@配置 @EnableResourceServer
public class ResourceConfig 扩展 ResourceServerConfigurerAdapter { @Value("${security.oauth2.resource.user-info-uri}") 私人字符串 userInfoUri;@Value("${client-id}") private String clientId; @Override public void configure(final ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId("ig-user"); } @Override public void configure(final HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/api/v1/user/activate/**").permitAll()// .antMatchers("/api/v1/user/access/check/**").permitAll()// .antMatchers("/api/v1/profile/exists/**").permitAll()// .antMatchers("/api/v1/user/sign-up/**").permitAll()// .antMatchers("/download/**").permitAll()// .anyRequest().authenticated(); } @Primary @Bean public UserInfoTokenServices tokenService() { final UserInfoTokenServices tokenService = new UserInfoTokenServices(userInfoUri, clientId); return tokenService; }}
创建一个 new class,扩展 ResourceServerConfigurerAdapter,并覆盖方法 configure(HttpSecurity)。
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
String [] ignoredPaths = new String[]{
"/robots.txt", "/error", "/login", "/doLogut", "/home", "/pageNotFound",
"/css/**", "/js/**", "/fonts/**", "/img/**", ...
};
@Override
public void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers(ignoredPaths).permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}