1
我试图用OAuth 2创建一个服务器,但我遇到了问题。我配置了OAuth,用户可以授权并获取令牌,但REST方法始终可访问,例如,用户可以在未授权时使用POST方法。在Java中配置OAuth 2 Spring Boot
如何配置OAuth,以便REST方法仅在用户授权时运行?
这是怎么了我的一些代码,看起来像(我用这个example code):
OAuthConfiguration类
@Configuration
public class OAuth2ServerConfiguration {
private static final String RESOURCE_ID = "restservice";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
// @formatter:off
resources
.resourceId(RESOURCE_ID);
// @formatter:on
}
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/users").hasRole("ADMIN")
.antMatchers("/greeting").authenticated();
// @formatter:on
}
}
AuthorizationServerConfiguration类:
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
private TokenStore tokenStore = new InMemoryTokenStore();
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private CustomUserDetailsService userDetailsService;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
// @formatter:off
endpoints
.tokenStore(this.tokenStore)
.authenticationManager(this.authenticationManager)
.userDetailsService(userDetailsService);
// @formatter:on
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password", "refresh_token")
.authorities("USER")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("123456");
// @formatter:on
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(this.tokenStore);
return tokenServices;
}
}
休息控制器:
@RestController
@RequestMapping("/ABC")
final class Controller {
@Autowired
Repository repository;
@RequestMapping(method = RequestMethod.POST)
@ResponseStatus(HttpStatus.CREATED)
int create(@RequestBody @Valid Data myData) {
repository.create(myData);
return 1;
}
@RequestMapping(value = "{number}", method = RequestMethod.GET)
Data findByNumber(@PathVariable("number") String number) {
Data data = repository.findByNumber(number);
return data;
}
@RequestMapping(value = "{number}", method = RequestMethod.PUT)
int update(@RequestBody @Valid Data myData) {
int rows = repository.update(myData);
return 1;
}
@RequestMapping(value = "{number}", method = RequestMethod.DELETE)
int delete(@PathVariable("number") String number) {
repository.delete(serialNumber);
return 1;
}
}
谢谢你,它的工作!一个小题目,但是你也许知道用户输入授权的密码是否可以从服务器访问? – Someone
我不确定你的新问题的答案。取决于您是否将resourceServer和authorizationServer视为同一台服务器。资源服务器应该不需要知道有关凭证。如果认为正确,请接受上面的答案。谢谢 – sdoxsee