2015-09-27 96 views
1

I am trying to build a server with OAuth 2, but I have run into a problem. I configured OAuth, and a user can authorize and obtain a token, but the REST methods are always accessible: for example, a user can call the POST method without being authorized. Configuring OAuth 2 with Spring Boot in Java.

How do I configure OAuth so that the REST methods only run when the user is authorized?

Here is what some of my code looks like (I used this example code):

OAuthConfiguration class

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "restservice";

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Only /users and /greeting are matched here; /ABC (the controller
            // below) is not listed, so requests to it are not restricted.
            http
                .authorizeRequests()
                    .antMatchers("/users").hasRole("ADMIN")
                    .antMatchers("/greeting").authenticated();
        }
    }

    // The AuthorizationServerConfiguration is nested in this same outer class
    // in the sample this is based on, so it can see RESOURCE_ID.
}

AuthorizationServerConfiguration class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

// Nested inside OAuth2ServerConfiguration (hence "protected static" and the
// access to RESOURCE_ID); shown separately here.
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Tokens are kept in memory only; they are lost on restart.
    private TokenStore tokenStore = new InMemoryTokenStore();

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
            .tokenStore(this.tokenStore)
            .authenticationManager(this.authenticationManager)
            .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client using the password and refresh_token grants.
        clients
            .inMemory()
                .withClient("clientapp")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("USER")
                    .scopes("read", "write")
                    .resourceIds(RESOURCE_ID)
                    .secret("123456");
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setTokenStore(this.tokenStore);
        return tokenServices;
    }

}

REST controller:

import javax.validation.Valid;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/ABC")
final class Controller {

    @Autowired
    Repository repository;

    @RequestMapping(method = RequestMethod.POST)
    @ResponseStatus(HttpStatus.CREATED)
    int create(@RequestBody @Valid Data myData) {
        repository.create(myData);
        return 1;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.GET)
    Data findByNumber(@PathVariable("number") String number) {
        Data data = repository.findByNumber(number);
        return data;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.PUT)
    int update(@RequestBody @Valid Data myData) {
        int rows = repository.update(myData);
        return 1;
    }

    @RequestMapping(value = "{number}", method = RequestMethod.DELETE)
    int delete(@PathVariable("number") String number) {
        // Was "serialNumber", which is not declared in this method.
        repository.delete(number);
        return 1;
    }
}

Answer

1

You want to add .antMatchers("/ABC/**").authenticated()

See the jhipster oauth2 sample, for example:

https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/java/com/mycompany/myapp/config/OAuth2ServerConfiguration.java

+0

Thank you, it works! A small side question, but do you perhaps know whether the password the user enters to authorize can be accessed from the server? – Someone

+0

I'm not sure of the answer to your new question. It depends on whether you treat the resourceServer and authorizationServer as the same server. The resource server should not need to know anything about the credentials. If you think this is right, please accept the answer above. Thanks – sdoxsee