Spring oauth2已拒绝访问
作者:互联网
我是OAuth2的新手,并尝试在角色auth.server中构建一个服务器来授权用户和一个保留受保护资源的服务器…
我有使用ResourceServerConfigurerAdapter保护的问题.看起来他忽略了从userInfoUrl获取所有角色…
所以这里的代码:
AuthServer
@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {
@RequestMapping("/user")
public Principal user(Principal user) {
return user;
}
public static void main(String[] args) {
SpringApplication.run(Oa2AuthServerApplication.class, args);
}
}
__
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password("admin")
.roles("ADMIN", "USER")
.and()
.withUser("user")
.password("user")
.roles("USER");
}
}
__
@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("default")
.secret("kx")
.scopes("AUTH", "TRUST")
.autoApprove(true)
.authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
.authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
}
}
ResourceServer
@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {
@RequestMapping("/")
public String greet() {
return UUID.randomUUID().toString() + "\r\n";
}
@RequestMapping("/forAdmin")
public String admin() {
return "hi admin!";
}
public static void main(String[] args) {
SpringApplication.run(Oa2ResourceServerApplication.class, args);
}
}
因此,从authserver调用“localhost:9091 /”和“/ forAdmin”获取令牌可以使用此令牌.
但是当我这样做时:
public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/forAdmin").hasRole("USER");
}
我被拒绝访问….
可以肯定的是,角色正在到达资源服务器,我已经从上面更改了geet()
@RequestMapping("/")
public String greet(Principal user) {
if (user instanceof OAuth2Authentication) {
log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
}
return UUID.randomUUID().toString() + "\r\n";
}
和控制台显示
d.k.auth.Oa2ResourceServerApplication:具有角色:[{authority = ROLE_USER}]
因此,当“Principal”是当前经过身份验证的用户时,我认为resourceserverer配置程序存在错误….或者我正在做一些致命的错误…
或两者……我不知道
有没有人可以帮我解决这个问题?
解决方法:
所以JWT是必要的,没有它不起作用.
我用组合解决了它:
@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")
您可以找到受保护资源here的示例.
标签:spring,spring-cloud-2,spring-oauth2 来源: https://codeday.me/bug/20190528/1167861.html