其他分享
首页 > 其他分享> > Spring oauth2已拒绝访问

Spring oauth2已拒绝访问

作者:互联网

我是OAuth2的新手,并尝试在角色auth.server中构建一个服务器来授权用户和一个保留受保护资源的服务器…

我有使用ResourceServerConfigurerAdapter保护的问题.看起来他忽略了从userInfoUrl获取所有角色…

所以这里的代码:

AuthServer

@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {

    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }
    public static void main(String[] args) {
        SpringApplication.run(Oa2AuthServerApplication.class, args);
    }
}

__

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .roles("ADMIN", "USER")
                .and()
                .withUser("user")
                .password("user")
                .roles("USER");
    }
}

__

@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("default")
                .secret("kx")
                .scopes("AUTH", "TRUST")
                .autoApprove(true)
                .authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
                .authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
    }
}

ResourceServer

@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {
    @RequestMapping("/")
    public String greet() {
        return UUID.randomUUID().toString() + "\r\n";
    }

    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }


    public static void main(String[] args) {
        SpringApplication.run(Oa2ResourceServerApplication.class, args);
    }
}

因此,从authserver调用“localhost:9091 /”和“/ forAdmin”获取令牌可以使用此令牌.

但是当我这样做时:

public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/forAdmin").hasRole("USER");
    }

我被拒绝访问….

可以肯定的是,角色正在到达资源服务器,我已经从上面更改了geet()

@RequestMapping("/")
    public String greet(Principal user) {
        if (user instanceof OAuth2Authentication) {
            log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
        }
        return UUID.randomUUID().toString() + "\r\n";
    }

和控制台显示

d.k.auth.Oa2ResourceServerApplication:具有角色:[{authority = ROLE_USER}]

因此,当“Principal”是当前经过身份验证的用户时,我认为resourceserverer配置程序存在错误….或者我正在做一些致命的错误…

或两者……我不知道

有没有人可以帮我解决这个问题?

解决方法:

所以JWT是必要的,没有它不起作用.

我用组合解决了它:

@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")

您可以找到受保护资源here的示例.

标签:spring,spring-cloud-2,spring-oauth2
来源: https://codeday.me/bug/20190528/1167861.html