如何要求对 Spring OAuth 端点进行 x509 身份验证



我正在使用 Spring 4.0 的 Java 配置。

我想在我的 OAuth 端点上要求 x509 身份验证，而所有其他资源端点只需要 OAuth 令牌。第一个 antMatchers 似乎被覆盖了：

/**
 * Single resource-server configuration that tries to apply two different
 * policies on one {@link HttpSecurity}: x509 client-certificate
 * authentication for {@code /oauth/**} and a plain role check for every
 * other resource URI.
 */
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
  // Supplies the URI patterns of the non-OAuth resource endpoints.
  @Autowired
  RequestMappingUriProvider requestMappingUriProvider;
  // Backs the x509 user-details lookup exposed as a bean below.
  @Autowired
  private DelegatedUserManager userManager;
  /** Registers this server's resource id with the OAuth resource configurer. */
  @Override
  public void configure(ResourceServerSecurityConfigurer resources) {
    // @formatter:off
    resources.resourceId(RESOURCE_ID);
    // @formatter:on
  }
  /**
   * Builds the filter chain for both the OAuth endpoints and the plain resource endpoints.
   *
   * NOTE(review): every {@code .and()} appears to hand back the same {@code http} builder,
   * so the second {@code requestMatchers().antMatchers(...)} presumably widens the first
   * matcher set and {@code authorizeRequests()} is applied twice to one chain instead of
   * two separate chains being produced - which would explain why no {@code /oauth/**}
   * request shows up under the x509 filter in the debug output. Confirm against the
   * Spring Security builder semantics.
   *
   * @param http the builder for this adapter's filter chain
   * @throws Exception propagated from the Spring Security builder
   */
  @Override
  public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    // Require x509 certificate for obtaining OAuth credentials
    http.requestMatchers().antMatchers("/oauth/**")
        .and()
        .authorizeRequests().anyRequest().hasAnyRole("USER","CLIENT")
        .and()
        // The principal is the CN of the presented client certificate.
        // NOTE(review): the regex requires a comma after the CN value; a subject whose
        // CN is the last RDN would not match - confirm with the certificates in use.
        .x509().subjectPrincipalRegex("CN=(.*?),").authenticationUserDetailsService(authenticationUserDetailsService())
        .and()
        //Only require a user role for interaction with all other resources
        .requestMatchers().antMatchers(requestMappingUriProvider.uriPatterns())
        .and()
        .authorizeRequests().anyRequest().hasRole("USER");
    // @formatter:on
  }
  /** Exposes the x509 user-details service, delegating lookups to {@code userManager}. */
  @Bean
  public DelegatedAuthenticationUserDetailsService authenticationUserDetailsService() {
    return new DelegatedAuthenticationUserDetailsService(userManager);
  }
}

Spring 的调试输出没有显示任何 /oauth/** 端点在 x509 过滤器链中被检查。

我的问题在于我需要多个 HttpSecurity 元素。这篇文章帮助了我：在 Spring Security Java Config 中创建多个 HTTP 部分

以下是我如何实现它:

  /**
   * Resource-server security split into two adapters so that the
   * {@code /oauth/**} endpoints and the remaining resource endpoints are
   * configured independently instead of on one shared {@link HttpSecurity}.
   */
  @Configuration
  @EnableResourceServer
  public static class ResourceServerConfiguration {

    /**
     * Protects the OAuth endpoints: a client certificate is required and the
     * certificate's CN is resolved through {@link DelegatedAuthenticationUserDetailsService}.
     */
    @Configuration
    @Order(1)
    public static class OAuthResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
      // Backs the x509 user-details lookup exposed as a bean below.
      @Autowired
      private DelegatedUserManager userManager;

      /** Registers this server's resource id with the OAuth resource configurer. */
      @Override
      public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
      }

      /**
       * Applies x509 authentication to every request under {@code /oauth/**} and
       * requires the caller to hold the USER or CLIENT role.
       *
       * @param http the builder for this adapter's filter chain
       * @throws Exception propagated from the Spring Security builder
       */
      @Override
      public void configure(HttpSecurity http) throws Exception {
        // Scope this chain to the OAuth endpoints only.
        http.requestMatchers().antMatchers("/oauth/**");
        // Either role may obtain OAuth credentials.
        http.authorizeRequests().anyRequest().hasAnyRole("USER","CLIENT");
        // The principal is the CN of the presented client certificate.
        // NOTE(review): the regex requires a comma after the CN value; a subject whose
        // CN is the last RDN would not match - confirm with the certificates in use.
        http.x509()
            .subjectPrincipalRegex("CN=(.*?),")
            .authenticationUserDetailsService(authenticationUserDetailsService());
      }

      /** Exposes the x509 user-details service, delegating lookups to {@code userManager}. */
      @Bean
      public DelegatedAuthenticationUserDetailsService authenticationUserDetailsService() {
        return new DelegatedAuthenticationUserDetailsService(userManager);
      }
    }

    /**
     * Protects all other resource endpoints with a plain USER role check.
     *
     * NOTE(review): unlike the adapter above this class carries no {@code @Configuration}
     * or {@code @Order}; confirm it is actually registered as a bean, otherwise the
     * resource URIs it covers receive no policy from this configuration.
     */
    public static class MyResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
      // Supplies the URI patterns of the non-OAuth resource endpoints.
      @Autowired
      RequestMappingUriProvider requestMappingUriProvider;

      /** Registers this server's resource id with the OAuth resource configurer. */
      @Override
      public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
      }

      /**
       * Requires the USER role on every request matching the provided URI patterns.
       *
       * @param http the builder for this adapter's filter chain
       * @throws Exception propagated from the Spring Security builder
       */
      @Override
      public void configure(HttpSecurity http) throws Exception {
        // Scope this chain to the resource endpoints reported by the provider.
        http.requestMatchers().antMatchers(requestMappingUriProvider.uriPatterns());
        // A user role is all that is needed for these resources.
        http.authorizeRequests().anyRequest().hasRole("USER");
      }
    }
  }
