I followed part five of the Spring Boot security getting-started guide to secure my RESTful microservices.
The simple flow I intend to implement is: if the user is not authenticated, they are redirected to a custom login page, say /login.
The user provides their credentials.
After successful authentication, the user is redirected to the home page (/home), and I should then be able to access my REST endpoints.
The getting-started guide mentioned above uses basic authentication with a dummy user configured in the .properties or .yml file.
I configured it like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("acme").secret("acmesecret")
            .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
            .accessTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("isAnonymous()").checkTokenAccess("isAnonymous()")
            .allowFormAuthenticationForClients();
    }
}
```

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@Import({ OptoSoftSecurityServiceConfig.class })
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // backed by MongoDB

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // disabled basic auth and configured to use the default Spring Security form login
        http.httpBasic().disable().formLogin();
    }
}
```
Hitting the authorize endpoint redirects me to 'http://localhost:9999/uaa/login' with this error message:
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
How do I configure the authorization server to use the UserDetailsService with form login instead of basic auth?
How do I configure auto-approval while using 'authorization_code' as the grant type?
Does the /oauth/authorize endpoint have to be protected by basic authentication? Why is "full authentication" required to access the /oauth/authorize endpoint? I believe we don't know who the user is before this endpoint. The user can only be identified once they have authenticated with valid credentials through the form login.
Finally fixed it. The git repository from the blog mentioned above already has this configured. It turned out to be fairly straightforward.
This is what worked for me (I also configured auto-approve to true):
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * @author kumar
 *
 */
@SpringBootApplication
public class AuthenticationServerApplication {

    /**
     * @param args
     */
    public static void main(String[] args) {
        SpringApplication.run(AuthenticationServerApplication.class, args);
    }

    @Configuration
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // the login form itself is open; everything else (including /oauth/authorize) needs an authenticated user
            http.formLogin().permitAll().and().authorizeRequests().anyRequest().authenticated();//.and().userDetailsService(yourCustomerUserDetailsService);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.parentAuthenticationManager(authenticationManager);
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory().withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openid")
                .autoApprove(true);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }
    }
}
```
application.yml:

```yaml
security:
  user:
    password: password
server:
  port: 9999
  context-path: /uaa
```
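As an added example (not code from the question, the answer or the referenced tutorial), the same client registration and endpoint security as in the answer above, tightened in the ways a reviewer would ask for: the redirect URI is registered so authorization codes are only sent back to the known client, auto-approval is limited to the one scope the client needs, the client secret is stored encoded instead of as plain `acmesecret`, and token lifetimes are bounded. The class name and the `https://client.example/login` redirect URI are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class HardenedOAuth2Config extends AuthorizationServerConfigurerAdapter { // assumed name
    @Autowired
    private AuthenticationManager authenticationManager; // the form-login manager, as in the answer
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("acme")
            // store the secret encoded; the client still presents the plaintext "acmesecret"
            .secret(encoder.encode("acmesecret"))
            // redirect-based flow plus refresh only; no "password" grant for a browser client
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("openid")
            // assumption: the client's callback; authorization codes go only to this exact URI
            .redirectUris("https://client.example/login")
            // auto-approve just this scope rather than autoApprove(true) for everything
            .autoApprove("openid")
            .accessTokenValiditySeconds(3600)
            .refreshTokenValiditySeconds(86400);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer
            // client secrets are verified with the same encoder used above
            .passwordEncoder(encoder)
            .tokenKeyAccess("permitAll()")
            // /oauth/check_token requires an authenticated client, as in the answer
            .checkTokenAccess("isAuthenticated()");
    }
}
```

With this in place, the /oauth/authorize request still goes through the form login from LoginConfig, but a request whose redirect_uri does not match the registered one is rejected before any code is issued.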