今天我将spring-boot-starter-parent的版本从1.4.2升级到1.5.2.
变化让我很困惑.
之前,我可以使用Postman测试我的REST API.当我的访问令牌不正确或我没有特定资源的权限时,服务器响应如下:
{
"error": "access_denied","error_description": "Access is denied"
}
现在它一直将我重定向到/登录页面…当我登录时 – 它显示我的资源而没有任何OAuth2身份验证…
我试图禁用它,我发现了这个神奇的属性:
security.oauth2.resource.filter-order = 3
但是,我的问题是:
>这两个版本在安全方面发生了什么?
>这个“奇怪的”线是唯一有效的修复吗?
>这个登录页面的目的是什么以及它正在使用什么身份验证(我检查了Google Chrome中的请求和响应,我看不到任何访问令牌和oauth2的内容,所以它只使用用户存储库?)
我的代码中一些更重要的部分:
的pom.xml
<!--- .... -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.2.RELEASE</version>
</parent>
<properties>
<!--- .... -->
<spring-security-oauth.version>2.1.0.RELEASE</spring-security-oauth.version>
<!--- .... -->
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Monitor features -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-actuator</artifactId>
</dependency>
<!-- Security + OAuth2 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>${spring-security-oauth.version}</version>
</dependency>
<!--- .... -->
application.properties
#other properties security.oauth2.resource.filter-order = 3
OAuth2.java
public class OAuth2 {
@EnableAuthorizationServer
@Configuration
@ComponentScan
public static class AuthorizationServer extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManagerBean;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("trusted_client")
.authorizedGrantTypes("password","refresh_token")
.scopes("read","write");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManagerBean).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
}
@EnableResourceServer
@Configuration
@ComponentScan
public static class ResourceServer extends ResourceServerConfigurerAdapter {
@Autowired
private RoleHierarchy roleHierarchy;
private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy);
return defaultWebSecurityExpressionHandler;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().expressionHandler(webExpressionHandler())
.antMatchers("/api/**").hasRole("DEVELOPER");
}
}
}
Security.java
@EnableWebSecurity @Configuration @ComponentScan public class Security extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Bean public JpaAccountDetailsService userDetailsService(AccountsRepository accountsRepository) { return new JpaAccountDetailsService(accountsRepository); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public PasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder(); } }
解决方法
@Cleto Gadelha向我指出了非常有用的信息.
但是我觉得发行说明很不清楚或遗漏了一些信息.除了OAuth2资源过滤器从3更改为SecurityProperties.ACCESS_OVERRIDE_ORDER – 1之外,关键信息是默认WebSecurityConfigurerAdapter顺序为100 (source).
因此,在1.5.x版之前,OAuth2资源服务器顺序为3,其优先级高于WebSecurityConfigurerAdapter.
发布1.5.x后,OAuth2资源服务器顺序设置为SecurityProperties.ACCESS_OVERRIDE_ORDER – 1
(我认为是Integer.MAX_VALUE – 8),它的优先级现在肯定低于基本的WebSecurityConfigurerAdapter顺序.
这就是为什么从1.4.x迁移到1.5.x后,我会看到登录页面的原因
因此,更优雅和类似Java的样式解决方案是在WebSecurityConfigurerAdapter类上设置@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
原文地址:https://www.jb51.cc/springboot/126889.html
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
