[Question title]: Configuring OAuth 2 in Java Spring Boot
[Posted]: 2015-12-25 02:04:41
[Question]:

I am trying to create a server using OAuth 2 and have run into a problem. I configured OAuth, and the user can authorize and obtain a token, but the REST methods are always accessible; for example, the user can call the POST method without being authorized.

How do I configure OAuth so that the REST methods only run when the user is authorized?

This is what some of my code looks like (I used this example code):

OAuthConfiguration class

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "restservice";

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // @formatter:off
            // Only tokens issued for this resource id are accepted.
            resources
                .resourceId(RESOURCE_ID);
            // @formatter:on
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            // Access rules: only /users and /greeting are listed here.
            // Paths that match no rule (such as /ABC) get no access decision.
            http
                .authorizeRequests()
                    .antMatchers("/users").hasRole("ADMIN")
                    .antMatchers("/greeting").authenticated();
            // @formatter:on
        }

    }

    // The nested AuthorizationServerConfiguration shown next lives in this same
    // outer class; the outer class is closed after it.

AuthorizationServerConfiguration class:

// Nested inside OAuth2ServerConfiguration above, which supplies RESOURCE_ID.
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // In-memory store: tokens are lost on restart and not shared between instances.
    private TokenStore tokenStore = new InMemoryTokenStore();

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        // @formatter:off
        // The authentication manager is needed for the password grant;
        // the user details service is needed to refresh tokens.
        endpoints
            .tokenStore(this.tokenStore)
            .authenticationManager(this.authenticationManager)
            .userDetailsService(userDetailsService);
        // @formatter:on
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        // Single in-memory client; "123456" is a demo secret, not a production value.
        clients
            .inMemory()
                .withClient("clientapp")
                    .authorizedGrantTypes("password", "refresh_token")
                    .authorities("USER")
                    .scopes("read", "write")
                    .resourceIds(RESOURCE_ID)
                    .secret("123456");
        // @formatter:on
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setTokenStore(this.tokenStore);
        return tokenServices;
    }

}

} // end of OAuth2ServerConfiguration

REST controller:

import javax.validation.Valid;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Every handler here is mounted under /ABC, which the resource server
// configuration above never mentions.
@RestController
@RequestMapping("/ABC")
final class Controller {

    @Autowired
    Repository repository;

    // POST /ABC
    @RequestMapping(method = RequestMethod.POST)
    @ResponseStatus(HttpStatus.CREATED)
    int create(@RequestBody @Valid Data myData) {
        repository.create(myData);
        return 1;
    }

    // GET /ABC/{number}
    @RequestMapping(value = "{number}", method = RequestMethod.GET)
    Data findByNumber(@PathVariable("number") String number) {
        return repository.findByNumber(number);
    }

    // PUT /ABC/{number}; the path variable is bound so the URL and body can be compared
    @RequestMapping(value = "{number}", method = RequestMethod.PUT)
    int update(@PathVariable("number") String number, @RequestBody @Valid Data myData) {
        repository.update(myData);
        return 1;
    }

    // DELETE /ABC/{number}
    @RequestMapping(value = "{number}", method = RequestMethod.DELETE)
    int delete(@PathVariable("number") String number) {
        repository.delete(number);
        return 1;
    }
}

[Discussion]:

    Tags: java rest oauth-2.0 spring-boot


    [Answer 1]:

    You need to add .antMatchers("/ABC/**").authenticated()

    Look at the jhipster oauth2 sample

    https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/java/com/mycompany/myapp/config/OAuth2ServerConfiguration.java

    [Comments]:

    • Thanks, it worked! A bit off-topic, but do you know whether the password the user enters to authorize can be accessed from the server?
    • I am not sure of the answer to your new question. It depends on whether you consider your resourceServer and authorizationServer to be the same server. The resource server does not need to know the credentials. If you think this is correct, please accept the answer above. Thanks.
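    Why the answer works, and a stronger version of it, as an added example that is not code from the question, the answer, or the Spring sample it was copied from. With authorizeRequests(), a request that matches none of the listed antMatchers gets no access decision at all, so every path the resource server does not name is open; that is why POST /ABC worked without a token. Adding a matcher for /ABC/** closes that one path. The structural fix is a catch-all .anyRequest().authenticated() so that anything not explicitly listed is denied by default. The example below also splits /ABC by HTTP method and ties writes to the "write" scope the question's client is issued. It assumes the same Spring Security OAuth2 generation the question uses (@EnableResourceServer), the same RESOURCE_ID, and the /users, /greeting and /ABC paths from the question; the class name is mine.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Added example; replaces the question's ResourceServerConfiguration.
// Assumes the question's resource id and paths; class name is hypothetical.
@Configuration
@EnableResourceServer
public class HardenedResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "restservice";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // A token minted for a different resource id is rejected even if it
        // is otherwise valid, so tokens cannot be replayed across services.
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The two rules the question already had.
                .antMatchers("/users").hasRole("ADMIN")
                .antMatchers("/greeting").authenticated()

                // The answer's fix, made method-aware. Reads need a token
                // carrying the "read" scope; isAuthenticated() first so an
                // anonymous request is answered with 401 rather than 403.
                .antMatchers(HttpMethod.GET, "/ABC/**")
                    .access("isAuthenticated() and #oauth2.hasScope('read')")

                // Writes need the "write" scope. Scope is a property of the
                // token (what the client was granted), not of the user's roles,
                // so a read-only client cannot create, update or delete.
                .antMatchers(HttpMethod.POST, "/ABC/**")
                    .access("isAuthenticated() and #oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PUT, "/ABC/**")
                    .access("isAuthenticated() and #oauth2.hasScope('write')")
                .antMatchers(HttpMethod.DELETE, "/ABC/**")
                    .access("isAuthenticated() and #oauth2.hasScope('write')")

                // Deny by default. Any path no rule above matches (a controller
                // added later, a mistyped matcher, a management endpoint) now
                // requires a valid token instead of being silently reachable.
                .anyRequest().authenticated();
    }
}
```

    To check the behaviour against a running instance, call POST /ABC with no Authorization header and expect 401; obtain a token for the "clientapp" client with the password grant and call again with Authorization: Bearer <token> and expect 201; a token issued with only the "read" scope should be refused on POST with 403 while still succeeding on GET /ABC/{number}. The point to carry away is the last line: when the list of matchers is the only thing standing between the network and a controller, every rule you forget to write is an open endpoint, and .anyRequest().authenticated() turns that into a rule you cannot forget.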