【问题标题】:spring oAuth2 not protecting the resourcesspring oAuth2 不保护资源
【发布时间】:2017-08-18 08:02:51
【问题描述】:

我正在尝试使用 spring oAuth2 设置一个纯资源服务器,它将验证来自授权服务器的访问令牌。

我无法保护我的资源。我可以直接点击api。 示例:

  • 获取 本地主机:8080/accounts?access_token=63884b81-a3d3-4eab-a92c-7eb1e2022dfd (不正确的访问令牌)
    • GET localhost:8080/accounts

以上两个链接都可以访问我的资源,但这些链接应该返回未经授权的错误。

资源服务器配置。

<bean id="authenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>

<bean id="oauthAccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />

<oauth2:expression-handler id="oauthExpressionHandler" />

<oauth2:web-expression-handler id="oauthWebExpressionHandler" />

<security:global-method-security
    pre-post-annotations="enabled" proxy-target-class="true">
    <security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>

<oauth2:resource-server id="myResource"
    resource-id="myResourceId" token-services-ref="tokenServices" />

<security:http pattern="/**" create-session="never"
    entry-point-ref="authenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/**"
        access="IS_AUTHENTICATED_FULLY" method="GET" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="HEAD" />
    <security:intercept-url pattern="/**" access="SCOPE_READ"
        method="OPTIONS" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="PUT" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="POST" />
    <security:intercept-url pattern="/**" access="SCOPE_WRITE"
        method="DELETE" />
    <security:custom-filter ref="myResource"
        before="PRE_AUTH_FILTER" />
    <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>

【问题讨论】:

    标签: java spring spring-security spring-security-oauth2 spring-oauth2


    【解决方案1】:

    你必须配置你的 RemoteTokenServices bean 来检查授权服务器中的令牌:

     @Bean
           public RemoteTokenServices LocalTokenService() {
                final RemoteTokenServices tokenService = new RemoteTokenServices();
                tokenService.setCheckTokenEndpointUrl("http://yourauthozationserver/oauth/check_token");
                tokenService.setClientId("my-client-with-secret");
                tokenService.setClientSecret("secret");
                return tokenService;
            }
    

    或来自 xml:

     <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices"
              p:checkTokenEndpointUrl="${oaas.endpoint.check_token}"
              p:clientId="${oaas.client_id}"
              p:clientSecret="${oaas.client_secret}" />
    

    请注意,授权服务器检查端点也应配置为允许匿名请求的令牌检查。

    【讨论】:

      猜你喜欢
      • 2020-11-30
      • 1970-01-01
      • 2015-03-19
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2017-08-01
      • 2013-10-02
      • 2012-11-23
      相关资源
      最近更新 更多