【发布时间】:2017-08-18 08:02:51
【问题描述】:
我正在尝试使用 spring oAuth2 设置一个纯资源服务器,它将验证来自授权服务器的访问令牌。
我无法保护我的资源。我可以直接点击api。 示例:
- 获取
本地主机:8080/accounts?access_token=63884b81-a3d3-4eab-a92c-7eb1e2022dfd
(不正确的访问令牌)
- GET localhost:8080/accounts
以上两个链接都可以访问我的资源,但这些链接应该返回未经授权的错误。
资源服务器配置。
<bean id="authenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myRealm" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />
<oauth2:expression-handler id="oauthExpressionHandler" />
<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
<security:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth2:resource-server id="myResource"
resource-id="myResourceId" token-services-ref="tokenServices" />
<security:http pattern="/**" create-session="never"
entry-point-ref="authenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/**"
access="IS_AUTHENTICATED_FULLY" method="GET" />
<security:intercept-url pattern="/**" access="SCOPE_READ"
method="HEAD" />
<security:intercept-url pattern="/**" access="SCOPE_READ"
method="OPTIONS" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="PUT" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="POST" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE"
method="DELETE" />
<security:custom-filter ref="myResource"
before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
【问题讨论】:
标签: java spring spring-security spring-security-oauth2 spring-oauth2