【发布时间】:2019-02-21 06:38:45
【问题描述】:
我正在使用微服务架构,因此我有一个单独的 SSO 服务来处理所有身份验证和授权请求。
我在其他服务中使用 spring websockets,我需要使用 SSO 处理的令牌来保护它,所以我添加了这个配置来保护 websockets。
@Configuration
@EnableResourceServer
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {
@Override
protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
messages
.nullDestMatcher().authenticated()
.simpTypeMatchers(CONNECT).authenticated()
.simpDestMatchers("/ws/**").hasRole("USER")
.simpSubscribeDestMatchers("/ws/**").hasRole("USER")
.anyMessage().denyAll();
}
@Override
protected boolean sameOriginDisabled() {
return true;
}
}
对于 websocket 配置
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
@Override
public void configureMessageBroker(MessageBrokerRegistry config) {
config.enableSimpleBroker("/ws/topic");
config.setApplicationDestinationPrefixes("/ws/view");
}
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/socket/").withSockJS();
}
}
对于远程 SSO 服务器
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
.antMatchers("/api/**").access("#oauth2.hasScope('service-name')");
http.csrf().disable();
http.httpBasic().disable();
}
@Bean
@Primary
@RefreshScope
public CachedRemoteTokenService tokenServices() {
final CachedRemoteTokenService remoteTokenServices = new CachedRemoteTokenService();
remoteTokenServices.setCheckTokenEndpointUrl(getCheckTokenEndPointUrl());
remoteTokenServices.setClientId(getClientId());
remoteTokenServices.setClientSecret(getClientSecret());
return remoteTokenServices;
}
我在客户端添加了令牌,但它抛出了 AccessDeniedException
var headers = {
Authorization: 'Bearer ' + myToken
}
stompClient.send("/ws/view/update/", headers, JSON.stringify(view));
我检查了 SSO 服务器日志,发现它根本没有调用它!有什么遗漏吗?
任何帮助将不胜感激
【问题讨论】:
标签: java spring-boot websocket oauth-2.0 single-sign-on