I am writing a small application whose authentication is linked to a database; this authentication is managed by the OAuth2 side (the classes annotated with @EnableAuthorizationServer and @EnableResourceServer). The admin pages in the same application have a second authentication, which will be linked to a different database and will use normal form-based authentication.
I wrote the following web security configuration class for this specific purpose:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Configuration
    @Order(5)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/admin_logout"))
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/admin/login.html");

            http.authorizeRequests()
                .antMatchers("/admin/login.html").permitAll()
                .antMatchers("/admin/protected.html").hasRole("ADMIN")
                .and().formLogin()
                    .loginPage("/admin/login.html")
                    .loginProcessingUrl("/admin_login")
                    .defaultSuccessUrl("/admin/protected.html");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Data source for form-based auth
            auth.inMemoryAuthentication()
                .withUser("adminuser").password("adminpassword").roles("ADMIN");
        }
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Data source for OAuth
        auth.inMemoryAuthentication()
            .withUser("myuser").password("mypassword").roles("USER")
            .and()
            .withUser("test").password("testpassword").roles("USER");
    }
}
```
The other relevant components are:
Authorization server configuration:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
            .tokenEnhancer(tokenEnhancer())
            .tokenStore(tokenStore());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")
            .secret("secret")
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read", "write")
            .resourceIds("resource")
            .accessTokenValiditySeconds(60);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.checkTokenAccess("isAuthenticated()");
    }

    @Bean
    public TokenEnhancer tokenEnhancer() {
        // CustomTokenEnhancer is the project's own class (see the linked repository)
        return new CustomTokenEnhancer();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }
}
```
Resource server configuration:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableResourceServer
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("resource").tokenStore(tokenStore);
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").authenticated();
    }
}
```
You can also view the code here: https://github.com/cenobyte321/spring-oauth2-tokenenhancer-test/tree/webspeciallogin (branch: webspeciallogin)
The problem is that everything in the AdminSecurityConfig class is ignored: I can reach the protected.html page without logging in, and the specified login and logout processing URLs are not created.
On the other hand, the OAuth2-based login works without problems. I have not yet figured out how to specify an AuthenticationManagerBuilder for OAuth2; most online resources suggest the configureGlobal injection method, which OAuth reads correctly, and that is why it is set up that way in the code above.
How can I configure two authentication sources independently of each other in a single OAuth2-enabled application?
Regards.
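As an added illustration (not the asker's code, and not verified against the linked repository), the following shows the usual way to keep two WebSecurityConfigurerAdapter chains from competing for the same requests: the admin chain declares its own request scope with requestMatchers() instead of relying on registration order, and default-denies everything else inside that scope. The class name ScopedWebSecurityConfig is an assumption; users, roles and URLs are taken from the question.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ScopedWebSecurityConfig {   // hypothetical class name
    // Admin chain: requestMatchers() limits this entire filter chain to the
    // admin pages plus the two processing URLs, so /api/** is never claimed
    // here and is left to the resource server chain regardless of @Order.
    @Configuration
    @Order(5)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers()
                    .antMatchers("/admin/**", "/admin_login", "/admin_logout")
                .and().authorizeRequests()
                    .antMatchers("/admin/login.html").permitAll()
                    .anyRequest().hasRole("ADMIN")      // default-deny inside the scope
                .and().formLogin()
                    .loginPage("/admin/login.html")
                    .loginProcessingUrl("/admin_login")
                    .defaultSuccessUrl("/admin/protected.html")
                .and().logout()
                    .logoutUrl("/admin_logout")
                    .logoutSuccessUrl("/admin/login.html");
        }

        // Local user store for the admin chain only (plaintext password kept
        // for illustration; Spring Security 5 requires an encoded password).
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("adminuser").password("adminpassword").roles("ADMIN");
        }
    }

    // Global user store, the one the OAuth2 authorization server autowires.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("myuser").password("mypassword").roles("USER");
    }
}
```

Note that /admin_login and /admin_logout are outside /admin/**, so a plain antMatcher("/admin/**") would leave the form-login and logout filters unable to see their own processing requests; listing them in requestMatchers() avoids that.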