Spring Security OAuth2

Updated: 2024-10-28 00:19:17

This article covers Spring Security OAuth2 - @EnableOAuth2Sso, but also accepting tokens as authentication.

Problem description

My application in WebSecurityConfigurerAdapter


After adding @EnableOAuth2Sso the application redirects me to the authorization server and allows access after login at this authorization server. I want to offer API access as well, so I want applications to be able to access my resources by passing an access token via the Authorization-Header

    Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...


I debugged through the authentication filter which is used with @EnableOAuth2Sso and noticed that the Authorization-Header value is not checked.


After that I tried to create a custom filter and added this filter to the security configuration

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilter(myCustomFilter)
            ...;
    }


But now I get the following Exception:

    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
        ... 26 more
    Caused by: org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built
        at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:44)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:105)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea.CGLIB$springSecurityFilterChain$5(<generated>)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea$$FastClassBySpringCGLIB$$7e95689d.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:318)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f0788cea.springSecurityFilterChain(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)


At first I thought I had done something wrong inside my filter, but I ended up with a plain filter class doing nothing other than proceeding with the filter chain and still got the same error.

So I have two questions:

  • Why do I get this exception?
  • Is there a way to allow token authentication for endpoints in an application which uses @EnableOAuth2Sso?

Recommended answer


    The reason for the exception was the ordering of the filters, like @jah said.


    What I did to achieve the authentication of requests containing an access token in the Authorization-Header is to create a class ApiTokenAccessFilter which extends OAuth2AuthenticationProcessingFilter. This filter takes a ResourceServerTokenServices constructor parameter and sets the stateless flag to false.

        import org.springframework.security.authentication.AuthenticationManager;
        import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
        import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
        import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

        public class ApiTokenAccessFilter extends OAuth2AuthenticationProcessingFilter {

            public ApiTokenAccessFilter(ResourceServerTokenServices resourceServerTokenServices) {
                super();
                // A stateless filter clears the SecurityContext whenever no bearer token is present,
                // which would drop the session login established by @EnableOAuth2Sso. Keep it stateful.
                setStateless(false);
                setAuthenticationManager(oauthAuthenticationManager(resourceServerTokenServices));
            }

            // Validates the extracted token through the token services; tokens scoped to a
            // resource id other than "oauth2-resource" are rejected by the manager.
            private AuthenticationManager oauthAuthenticationManager(ResourceServerTokenServices tokenServices) {
                OAuth2AuthenticationManager oauthAuthenticationManager = new OAuth2AuthenticationManager();
                oauthAuthenticationManager.setResourceId("oauth2-resource");
                oauthAuthenticationManager.setTokenServices(tokenServices);
                oauthAuthenticationManager.setClientDetailsService(null);
                return oauthAuthenticationManager;
            }
        }


    In my security config I used this filter as follows:

        @Configuration
        @EnableOAuth2Sso
        public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

            @Autowired
            private ResourceServerTokenServices tokenServices;

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests()
                        .anyRequest()
                        .authenticated()
                    .and()
                    .addFilterBefore(new ApiTokenAccessFilter(tokenServices),
                                     AbstractPreAuthenticatedProcessingFilter.class);
            }
        }


    I think this could be easier, so I opened an issue on the spring-security-oauth Github repo. I'm not sure whether this solution is the way to go, but I didn't find another alternative.
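The following check exercises the two request paths the answer relies on, a bearer-token API call and a header-less browser call that must keep its SSO session login. It is added example code, not part of the answer or of the Spring project; it assumes the answer's ApiTokenAccessFilter is in the same package, that spring-security-oauth2 2.x and spring-test are on the classpath, and it uses a constructed stub ResourceServerTokenServices with a constructed sample token value.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletException;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

public class ApiTokenAccessFilterCheck {
    static final String VALID_TOKEN = "constructed-sample-token"; // constructed, not a real token
    // Stand-in for the real ResourceServerTokenServices (assumption): it knows exactly one token,
    // issued to "alice" for resource id "oauth2-resource", the id the filter's manager requires.
    static ResourceServerTokenServices stubTokenServices() {
        return new ResourceServerTokenServices() {
            public OAuth2Authentication loadAuthentication(String token) {
                if (!VALID_TOKEN.equals(token)) return null; // manager turns null into InvalidTokenException
                OAuth2Request stored = new OAuth2Request(null, "api-client", null, true,
                        Collections.singleton("read"), Collections.singleton("oauth2-resource"), null, null, null);
                return new OAuth2Authentication(stored, new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
            }
            public OAuth2AccessToken readAccessToken(String token) { throw new UnsupportedOperationException(); }
        };
    }
    // Runs one request through the filter and reports who the SecurityContext holds afterwards.
    static String principalAfter(String authorizationHeader, Authentication sessionLogin) throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        if (sessionLogin != null) SecurityContextHolder.getContext().setAuthentication(sessionLogin);
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/api/resource");
        if (authorizationHeader != null) req.addHeader("Authorization", authorizationHeader);
        new ApiTokenAccessFilter(stubTokenServices()).doFilter(req, new MockHttpServletResponse(), new MockFilterChain());
        Authentication result = SecurityContextHolder.getContext().getAuthentication();
        return result == null ? null : result.getName();
    }
    public static void main(String[] args) throws Exception {
        // API client: the bearer token is now actually checked and becomes the authentication.
        if (!"alice".equals(principalAfter("Bearer " + VALID_TOKEN, null))) throw new AssertionError("bearer path");
        // Browser: no header, but the SSO session login survives because setStateless(false)
        // stops the filter from clearing the SecurityContext when no token is present.
        Authentication sso = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");
        if (!"bob".equals(principalAfter(null, sso))) throw new AssertionError("session path");
        System.out.println("both paths authenticate as expected");
    }
}
```

A token whose stored request names a different resource id, or one the token services do not recognise, makes the filter clear the context and hand the request to the entry point instead, which is the rejection behaviour the filter adds for API callers.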

    Published: 2023-11-28 15:55:43
    Source: https://www.elefans.com/category/jswz/34/1643038.html