如何将 Oauth2 服务器正确设置为 Spring 现有 API?
Posted
技术标签:
【中文标题】如何将 Oauth2 服务器正确设置为 Spring 现有 API?【英文标题】:How to properly set Oauth2 servers into a Spring existing API? 【发布时间】:2017-07-07 12:05:29 【问题描述】:我正在将 Oauth2 服务器实现到现有的 REST api 中,以向其中的某些部分添加安全性。 问题是:如果我没有在主类中声明ResourceServer和AuthorizationServer的@configuration,spring security不会加载配置,所以我无法访问API。
我想将此配置放在不同包中的外部类中,但我对 Spring 很陌生,找不到正确执行此操作的方法。
所以我的外部配置文件,如果他的内容在主类中就可以工作,但如果在外部文件中则不行:
SecurityConf.java
@RestController
@Configuration
public class Security
@RequestMapping("/")
public String home()
return "Hello World";
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter
@Override
public void configure(HttpSecurity http) throws Exception
// @formatter:off
http
.authorizeRequests()
.antMatchers("/features/**").permitAll()
.antMatchers("/itineraries/**").permitAll()
.anyRequest().access("#oauth2.hasScope('read')"); //This makes all other petitions under authorization
@Override
public void configure(ResourceServerSecurityConfigurer resources)
throws Exception
resources.resourceId("sparklr");
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception
endpoints.authenticationManager(authenticationManager);
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
// @formatter:off
clients.inMemory().withClient("my-trusted-client")
.authorizedGrantTypes("password", "authorization_code",
"refresh_token", "implicit")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "trust").resourceIds("sparklr")
.accessTokenValiditySeconds(60).and()
.withClient("my-client-with-registered-redirect")
.authorizedGrantTypes("authorization_code").authorities("ROLE_CLIENT")
.scopes("read", "trust").resourceIds("sparklr")
.redirectUris("http://anywhere?key=value").and()
.withClient("my-client-with-secret")
.authorizedGrantTypes("client_credentials", "password")
.authorities("ROLE_CLIENT").scopes("read").resourceIds("sparklr")
.secret("secret");
// @formatter:on
还有主类,
Application.java
@Configuration
@EnableConfigurationProperties
@ComponentScan(basePackageClasses = SimpleCORSFilter.class)
@EnableAutoConfiguration
@EntityScan(basePackages = "com.pace.things.model")
public class Application
@Bean
public FilterRegistrationBean filterRegistrationBean()
FilterRegistrationBean registrationBean = new FilterRegistrationBean();
CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
registrationBean.setFilter(characterEncodingFilter);
characterEncodingFilter.setEncoding("UTF-8");
characterEncodingFilter.setForceEncoding(true);
registrationBean.setOrder(Integer.MIN_VALUE);
registrationBean.addUrlPatterns("/*");
return registrationBean;
public static void main(String[] args)
SpringApplication application = new SpringApplication(Application.class);
SpringApplication.run(Application.class, args);
那么我忘记了什么?
提前致谢
【问题讨论】:
我自己在这个other 线程上解决了这个问题。 【参考方案1】:Referenced thread:
我需要将 WebSecurityConfig 添加到应用程序上下文中,在主类声明中添加这一行:
...
@Import(WebSecurityConfig.class)
public class Application
...
我做的另一件事是将SpringBoot升级到1.4.3.RELEASE并将主应用程序放到根文件夹:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
树将是,例如:
└── com
└── app
├── Application.java
└── config
└── WebSecurityConfig.java
这会自动加载子文件夹中的所有@Configuration。
【讨论】:
以上是关于如何将 Oauth2 服务器正确设置为 Spring 现有 API?的主要内容,如果未能解决你的问题,请参考以下文章
如何覆盖 Spring Cloud OAuth2 客户端自动配置?