OAuth 2.0 configuration conflicts with Spring Security
Posted: 2017-03-31 22:10:27

Question:
I am trying to configure OAuth2 with Spring Security, but my OAuth configuration conflicts with the Spring Security configuration.
The resource server configuration does not seem to be limited to /api/v0/.* and instead overrides all of the security configuration. The resource server works fine, but my form-based authentication with Spring Security does not work: it returns an HTTP 404 error.
I have the following code in my WebSecurityConfigurerAdapter:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ADMINISTRATOR')")
            .antMatchers("/1/admin/**").access("hasRole('ADMINISTRATOR')")
            .antMatchers("/profile**").authenticated()
            .antMatchers("/oauth/authorize").authenticated()
        .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=1")
            .loginProcessingUrl("/login-attempt")
            .defaultSuccessUrl("/", false)
        .and()
        .csrf();
}
```
Here is my configuration from the ResourceServerConfigurerAdapter:

```java
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .regexMatchers("/api/v0/.*").authenticated();
}
```
Log:
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/html/**'
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/webapi/**'
OrRequestMatcher:65 - Trying to match using Ant [pattern='/oauth/token']
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/oauth/token'
OrRequestMatcher:65 - Trying to match using Ant [pattern='/oauth/token_key']
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/oauth/token_key'
OrRequestMatcher:65 - Trying to match using Ant [pattern='/oauth/check_token']
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/oauth/check_token'
OrRequestMatcher:72 - No matches found
FilterChainProxy:324 - /login-attempt at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy:324 - /login-attempt at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
FilterChainProxy:324 - /login-attempt at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2fa4c8cd
FilterChainProxy:324 - /login-attempt at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
AntPathRequestMatcher:151 - Checking match of request : '/login-attempt'; against '/logout'
FilterChainProxy:324 - /login-attempt at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
BearerTokenExtractor:54 - Token not found in headers. Trying request parameters.
BearerTokenExtractor:57 - Token not found in request parameters. Not an OAuth2 request.
OAuth2AuthenticationProcessingFilter:141 - No token in request, will continue chain.
FilterChainProxy:324 - /login-attempt at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
FilterChainProxy:324 - /login-attempt at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
FilterChainProxy:324 - /login-attempt at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1;SessionId:672t27n01ruouli4a041a0xq;Granted Authorities: ROLE_ANONYMOUS'
FilterChainProxy:324 - /login-attempt at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
FilterChainProxy:324 - /login-attempt at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
FilterChainProxy:324 - /login-attempt at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
RegexRequestMatcher:106 - Checking match of request : '/login-attempt'; against '/api/v0/.*'
FilterSecurityInterceptor:209 - Public object - authentication not attempted
FilterChainProxy:309 - /login-attempt reached end of additional filter chain; proceeding with original chain
What am I doing wrong? Thanks in advance!
Answer 1:
Not sure whether it will solve your problem, but let's give it a try. Add

@Order(1)
@Order(2)

to your configuration classes, then try again.
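The log in the question already points at the cause. The chain that handled /login-attempt contains OAuth2AuthenticationProcessingFilter and no UsernamePasswordAuthenticationFilter, and the only access rule its FilterSecurityInterceptor evaluates is '/api/v0/.*', so the request was dispatched to the resource-server filter chain, not to the WebSecurityConfigurerAdapter chain that owns form login. That happens because the resource-server HttpSecurity has no request matcher: `authorizeRequests().regexMatchers("/api/v0/.*")` only restricts access inside the chain, it does not restrict which requests the chain intercepts, and the resource-server chain is ordered before the WebSecurityConfigurerAdapter chain (the ResourceServerConfiguration created by @EnableResourceServer uses order 3, a WebSecurityConfigurerAdapter defaults to order 100). Every request therefore lands in the resource-server chain, /login-attempt is treated as a public object, and the 404 is the servlet container reporting that nothing serves that URL. The following is an added example, not code from the original post, that scopes the resource-server chain to the API; the class name ApiResourceServerConfig is hypothetical:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Added example (not from the original post); the class name is hypothetical.
 * Limits the resource-server filter chain to the API paths so that every other
 * request, including the form-login processing URL /login-attempt, falls
 * through to the WebSecurityConfigurerAdapter chain that configures form login.
 */
@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // requestMatchers() decides which requests this whole chain handles.
            // Without it the chain has no matcher, matches every URL, and, being
            // ordered before the WebSecurityConfigurerAdapter chain, swallows
            // /login-attempt before the form-login filter can see it.
            .requestMatchers()
                .regexMatchers("/api/v0/.*")
            .and()
            // Inside the chain, require an authenticated (bearer-token) caller for
            // everything it handles so no API path is accidentally left public.
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A quick check after the change: with FilterChainProxy debug logging on, a POST to /login-attempt should now be listed as running through UsernamePasswordAuthenticationFilter rather than OAuth2AuthenticationProcessingFilter, and the OAuth2 filter should only appear for /api/v0/ URLs. Scoping the matcher is more robust than reordering: an @Order on the ResourceServerConfigurerAdapter subclass does not change the chain order, which belongs to the ResourceServerConfiguration bean (adjustable in Spring Boot via `security.oauth2.resource.filter-order`), and even a reordered resource-server chain with no matcher would still capture every request the earlier chains do not claim.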