How do I configure Spring Security to use OAuth instead of Basic authentication?

I am building a REST application using Spring Security OAuth. So far I have been able to make requests to obtain an access token:
curl http://localhost:8080/oauth/token -d "username=user&password=pass&client_id=client&client_secret=secret&grant_type=password"
and receive a successful response:
{"access_token":"b9590e0c-dc2c-4578-9246-ab46ab626b2c","token_type":"bearer","refresh_token":"56b73a2c-9993-4bbe-90db-58d207aeb3f1","expires_in":3599,"scope":"read"}
But when I use the access token to request a secured resource, I am redirected to the login page because of the Spring Security configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().hasRole("USER").and().httpBasic();
    //super.configure(http);
}
I tried changing the Spring Security configuration to secure resource requests, but instead I am redirected to this:
curl -H "Authorization: Bearer b9590e0c-dc2c-4578-9246-ab46ab626b2c" -v http://localhost:8080/resources/demo
* Adding handle: conn: 0x7fec92003000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fec92003000) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8080 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /resources/demo HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8080
> Accept: */*
> Authorization: Bearer b9590e0c-dc2c-4578-9246-ab46ab626b2c
>
< HTTP/1.1 302 Found
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=AD13E5504E72BDFED23E4C253A584D68; Path=/; HttpOnly
< Location: http://localhost:8080/login
< Content-Length: 0
< Date: Wed, 23 Jul 2014 17:23:12 GMT
<
* Connection #0 to host localhost left intact
@Configuration
public class OAuth2ServerConfig {

    protected static final String RESOURCE_ID = "oauthdemo";

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/resources/**").and()
                .authorizeRequests()
                .anyRequest().access("#oauth2.hasScope('read')");
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.resourceId(RESOURCE_ID);
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("client")
                .authorizedGrantTypes("password", "refresh_token")
                .authorities("ROLE_USER")
                .scopes("read")
                .resourceIds(RESOURCE_ID)
                .secret("secret").accessTokenValiditySeconds(3600);
        }
    }
}

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("pass").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
    }
}
With Spring Security OAuth2 I get an HTTP/1.1 401 Unauthorized page.
But worst of all, if I add the user credentials instead of the access_token with the Authorization header, I can access the secured resource:
curl http://user:pass@localhost:8080/resources/demo && echo
WELCOME TO /demo!!
Is there something in the Spring configuration that I am doing wrong? https://github.com/gee0292/OAuth2Demo
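
An added example, not part of the original question or the linked project: a small Python check that reads `curl -v` transcripts like the one above and flags the symptoms described (a bearer request answered with a login redirect and a session cookie, and Basic credentials accepted on `/resources/**`). The function names and finding labels are assumptions, and the second transcript is constructed.

```python
def parse_curl_verbose(transcript):
    """Return (request headers, status code, response headers) from `curl -v` output."""
    req, status, resp = {}, None, {}
    for line in (l.strip() for l in transcript.splitlines()):
        if line.startswith("< HTTP/"):
            status = int(line.split()[2])
        elif line[:2] in ("> ", "< ") and ": " in line:
            name, value = line[2:].split(": ", 1)
            (req if line[0] == ">" else resp)[name.lower()] = value
    return req, status, resp


def resource_server_findings(transcript):
    """Flag responses showing the resource is not handled as a token-only endpoint."""
    req, status, resp = parse_curl_verbose(transcript)
    scheme = req.get("authorization", "").split(" ", 1)[0].lower()
    findings = []  # labels below are hypothetical names chosen for this example
    # A token-protected API should answer 401/403, not a browser login redirect.
    if status in (301, 302, 303, 307) and resp.get("location", "").endswith("/login"):
        findings.append("redirect-to-login")
    # A session cookie on a bearer request suggests session-based handling answered.
    if scheme == "bearer" and "jsessionid=" in resp.get("set-cookie", "").lower():
        findings.append("session-cookie-on-bearer-request")
    # A 200 for username/password means the resource is reachable without a token.
    if scheme == "basic" and status == 200:
        findings.append("basic-credentials-accepted")
    return findings


# Trimmed from the transcript in the question.
BEARER_302 = """\
> GET /resources/demo HTTP/1.1
> Authorization: Bearer b9590e0c-dc2c-4578-9246-ab46ab626b2c
>
< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=AD13E5504E72BDFED23E4C253A584D68; Path=/; HttpOnly
< Location: http://localhost:8080/login
<
"""

# Constructed: how the user:pass request in the question would look with -v.
BASIC_200 = """\
> GET /resources/demo HTTP/1.1
> Authorization: Basic dXNlcjpwYXNz
>
< HTTP/1.1 200 OK
<
WELCOME TO /demo!!
"""

if __name__ == "__main__":
    for name, text in (("bearer", BEARER_302), ("basic", BASIC_200)):
        print(name, resource_server_findings(text))
```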