4

我已经使用 spring boot 创建了一个授权服务器,我想在资源服务器中使用它的资源所有者角色。我有一个扩展WebSecurityConfigurerAdapter的类SecurityConfig,我在其中检查了来自 mongodb 的资源所有者的凭据以进行身份​​验证。为此,我有一个实现AuthenticationProvider的类MongoAuthProvider ,我从中返回一个带有用户名、密码和角色的UsernamePasswordAuthenticationToken实例,例如“ROLE_ADMIN”、“ROLE_APPUSER”。

@SpringBootApplication
@RestController
@EnableResourceServer
public class AuthserverApplication extends WebMvcConfigurerAdapter {

public static void main(String[] args) {
    SpringApplication.run(AuthserverApplication.class, args);
}

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends
        AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code","implicit",
                        "refresh_token", "password").scopes("openid");

    }
}

@Configuration
protected static class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MongoAuthProvider mongoAuthProvider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.authenticationProvider(mongoAuthProvider);
    }


    @Bean
    public MongoAuthProvider getMongoAuthProvider(){
        return new MongoAuthProvider();
    }

}

@RequestMapping("/user")
public Principal user(OAuth2Authentication user) {
    return user;
}
}

class MongoAuthProvider implements AuthenticationProvider {

@Autowired
UserRepo userrepo;

@Override
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {

    String userName = authentication.getName().trim();
    String password = authentication.getCredentials().toString().trim();

    User user = userrepo.findByUserNameAndPassword(userName, password);

    if(user != null){
        return new UsernamePasswordAuthenticationToken(userName, password,
                AuthorityUtils.createAuthorityList("ROLE_ADMIN" , "ROLE_APPUSER"));
    } else {
        return null;
    }
}

@Override
public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

}

在身份验证服务器中,我还有一个用户信息休息端点:

@RequestMapping("/user")
public Principal user(OAuth2Authentication user) {
    return user;
}

我想在资源服务器中使用授权服务器数据库中资源所有者的角色。为此,我有一个类ResourceServer扩展ResourceServerConfigurerAdapter,我试图在其中检查来自身份验证服务器的用户角色。资源服务器工作正常。问题是它无法从身份验证服务器检查角色。

@SpringBootApplication
@EnableResourceServer
@EnableOAuth2Sso
public class AuthserverClientApplication extends WebMvcConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(AuthserverClientApplication.class, args);
    }

    @Configuration
    protected static class ResourceServer extends ResourceServerConfigurerAdapter  {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
            .authorizeRequests()
            .antMatchers("**")             
            //.hasAuthority("ROLE_ADMIN")
            .hasRole("ADMIN")
            .anyRequest().authenticated();

        }
    }
  }
}

请帮助我如何使用资源服务器中授权服务器的角色进行基于角色的访问。

4

0 回答 0