2

我正在使用 1.3.2.RELEASE BOM 将Spring Security Auth0集成到 Spring Web 应用程序中。我一直在使用提供的 auth0-security-context.xml 文件来配置身份验证,它的工作原理如下:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <bean id="auth0EntryPoint" class="com.auth0.spring.security.auth0.Auth0AuthenticationEntryPoint" />

    <!-- all urls starting with unsecured are -->
    <security:http pattern="${auth0.securedRoute}" create-session="stateless"  entry-point-ref="auth0EntryPoint">
        <security:intercept-url pattern="${auth0.securedRoute}" access="ROLE_USER" />
        <security:custom-filter ref="auth0Filter" after="SECURITY_CONTEXT_FILTER" ></security:custom-filter>
    </security:http>

    <!-- Otherwise by default everything is secured -->
    <security:http auto-config="true" use-expressions="true"  pattern="/**" create-session="stateless"  entry-point-ref="auth0EntryPoint">
        <security:intercept-url pattern="/**" access='permitAll' />
    </security:http>

    <bean id="auth0Filter" class="com.auth0.spring.security.auth0.Auth0AuthenticationFilter">
        <property name="entryPoint" ref="auth0EntryPoint"></property>
    </bean>

    <bean id="auth0AuthenticationProvider" class="com.auth0.spring.security.auth0.Auth0AuthenticationProvider">
        <property name="clientSecret" value="${auth0.clientSecret}" ></property>
        <property name="clientId" value="${auth0.clientId}" ></property>
        <property name="securedRoute" value="${auth0.securedRoute}" ></property>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="auth0AuthenticationProvider" />
    </security:authentication-manager>

</beans>

我需要自定义配置(我需要关闭 CSRF 保护),所以我删除了导入上述 XML 文件的注释,并尝试将上述内容转换为 Java Config,使用以下类:

Auth0Configuration.java

package co.masslab.shiba;

import com.auth0.spring.security.auth0.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;

@Configuration
@ComponentScan(basePackages={"com.auth0"})
@PropertySource("classpath:auth0.properties")
public class Auth0Configuration {

    @Value("${auth0.clientSecret}")
    private String clientSecret;

    @Value("${auth0.clientId}")
    private String clientId;

    @Value("${auth0.securedRoute}")
    private String securedRoute;

    @Bean
    public Auth0AuthenticationEntryPoint auth0EntryPoint() {
        return new Auth0AuthenticationEntryPoint();
    }

    @Bean
    @Autowired
    public Auth0AuthenticationFilter auth0Filter(Auth0AuthenticationEntryPoint auth0EntryPoint) {
        Auth0AuthenticationFilter authFilter = new Auth0AuthenticationFilter();
        authFilter.setEntryPoint(auth0EntryPoint);
        return authFilter;
    }

    @Bean
    public Auth0AuthenticationProvider auth0AuthenticationProvider() {
        Auth0AuthenticationProvider authProvider = new Auth0AuthenticationProvider();
        authProvider.setClientSecret(clientSecret);
        authProvider.setClientId(clientId);
        authProvider.setSecuredRoute(securedRoute);
        return authProvider;
    }
}

WebSecurityConfig.java

package co.masslab.shiba;

import com.auth0.spring.security.auth0.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final static Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Value("${auth0.securedRoute}")
    private String securedRoute;

    @Autowired
    private Auth0AuthenticationEntryPoint auth0EntryPoint;

    @Autowired
    private Auth0AuthenticationFilter auth0Filter;

    @Autowired
    private Auth0AuthenticationProvider auth0AuthenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        log.info("Configuring HttpSecurity");

        http
            .authorizeRequests().antMatchers(securedRoute).hasRole("USER")
            .and()
            .exceptionHandling().authenticationEntryPoint(auth0EntryPoint)
            .and()
            .addFilterAfter(auth0Filter, SecurityContextPersistenceFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        log.info("Configuring AuthenticationManagerBuilder");
        auth.authenticationProvider(auth0AuthenticationProvider);
    }
}

所有这些都可以毫无例外地编译和运行,当我没有提供任何身份验证时,它会正确地告诉我我需要这样做,但是当我在授权标头中使用有效的不记名令牌进行身份验证时,我会收到消息No AuthenticationProvider found for com.auth0.spring.security.auth0.Auth0JWTToken。要完全清楚,我在使用这个问题顶部给出的 auth0-security-context.xml 文件时没有这个问题。

从 XML 配置转换为 Java 配置时我错过了什么?

4

1 回答 1

2

秘诀在于配置方法AuthenticationManagerBuilder需要用@Autowired.

于 2016-02-11T19:28:27.867 回答