0

我有以下 3 个微服务

  • 配置服务器
  • Auth Server 使用 MongoDB 引用链接。我成功将项目从 1.2.4 迁移到 1.3.3
  • 用户服务。一个带有 3 个 Get 方法的 Rest Controller 和一个资源服务器。(每个用于 ADMIN、MERCHANT 和 CONSUMER)

我希望根据用户的角色限制对 REST 控制器的 GET 方法的访问。资源配置如下

 @Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override 
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/**").hasAuthority("ROLE_ADMIN")
            .anyRequest()
                .authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
         resources.resourceId("admin-api");
    }
}

为了测试,我只是尝试为除角色 ADMIN 之外的所有用户锁定用户服务。但是,我得到 401 Access Denied。我也尝试了 hasRole("ADMIN") 具有相同的结果。如果我删除了该授权标准,则用户已正确通过身份验证(不接受错误的访问令牌)。来自认证服务器的 userInfoUri 的响应如下

{
  "details": {
    "remoteAddress": "0:0:0:0:0:0:0:1",
    "sessionId": null,
    "tokenValue": "a4244b33-80b2-48db-909d-f8aaaaf45985",
    "tokenType": "Bearer",
    "decodedDetails": null
  },
  "authorities": [
    {
      "authority": "ROLE_ADMIN"
    }
  ],
  "authenticated": true,
  "userAuthentication": {
    "details": null,
    "authorities": [
      {
        "authority": "ROLE_ADMIN"
      }
    ],
    "authenticated": true,
    "principal": "admin@ikarma.com",
    "credentials": null,
    "client": false,
    "name": "admin@ikarma.com"
  },
  "credentials": "",
  "clientOnly": false,
  "oauth2Request": {
    "clientId": "admin-web",
    "scope": [
      "trust",
      "read",
      "write"
    ],
    "requestParameters": {
      "grant_type": "password",
      "username": "admin@ikarma.com"
    },
    "resourceIds": null,
    "authorities": [],
    "approved": true,
    "refresh": false,
    "redirectUri": null,
    "responseTypes": [],
    "extensions": {},
    "refreshTokenRequest": null,
    "grantType": "password"
  },
  "principal": "admin@ikarma.com",
  "name": "admin@ikarma.com"
}

我无法弄清楚为什么基于角色的授权不起作用。任何帮助都将不胜感激。

4

2 回答 2

0

确保 JWT 编码/解码的实现在双方资源服务器和认证服务器上是相同的。另外请尝试在 oauth 服务器上创建具有 3 个角色的 3 个用户的 inMemory:

@Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
...
    @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("user").password("user").authorities("read").roles("USER")
                .and()
                    .withUser("admin").password("admin").authorities("read","write").roles("ADMIN");
        }
...
}

尝试为这些用户接收 access_token,然后向资源服务器发出请求,包括请求标头 Authorization: Bearer [access_token] 如果您将收到相同的错误,则表示您的 JWT 实现不正确...请查看关于智威汤逊这里 https://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/

于 2017-10-14T08:26:57.263 回答
0

将 spring-security-oauth2 依赖项更改为此

<dependency>
<groupId>org.springframework.security.oauth</groupId>
 <artifactId>spring-security-oauth2</artifactId>
 <version>2.0.7.RELEASE</version>
</dependency>
于 2016-06-25T21:08:30.783 回答