我有一个 Spring Security 应用程序,我希望能够验证多个令牌 - 我希望能够Authorization
从 Google 或内部服务传递带有不记名令牌的标头,并让后端尝试依次验证每个服务。
我的问题是我只看到第一个(基于较低的resource.setOrder(x)
x 值)。换句话说,我有 2 个资源服务器配置,但它只使用第一个而不是第二个。
如果我将 google 设置为 3,将另一个设置为 4,则可以找到 google 令牌验证,但是当我尝试访问/
它时,我看到 Google 过滤器工作(BTE for Google
在输出中)但不是我配置的第二个过滤器(BTE for App
) .
我正在尝试像这样配置 2 个 ResourceServers:
@Bean
protected ResourceServerConfiguration googleLoginResources() {
ResourceServerConfiguration resource = new ResourceServerConfiguration() {
public void setConfigurers(List<ResourceServerConfigurer> configurers) {
super.setConfigurers(configurers);
}
};
resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
ResourceServerTokenServices googleLoginTokenServices(OAuthProperties oAuthProperties, AccessTokenValidator tokenValidator) {
LOGGER.info("Configuring Google ResourceServerTokenServices");
GoogleTokenServices googleTokenServices = new GoogleTokenServices(tokenValidator);
googleTokenServices.setUserInfoUrl(oAuthProperties.getUserInfoUrl());
return googleTokenServices;
}
AccessTokenValidator googleLoginTokenValidator(OAuthProperties oAuthProperties) {
LOGGER.info("Configuring Google AccessTokenValidator");
GoogleAccessTokenValidator accessTokenValidator = new GoogleAccessTokenValidator();
accessTokenValidator.setClientId(oAuthProperties.getClientId());
accessTokenValidator.setCheckTokenUrl(oAuthProperties.getCheckTokenUrl());
return accessTokenValidator;
}
class BTEG extends BearerTokenExtractor {
@Override
protected String extractToken(HttpServletRequest request) {
LOGGER.info("BTE for Google");
return super.extractToken(request);
}
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
LOGGER.info("Configuring Google ResourceServerSecurityConfigurer");
resources.resourceId(oAuthProperties.getClientId());
ResourceServerTokenServices gts = googleLoginTokenServices(oAuthProperties, googleLoginTokenValidator(oAuthProperties));
// DelegatingTokenServices dts = new DelegatingTokenServices();
// dts.addResourceServerTokenServices(gts);
resources.tokenServices(gts);
resources.tokenExtractor(new BTEG());
}
@Override
public void configure(HttpSecurity http) throws Exception {
LOGGER.info("Configuring HTTP");
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.cors().and()
//.csrf().ignoringAntMatchers("/h2-console/**").and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/login/google").permitAll()
//.antMatchers("/h2-console/**").permitAll()
.antMatchers("/login/google").hasRole("GOOGLE_USER")
//.antMatchers("/").permitAll()
;
}
}));
resource.setOrder(3);
return resource;
}
@Bean
protected ResourceServerConfiguration appLoginResources() {
ResourceServerConfiguration resource = new ResourceServerConfiguration() {
public void setConfigurers(List<ResourceServerConfigurer> configurers) {
super.setConfigurers(configurers);
}
};
resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
class BTEA extends BearerTokenExtractor {
@Override
protected String extractToken(HttpServletRequest request) {
LOGGER.info("BTE for App");
return super.extractToken(request);
}
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
LOGGER.info("Configuring App ResourceServerSecurityConfigurer");
resources.resourceId("app");
resources.tokenExtractor(new BTEA());
}
@Override
public void configure(HttpSecurity http) throws Exception {
LOGGER.info("Configuring App HTTP");
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
//.cors().and()
.authorizeRequests()
//.antMatchers(HttpMethod.OPTIONS, "/").permitAll()
.antMatchers("/").hasRole("ASDF")
;
}
}));
resource.setOrder(4);
return resource;
}
我如何使这两者都适用(或更多,如果需要)?