I am upgrading from springfox-swagger2 to springdoc-openapi-ui. I use the swagger definition on the front end to auto-generate types. The /oauth/token endpoint is missing with springdoc-openapi-ui. This is my configuration:
```java
import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.info.Info;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.OAuthScope;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
import org.springframework.context.annotation.Configuration;

@Configuration
@OpenAPIDefinition(info = @Info(title = "title",
        description = "description", version = "v1"))
@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
        flows = @OAuthFlows(password = @OAuthFlow(
                authorizationUrl = "${oauth.auth.url}",
                tokenUrl = "${oauth.auth.url}/oauth/token", refreshUrl = "${oauth.auth.url}",
                scopes = {@OAuthScope(name = "all", description = "all scope")})))
public class OpenApiConfig {}
```
I have an authorization server that is part of the same application (it shares the same pom.xml as my resource server). The authorization server uses spring-security-oauth2 and looks like this:
```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    public AuthorizationServerConfiguration() {
        super();
    }

    @Bean
    public TokenStore tokenStore() {
        // Tokens are persisted in the database shared with the resource server.
        return new JdbcTokenStore(dataSource);
    }

    // config
    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.passwordEncoder(this.passwordEncoder)
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        // Client ids/secrets are read from the oauth_client_details table.
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}
```
My resource server looks like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer security) throws Exception {
        security.tokenStore(tokenStore);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        //@formatter:off
        http
            .authorizeRequests()
                .antMatchers("/roles/**").hasRole("INTERNAL")
                .antMatchers("/priveleges/**").hasRole("INTERNAL")
                .antMatchers("/gameSync/**").hasAnyRole("ADMIN", "INTERNAL")
                .antMatchers(HttpMethod.POST, "/user").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
                .antMatchers("/v3/**", "/v2/api-docs", "/configuration/**", "/swagger*/**", "/webjars/**", "/").permitAll()
                .anyRequest().authenticated()
            .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().exceptionHandling().accessDeniedHandler(accessDeniedHandler());
        //@formatter:on
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }
}
```
So the security configuration is very basic, since the resource server defines most of it:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // IUserService is the application's own UserDetailsService implementation (package not shown here).
    @Autowired
    private IUserService userService;

    @Override
    public void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
```
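The /oauth/token endpoint in this setup is served by a spring-security-oauth2 framework endpoint rather than by one of the application's own controllers, which is why it does not show up in the springdoc document the way it did under springfox. Whatever the scan does or does not pick up, one robust way to get the endpoint into the generated document (and therefore into the front-end types) is to describe it by hand with a springdoc OpenApiCustomiser bean. The code below is an added example, not code from the question or from springdoc or spring-security-oauth2. It assumes springdoc-openapi 1.x (where the interface is spelled OpenApiCustomiser), the hypothetical class name TokenEndpointDocConfig, a scheme name "client_basic" chosen here for the client id/secret, and the standard OAuth2 token-response fields from RFC 6749 section 5.1. Documenting the endpoint as requiring HTTP Basic client authentication matters from a security standpoint: with @EnableAuthorizationServer the token endpoint authenticates the client, not the user, and a generated client that omits the client credentials would otherwise be built as if the endpoint were anonymous.

```java
import java.util.Arrays;

import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.Operation;
import io.swagger.v3.oas.models.PathItem;
import io.swagger.v3.oas.models.Paths;
import io.swagger.v3.oas.models.media.Content;
import io.swagger.v3.oas.models.media.IntegerSchema;
import io.swagger.v3.oas.models.media.MediaType;
import io.swagger.v3.oas.models.media.ObjectSchema;
import io.swagger.v3.oas.models.media.StringSchema;
import io.swagger.v3.oas.models.parameters.RequestBody;
import io.swagger.v3.oas.models.responses.ApiResponse;
import io.swagger.v3.oas.models.responses.ApiResponses;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springdoc.core.customizers.OpenApiCustomiser;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not part of the original question): describes the legacy
 * spring-security-oauth2 token endpoint by hand so that it appears in the
 * springdoc-generated OpenAPI document. Assumes springdoc-openapi 1.x.
 */
@Configuration
public class TokenEndpointDocConfig {

    private static final String TOKEN_PATH = "/oauth/token";
    // Scheme name for the client id/secret (HTTP Basic); chosen here, not taken from the question.
    private static final String CLIENT_AUTH_SCHEME = "client_basic";

    @Bean
    public OpenApiCustomiser tokenEndpointCustomiser() {
        return openApi -> {
            if (openApi.getPaths() == null) {
                openApi.setPaths(new Paths());
            }
            if (openApi.getComponents() == null) {
                openApi.setComponents(new Components());
            }
            // The token endpoint authenticates the *client*: with @EnableAuthorizationServer
            // that is HTTP Basic with the client id and secret from oauth_client_details.
            openApi.getComponents().addSecuritySchemes(CLIENT_AUTH_SCHEME,
                    new SecurityScheme().type(SecurityScheme.Type.HTTP).scheme("basic"));
            // Leave the path alone if a scan or another customiser already produced it.
            if (!openApi.getPaths().containsKey(TOKEN_PATH)) {
                openApi.getPaths().addPathItem(TOKEN_PATH, new PathItem().post(tokenOperation()));
            }
        };
    }

    private Operation tokenOperation() {
        // Form-encoded body of the password grant and the refresh_token grant it pairs with.
        ObjectSchema form = new ObjectSchema();
        form.addProperties("grant_type",
                new StringSchema()._enum(Arrays.asList("password", "refresh_token")));
        form.addProperties("username", new StringSchema());
        form.addProperties("password", new StringSchema().format("password"));
        form.addProperties("refresh_token", new StringSchema());
        form.addProperties("scope", new StringSchema());
        form.required(Arrays.asList("grant_type"));

        // Standard OAuth2 token response fields (RFC 6749 section 5.1); an assumption about this server.
        ObjectSchema tokenResponse = new ObjectSchema();
        tokenResponse.addProperties("access_token", new StringSchema());
        tokenResponse.addProperties("token_type", new StringSchema());
        tokenResponse.addProperties("refresh_token", new StringSchema());
        tokenResponse.addProperties("expires_in", new IntegerSchema());
        tokenResponse.addProperties("scope", new StringSchema());

        ApiResponses responses = new ApiResponses()
                .addApiResponse("200", new ApiResponse().description("Token issued")
                        .content(new Content().addMediaType("application/json",
                                new MediaType().schema(tokenResponse))))
                .addApiResponse("400", new ApiResponse().description("Invalid grant or malformed request"))
                .addApiResponse("401", new ApiResponse().description("Client authentication failed"));

        return new Operation()
                .operationId("oauthToken")
                .summary("Obtain or refresh an access token")
                .addTagsItem("oauth")
                .requestBody(new RequestBody().required(true)
                        .content(new Content().addMediaType("application/x-www-form-urlencoded",
                                new MediaType().schema(form))))
                .responses(responses)
                .addSecurityItem(new SecurityRequirement().addList(CLIENT_AUTH_SCHEME));
    }
}
```

After adding this bean, /v3/api-docs contains a POST /oauth/token entry with the form body, the token response schema and the client_basic security requirement, so the type generator on the front end sees the same endpoint it used to get from springfox. The existing "security_auth" OAuth2 scheme from OpenApiConfig is left untouched; it describes how the other endpoints are protected, whereas client_basic describes how the token endpoint itself is called.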