spring - Spring OAuth @EnableResourceServer阻止来自OAuth服务器的登录页面

本地主机:9999/uaa/oauth/authorize的浏览器响应？response_type = code＆client_id = acme＆redirect_uri = http://example.com为302，但本地主机:9999/uaa/login的响应为401未经授权。

在添加@EnableResourceServer之前，我可以获取登录 token 。我正在使用Spring Boot并扩展WebSecurityConfigurerAdapter以将身份验证管理器与数据源一起使用。当我尝试添加ResourceServerConfigurerAdapter时，它将无法构建。允许登录页面的最简单方法是什么？

@SpringBootApplication
@RestController
@EnableResourceServer
public class OAuthSvcApplication extends WebMvcConfigurerAdapter {

private static final Logger log = LoggerFactory.getLogger(OAuthSvcApplication.class);

   @RequestMapping("/user")
   public Principal user(Principal user) {
    return user;
   }
   public static void main(String[] args) {
      SpringApplication.run(OAuthSvcApplication.class, args);
   }

}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {


@Autowired
public void configureAuth(AuthenticationManagerBuilder auth,DataSource dataSource, Environment env)
        throws Exception {

    auth.jdbcAuthentication().dataSource(dataSource);
}


@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;


    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }


    @Override
    public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
            security.checkTokenAccess("hasAuthority('USER')");
        }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .authorizedGrantTypes("authorization_code",
                        "refresh_token", "password").scopes("openid");
        }

    }
}

最佳答案

SpringSecurityFilterChain应该总是在其他过滤器之前订购。
如果要为所有或某些终结点添加自己的身份验证，最好的做法是添加自己的WebSecurityConfigurerAdapter，顺序较低。如下修改WebSecurityConfigurerAdapter子类，可以使ResourceServer与jdbc身份验证mgr一起使用:

@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private AuthenticationManager authenticationManager;


    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager).jdbcAuthentication().dataSource(dataSource);

    }

}