这是我的代码: SecurityConfiguration.java @Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Autowired private ClientDetailsService clientDetailsService; @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/resources/**"); } @Autowired public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource); } @Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/", "/patients").permitAll() .antMatchers("/oauth/token").permitAll() .anyRequest().authenticated() .and().httpBasic(); http.csrf().disable(); } @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .usersByUsernameQuery("select username, password, 1 as enabled from user where username=?") .authoritiesByUsernameQuery("select username, authority from authorities where username=?"); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public JdbcTokenStore tokenStore() { return new JdbcTokenStore(dataSource); } @Bean @Autowired public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) { TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler(); handler.setTokenStore(tokenStore); handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService)); handler.setClientDetailsService(clientDetailsService); return handler; } @Bean @Autowired public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception { TokenApprovalStore store = new TokenApprovalStore(); store.setTokenStore(tokenStore); return store; }} SecurityOAuth2Configuration.java @Configuration@EnableAuthorizationServer@EnableGlobalMethodSecurity(prePostEnabled = true)@Import(SecurityConfiguration.class)public class SecurityOAuth2Configuration extends AuthorizationServerConfigurerAdapter { private static String REALM = "CRM_REALM"; private static final int ONE_DAY = 60 * 60 * 24; private static final int THIRTY_DAYS = 60 * 60 * 24 * 30; @Autowired private TokenStore tokenStore; @Autowired private DataSource dataSource; @Autowired private UserApprovalHandler userApprovalHandler; @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.realm(REALM); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.jdbc(dataSource); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler) .authenticationManager(authenticationManager); }} ResourceServer.java @Configuration@EnableResourceServerpublic class ResourceServer extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.anonymous().disable() .requestMatchers().antMatchers("/patients/**").and().authorizeRequests() .antMatchers("/patient/**").access("hasRole('USER')") .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); }}我已使用此教程供参考.我能够使用基本身份验证凭据获取访问令牌. 但是当我使用相同的访问令牌获取资源时，它失败了. 我已经为oauth添加了所有必需的表.我有什么想念的吗? 更新:我删除了.and().httpBasic();并且在WebsecurityConfigurerAdapter中添加了@Order(3)并使用security.oauth2.resource.filter-order = 3 更新了属性文件现在出现错误{ "timestamp": 1543500350487, "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/patient/1/"} 更新2 这是我的用户和授权架构: 用户+----------+-----------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+-----------------+------+-----+---------+----------------+| id | int(6) unsigned | NO | PRI | NULL | auto_increment || username | varchar(50) | NO | UNI | NULL | || password | varchar(100) | NO | | NULL | |+----------+-----------------+------+-----+---------+----------------+ 当局+-----------+-----------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+-----------+-----------------+------+-----+---------+----------------+| id | int(6) unsigned | NO | PRI | NULL | auto_increment || username | varchar(50) | NO | MUL | NULL | || authority | varchar(50) | NO | | NULL | |+-----------+-----------------+------+-----+---------+----------------+ 解决方案您应该直接在antmatcher上使用hasRole而不是access()函数中的字符串.这样可以正确评估hasRole并正确确定用户有权访问所请求的资源.这将导致ResourceServer.java的以下代码:@Configuration@EnableResourceServerpublic class ResourceServer extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.anonymous().disable() .requestMatchers().antMatchers("/patients/**").and().authorizeRequests() .antMatchers("/patient/**").hasRole('USER') .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); }}I am trying to implement Oauth2 in my existing application.Initially I have added spring security and then tried to add oauth2, After adding configuration I am able to generate access_token but by using access_token i am not able to access resources.Here is my code:SecurityConfiguration.java @Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Autowired private ClientDetailsService clientDetailsService; @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/resources/**"); } @Autowired public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource); } @Override public void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/", "/patients").permitAll() .antMatchers("/oauth/token").permitAll() .anyRequest().authenticated() .and().httpBasic(); http.csrf().disable(); } @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .usersByUsernameQuery("select username, password, 1 as enabled from user where username=?") .authoritiesByUsernameQuery("select username, authority from authorities where username=?"); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public JdbcTokenStore tokenStore() { return new JdbcTokenStore(dataSource); } @Bean @Autowired public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) { TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler(); handler.setTokenStore(tokenStore); handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService)); handler.setClientDetailsService(clientDetailsService); return handler; } @Bean @Autowired public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception { TokenApprovalStore store = new TokenApprovalStore(); store.setTokenStore(tokenStore); return store; }}SecurityOAuth2Configuration.java@Configuration@EnableAuthorizationServer@EnableGlobalMethodSecurity(prePostEnabled = true)@Import(SecurityConfiguration.class)public class SecurityOAuth2Configuration extends AuthorizationServerConfigurerAdapter { private static String REALM = "CRM_REALM"; private static final int ONE_DAY = 60 * 60 * 24; private static final int THIRTY_DAYS = 60 * 60 * 24 * 30; @Autowired private TokenStore tokenStore; @Autowired private DataSource dataSource; @Autowired private UserApprovalHandler userApprovalHandler; @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.realm(REALM); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.jdbc(dataSource); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler) .authenticationManager(authenticationManager); }}ResourceServer.java@Configuration@EnableResourceServerpublic class ResourceServer extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.anonymous().disable() .requestMatchers().antMatchers("/patients/**").and().authorizeRequests() .antMatchers("/patient/**").access("hasRole('USER')") .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); }}I have used this tutorial for reference.I am able to get access token using basic auth credentials.But when i used the same access token to get resources, it is failing.I have added all required tables for oauth.Is there anything am i missing?Update:I removed .and().httpBasic(); andadded @Order(3) in WebsecurityConfigurerAdapter and updated properties file with security.oauth2.resource.filter-order = 3now getting error as{ "timestamp": 1543500350487, "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/patient/1/"}Update 2here is my user and authorities schema:user+----------+-----------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+-----------------+------+-----+---------+----------------+| id | int(6) unsigned | NO | PRI | NULL | auto_increment || username | varchar(50) | NO | UNI | NULL | || password | varchar(100) | NO | | NULL | |+----------+-----------------+------+-----+---------+----------------+authorities+-----------+-----------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+-----------+-----------------+------+-----+---------+----------------+| id | int(6) unsigned | NO | PRI | NULL | auto_increment || username | varchar(50) | NO | MUL | NULL | || authority | varchar(50) | NO | | NULL | |+-----------+-----------------+------+-----+---------+----------------+ 解决方案 You should use hasRole directly on your antmatcher instead of a string inside the access() function. This will evaluate the hasRole correctly and correctly determine that the user has access to the requested resource.This will result in the following code for ResourceServer.java:@Configuration@EnableResourceServerpublic class ResourceServer extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.anonymous().disable() .requestMatchers().antMatchers("/patients/**").and().authorizeRequests() .antMatchers("/patient/**").hasRole('USER') .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler()); }} 这篇关于无法使用access_token访问资源:spring boot Oauth2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！