根据文档上的说明,此处是赋予client的authorities,经过测试,重写了UserDetailsService之后,因为UserDetails中有getAuthorities方法可以返回数据库中定义好的role,以上的配置可以不要。
数据库中的role name为ROLE_ADMIN,但上面这里不能写成ROLE_ADMIN,否则会报下面的错,
java.lang.IllegalArgumentException: role should not start with 'ROLE_' since it is automatically inserted. Got 'ROLE_ADMIN'
http .authorizeRequests() // .antMatchers("/login.jsp").permitAll() .anyRequest().authenticated() .antMatchers("/admin/**").hasRole(SysConstants.RoleType.ADMIN.getCode());
注意这里的 anyRequest,antMatchers 是按顺序来的,如果按以上的写法,任何登陆用户都可以访问/admin/**,因为顺序在前。
A redirect_uri can only be used by implicit or authorization_code grant types.
Your ResourceServerTokenServices
is the other half of a contract with the Authorization Server. If the Resource Server and Authorization Server are in the same application and you use DefaultTokenServices
then you don't have to think too hard about this because it implements all the necessary interfaces so it is automatically consistent. If your Resource Server is a separate application then you have to make sure you match the capabilities of the Authorization Server and provide a ResourceServerTokenServices
that knows how to decode the tokens correctly. As with the Authorization Server, you can often use the DefaultTokenServices
and the choices are mostly expressed through the TokenStore
(backend storage or local encoding). An alternative is the RemoteTokenServices
which is a Spring OAuth features (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (/oauth/check_token
). RemoteTokenServices
are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the /oauth/check_token
endpoint you need to expose it by changing its access rule (default is "denyAll()") in the AuthorizationServerSecurityConfigurer
, e.g.
``` @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLETRUSTEDCLIENT')").checkTokenAccess( "hasAuthority('ROLETRUSTEDCLIENT')"); }
```
In this example we are configuring both the /oauth/check_token
endpoint and the /oauth/token_key
endpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials.
在Oauth2 SSO的例子中,由于是分布在两个不同的server,在Auth server端配置了一个/user接口,然后在UI端配置如下路由,resource server就知道怎么去从Auth server取得用户授权信息
Oauth SSO这个例子,和后面的用spring session配合redis的gateway的例子的不同在于,SSO的例子在UI端发送登陆请求到auth server,在auth server认证以后通过上面提到的配置resource server,ui就可以访问resource了,而gateway的例子虽然是共享session数据但是在其他的地方还是需要做认证,相当于每个地方都要配置数据库,然后会自动从session取到用户信息到数据库里面认证。
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于