Spring Security Resource Server 在添加自定义 SecurityFilterChain 时给出 401

问题描述 投票:0回答:1

我正在使用 Spring Boot 运行示例资源服务器,当我在不添加自定义 SecurityFilterChain bean 的情况下运行它时,一切正常。当我提供自定义 SecurityFilterChain 时,它给出 401,有时给出 403。

这是我的 Gradle 文件:

plugins {
    java
    id("org.springframework.boot") version "3.2.0"
    id("io.spring.dependency-management") version "1.1.4"
}

group = "com.resource.server"
version = "0.0.1-SNAPSHOT"

java {
    sourceCompatibility = JavaVersion.VERSION_17
}

repositories {
    mavenCentral()
}

dependencies {  
    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
    implementation("org.springframework.boot:spring-boot-starter-web")
    testImplementation("org.springframework.boot:spring-boot-starter-test")
}

tasks.withType<Test> {
    useJUnitPlatform()
}

这是我的 application.properties 中的内容:

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://mydomain.auth0.com/
spring.security.oauth2.resourceserver.jwt.issuer-audience=aud-name

这是我的 SecurityFilterChain 类

package com.resource.server.resourceserver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((authz) -> authz
                        .anyRequest().authenticated()
                )
                .httpBasic(withDefaults());
        return http.build();
    }

}

这是我用来测试应用程序的基本控制器:

package com.resource.server.resourceserver;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {
    @RequestMapping("/hello")
    public String sayHi(){
        return "Hi";
    }
}

这是我在日志中得到的内容:

2023-12-21T08:13:55.404+02:00  INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2023-12-21T08:13:55.405+02:00  INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
2023-12-21T08:13:55.408+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /
2023-12-21T08:13:55.409+02:00  WARN 181669 --- [nio-8082-exec-1] o.s.w.s.h.HandlerMappingIntrospector     : Cache miss for REQUEST dispatch to '/' (previous null). Performing CorsConfiguration lookup. This is logged once only at WARN level, and every time at TRACE.
2023-12-21T08:13:55.414+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8082/?continue to session
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8082/error?continue to session
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.423+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239

我尝试了一些教程并尝试从头开始。我也尝试过谷歌搜索日志错误消息,但我没有找到任何真正有意义的东西。

我进行了此更新,它帮助修复了它 - 代码来自此处:https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html。 我不太明白初始版本的问题是什么。如果有人能帮助我理解,那就太好了

@Configuration
@EnableWebSecurity
public class DirectlyConfiguredJwkSetUri {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )
            );
        return http.build();
    }
}```
spring-security spring-security-oauth2
1个回答
0
投票

第一种方式和第二种配置的主要区别在于

.httpBasic(withDefaults());
这意味着您为应用程序启用了 HTTP 
Basic
身份验证,这在您的情况下是错误的,因为您必须根据 gradle 依赖项导入配置 
资源服务器

implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")

第二个配置修复了它,因为你声明了如何威胁它。

oauth2ResourceServer()

还有你如何指出你有一个 

JWT
令牌,它是这种配置中的默认令牌。有关它的更多详细信息资源服务器 JWT

还有

.jwt(jwt -> jwt
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )

如果授权服务器不支持任何配置 端点,或者资源服务器是否必须能够启动 独立于授权服务器

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.