
Spring Security and OAuth2 resource control override each other and cannot take effect at the same time


慕侠2389804 2019-01-19 21:03:46
On top of the existing Spring Security setup I added Spring Security OAuth2 to control requests under /api. I went through many configurations online, but in testing I found that the Spring Security resource control and the Spring Security OAuth2 resource control override each other, so the two cannot be controlled separately. If the configuration adds security.oauth2.resource.filter-order=3, Spring Security's control takes effect; otherwise OAuth2's control does. My configuration in code is as follows:

Spring Security configuration:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserManagerService userManagerService;

        @Override
        @Bean // shared with OAuth2
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /**
         * Password hashing
         */
        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // disable CSRF protection (cross-origin access)
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/oauth/**").permitAll()
                    .antMatchers("/**/*.js", "/**/*.css", "/**/*.png", "/**/*.gif", "/**/*.jpg",
                                 "/**/*.jpeg", "/**/*.map", "/**/*.ico").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/user/login_page")
                    .loginProcessingUrl("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .successHandler(new CustomSimpleUrlAuthenticationSuccessHandler())
                    .failureHandler(new CustomSimpleUrlAuthenticationFailureHandler())
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/user/login_page")
                    .permitAll();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userManagerService)
                .passwordEncoder(passwordEncoder());
        }
    }

Spring Security OAuth2 configuration:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        AuthenticationManager authenticationManager;

        @Autowired
        private UserManagerService userManagerService;

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore())
                     .userDetailsService(userManagerService)
                     .authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            // allow form authentication for clients
            security.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                   .withClient("cmdb")
                   .authorizedGrantTypes("password", "refresh_token")
                   .secret("api")
                   .scopes("xxx");
        }
    }

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated();
        }
    }

I had already read many blogs and looked up the authorization flows of the several Spring OAuth2 modes, but I have not found the cause.
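An added example (not the poster's code and not an answer from this thread): a resource-server configuration that scopes its own filter chain to /api/** with requestMatchers(), so that, together with the security.oauth2.resource.filter-order=3 setting mentioned in the question (Spring Boot 1.5.x with spring-security-oauth2 assumed), bearer-token checks apply only to /api/** and every other path falls through to the form-login chain in WebSecurityConfig instead of one chain swallowing all requests.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict THIS filter chain to /api/**. Without requestMatchers() the
            // resource-server chain matches every request (the implicit anyRequest),
            // so whichever chain is ordered first takes all traffic and the other
            // never runs. With filter-order=3 this chain is consulted before the
            // WebSecurityConfigurerAdapter chain (order 100); only /api/** stays here,
            // everything else is passed on to the form-login chain.
            .requestMatchers()
                .antMatchers("/api/**")
                .and()
            // Stateless API: no session, every request must carry a valid bearer token.
            .sessionManagement()
                .sessionCreationPolicy(org.springframework.security.config.http.SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}
```

Requests to /api/** without a valid bearer token are now rejected by the resource-server chain with 401, while /user/login_page, /oauth/** and static assets are still handled by the rules in WebSecurityConfig.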

1 answer

  • 0 following
  • 2185 views
