我创建了一个 Spring Boot 2 应用程序,将 SpringFox Swagger 2.8.0 与隐式 Oauth2 授权集成到身份验证和授权中。代码工作正常,但是当我单击授权按钮时,它重定向到http://localhost:8080/oauth/authorize?response_type=token&client_id=test-app-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fwebjars%2Fspringfox-swagger-ui%2Foauth2-redirect.html&scope=read&state= U3VuIE9jdCAxNCAyMDE4IDIwOjQyOjUwIEdNVCswNTMwIChJbmRpYSBTdGFuZGFyZCBUaW1lKQ%3D%3D但显示拒绝访问,如下所示。我的完整项目在GitHub 上可用主应用程序@EnableSwagger2@SpringBootApplication@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)@RestControllerpublic class MainApplication /*extends WebMvcConfigurerAdapter*/{ public static void main(String[] args) { SpringApplication.run(MainApplication.class, args); } @RequestMapping("/user") public Principal user(Principal user) { return user; } @Bean SecurityConfiguration security() { return SecurityConfigurationBuilder.builder()//<19> .clientId("test-app-client-id") .build(); } @Bean SecurityScheme oauth() { List<GrantType> grantTypes = new ArrayList<>(); ImplicitGrant implicitGrant = new ImplicitGrant(new LoginEndpoint("http://localhost:8080/oauth/authorize"),"access_code"); grantTypes.add(implicitGrant); List<AuthorizationScope> scopes = new ArrayList<>(); scopes.add(new AuthorizationScope("read","Read access on the API")); return new OAuthBuilder() .name("SECURITY_SCHEME_OAUTH2") .grantTypes(grantTypes) .scopes(scopes) .build(); } @Bean public Docket docket() { return new Docket(DocumentationType.SWAGGER_2) .select() .apis(RequestHandlerSelectors.basePackage(getClass().getPackage().getName())) .paths(PathSelectors.any()) .build() .securitySchemes(Collections.singletonList(oauth())) .apiInfo(generateApiInfo()); }
2 回答
慕无忌1623718
TA贡献1744条经验 获得超4个赞
当您启用资源服务器时,您需要配置 check_token URL,以便它可以访问 OAuth2 授权服务器并验证给定的 access_token。
你可以这样做:
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OAuth2ResourceServerConfig extends GlobalMethodSecurityConfiguration {
@Value("${oauth.url.internal}") // e.g. http://localhost:8082/oauth
private String oauthUrl;
@Value("${oauth.client}")
private String oauthClient;
@Value("${oauth.secret}")
private String oauthSecret;
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
@Primary
@Bean
public RemoteTokenServices tokenService() {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl(oauthUrl + "/check_token");
tokenService.setClientId(oauthClient);
tokenService.setClientSecret(oauthSecret);
return tokenService;
}
}
除此之外,您可能想忽略 Swagger 特定的端点:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html", "/webjars/**");
}
}
以防万一,这是我为具有 OAuth2 授权的 Swagger 实现的类:
@EnableSwagger2
@Configuration
public class SwaggerConfig implements WebMvcConfigurer {
private static final String BASE_PACKAGE = "com.somepackage.api";
@Value("${oauth.url}") // Make sure this is an external URL, i.e. accessible from Swagger UI
private String oauthUrl;
@Value("${swagger.scopes}")
private String swaggerScopes;
@Value("${swagger.urls}")
private String swaggerUrls; // Your v2/api-docs URL accessible from the UI
@Bean
public Docket api(){
return new Docket(DocumentationType.SWAGGER_2)
.select()
.apis(RequestHandlerSelectors.basePackage(BASE_PACKAGE))
.apis(RequestHandlerSelectors.any())
.paths(PathSelectors.any())
.build()
.securitySchemes(Collections.singletonList(securitySchema()))
.securityContexts(Collections.singletonList(securityContext()));
}
private OAuth securitySchema() {
List<AuthorizationScope> authorizationScopeList = new ArrayList<>();
authorizationScopeList.add(new AuthorizationScope(swaggerScopes, ""));
List<GrantType> grantTypes = new ArrayList<>();
GrantType creGrant = new ResourceOwnerPasswordCredentialsGrant(oauthUrl + "/token");
grantTypes.add(creGrant);
return new OAuth("oauth2schema", authorizationScopeList, grantTypes);
}
private SecurityContext securityContext() {
return SecurityContext.builder().securityReferences(defaultAuth()).forPaths(PathSelectors.ant(swaggerUrls)).build();
}
private List<SecurityReference> defaultAuth() {
final AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
authorizationScopes[0] = new AuthorizationScope(swaggerScopes, "");
return Collections.singletonList(new SecurityReference("oauth2schema", authorizationScopes));
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui.html")
.addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
}
版本:
springSecurityVersion = '2.0.5.RELEASE'
swaggerVersion = '2.8.0'
springBootVersion = '2.0.5.RELEASE'
茅侃侃
TA贡献1842条经验 获得超21个赞
您需要在代码中进行以下更改
隐式流需要表单登录配置。
此外,如果我们使用隐式流令牌将通过授权 url 而不是令牌 url 生成。所以你需要把“/oauth/token”改成“oauth/authorize”。下面配置方法
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/oauth/authorize").authenticated()
.and()
.authorizeRequests().anyRequest().permitAll()
.and()
.formLogin().permitAll()
.and()
.csrf().disable();
}
在SecurityConfig类中添加密码编码器,并在globalUserDetails方法中调用它对用户密码进行编码。编码器是必需的,因为您在内存中使用密码。所以没有密码编码器应用程序失败并出现错误:
Encoded password does not look like BCrypt
下面的代码片段
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder passwordEncoder = passwordEncoder();
auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).
withUser("bill").password(passwordEncoder.encode("abc123")).roles("ADMIN").and()
.withUser("$2a$10$TT7USzDvMxMZvf0HUVh9p.er1GGnjNQzlcGivj8CivnaZf9edaz6C")
.password("$2a$10$TT7USzDvMxMZvf0HUVh9p.er1GGnjNQzlcGivj8CivnaZf9edaz6C").roles("USER");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
希望能帮助到你。我已经为您的项目创建了分支,但由于 403 无法推送它。所以所有必要的代码都在我的答案中。
添加回答
举报
0/150
提交
取消