Spring Oauth2 +用户注册

Question

我又遇到了Spring Oauth2的问题。我知道这个主题不容易提出建议或检查代码，因为我们有太多的配置。我的项目有3个不同的服务器，认证服务器，资源服务器和前端服务器。我想把register.html到用户在前端项目中的注册(在Angularjs文件下)，但当我请求相关的url (http://localhost:7080/app/#register)时，它只重定向到登录页面(http://localhost:9080/auth-service/login)一秒钟，我可以看到我的register.html内容，但之后它将进入登录页面。问题是，我应该把这个register.html放在哪里，它应该放在前端项目还是身份验证服务器下？

我的认证服务器和前端服务器代码是；

    @Configuration
    public class AuthServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private AuthenticationManager authenticationManager;


@Override
protected void configure(AuthenticationManagerBuilder auth)
        throws Exception {
    auth.parentAuthenticationManager(authenticationManager);
    auth.authenticationProvider(userAuthProviderService());
}
private CsrfMatcher csrfRequestMatcher = new CsrfMatcher();
@Override
protected void configure(final HttpSecurity http) throws Exception {
    /*http.csrf().disable();*/
    http.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);
    http
            .formLogin().loginPage("/login").defaultSuccessUrl("/")
            /*.failureUrl("")*/.successHandler(new AuthSuccessHandler()).permitAll()
            .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access","/register")
            .and()
            .authorizeRequests().anyRequest().authenticated();

}

@Bean
public UserAuthProviderService userAuthProviderService(){
    return new UserAuthProviderService();
}

private class CsrfMatcher  implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        return false;
    }
}

}

@Configuration
@EnableAutoConfiguration
@RestController
@EnableZuulProxy
@EnableOAuth2Sso
@EnableOAuth2Client
public class UIServiceMain {

public static void main(String[] args) {
    SpringApplication.run(UIServiceMain.class, args);
}

@Configuration
protected static class SecurityConfiguration  extends OAuth2SsoConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.logout().and()
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/", "/login","/register.html").permitAll().anyRequest()
                .authenticated().and().csrf().disable();
        http.headers().frameOptions().disable(); //FOR EMBED MAP
    }

    //unused
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                        .getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                            && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    //unused
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}

}

Answer 1

在您的UI服务器中，尝试创建启用了/register.hml的websecurity，如下所示

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter{

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/register.html")
                    .and()
                    .authorizeRequests()
                    .anyRequest().authenticated();
        }
}

编辑:或者在您当前的配置中删除.antMatcher("/**").authorizeRequests()并添加and() .authorizeRequests().anyRequest().authenticated()

所以最后它可能是这样的：

@Override
public void configure(HttpSecurity http) throws Exception {
        http.logout().and()
                .antMatchers("/index.html", "/home.html", "/", "/login","/register.html").permitAll().anyRequest()
                .authenticated()
                .and().csrf().disable();
        http.headers().frameOptions().disable() //FOR EMBED MAP
                .and()
                .authorizeRequests()
                .anyRequest().authenticated();

    }

Answer 2

有几件事：

• 我想不出一个好的理由不把你的*.html放在前端服务器以外的任何地方。
• 另外，一般来说，你应该允许公开访问你的静态UI组件，就像@bilak提到的：

.antMatchers("/index.html", "/home.html", "/", "/login","/register.html").permitAll()

• 如果您能够看到register.html页面(假设用户未经过身份验证)，则它是公共的，在register.html的load事件上有一个see服务调用，该事件位于触发身份验证流的Spring security后面。