
Authorization code grant

Stack Overflow user
Asked on 2017-08-04 22:27:45
Answers: 1  Views: 613  Followers: 0  Votes: 1

I am developing a REST API that listens on localhost, and I want to include Spring Security. The password grant and the client credentials grant work fine, and I can check the secured data from /smarthouse and /smarthouse2.

However, when I try to use the authorization code grant through Postman, it gives the same error, and I have checked everywhere. My project is here: https://github.com/sharjak/Smarthouse. Everything happens in the demoapplication folder.

[Image: Authorization code in Postman]

My authorization and resource server code:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class OAuth2ServerConfig {

    // Resource server filter chain: every request it handles must be authenticated.
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .anonymous().disable()
                    .csrf().disable()
                    .authorizeRequests()
                    .anyRequest()
                    .authenticated().and()
                    .formLogin();
        }
    }

    // Authorization server: three in-memory clients sharing one in-memory token store.
    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

            clients.inMemory().withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT", "ROLE_USER")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("secret")
                    .accessTokenValiditySeconds(6000)
                    .and()

                    // public client (no secret) used for the authorization code grant
                    .withClient("my-client")
                    .authorizedGrantTypes("authorization_code", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_USER")
                    .scopes("read", "trust", "write")
                    .resourceIds("oauth2-resource")
                    .accessTokenValiditySeconds(6000)
                    .and()

                    .withClient("my-client-with-secret")
                    .authorizedGrantTypes("client_credentials", "password")
                    .authorities("ROLE_CLIENT", "ROLE_USER")
                    .scopes("read", "trust", "write")
                    .resourceIds("oauth2-resource")
                    .secret("secret")
                    .accessTokenValiditySeconds(6000);
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                    .authenticationManager(authenticationManager)
                    .tokenStore(tokenStore);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("permitAll()");
        }
    }
}
```

Code for the WebSecurity configuration:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Note: "smarthouse2" has no leading slash, so this matcher never matches /smarthouse2.
        http
                .anonymous().disable()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/smarthouse", "smarthouse2", "/user").permitAll()
                .and()
                .formLogin();
    }

    // In-memory users that log in through the form and approve the authorization code grant.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("password").roles("ADMIN")
                .and()
                .withUser("sander").password("Sander123").roles("USER");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }
}
```

Stack trace when I try to log in as a user:

```text
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
    at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)
```

I am a beginner, but this seems like a small problem to solve. Can anyone help me?


1 Answer

Stack Overflow user

Posted on 2017-08-05 07:48:16

You just need to change your configure method in WebSecurityConfig to the following:

```java
http
    .authorizeRequests()
        .antMatchers("/login", "/favicon.ico",
            "/oauth/confirm_access", "/oauth/token", "/smarthouse",
            "smarthouse2", "/user").permitAll()
        .anyRequest().authenticated().and()
    .csrf().disable();
```

Why do you disable anonymous access? Another point is that the order in which the matchers are declared matters.

I cloned your repo, and doing this works for me.

Votes: 0
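As an added check of the fix in the answer above (this test is not part of the question, the answer or the Smarthouse project), a MockMvc regression test for the project's own Java code base: it assumes the corrected WebSecurityConfig is in place, the question's in-memory client my-client and user sander, Spring Boot 1.5-era test support (spring-boot-starter-test and spring-security-test on the test classpath), and a placeholder redirect_uri.

```java
// Added regression test, not from the original question or answer. Assumes the
// answer's WebSecurityConfig fix, Spring Boot 1.5-era test support and the
// question's in-memory client "my-client" and user "sander".
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class AuthorizationCodeGrantTest {
    @Autowired
    private MockMvc mvc;

    // The same /oauth/authorize request Postman sends at the start of the
    // authorization code grant; the redirect_uri is a placeholder value.
    private MockHttpServletRequestBuilder authorizeRequest() {
        return get("/oauth/authorize")
                .param("response_type", "code")
                .param("client_id", "my-client")
                .param("redirect_uri", "http://localhost/callback");
    }

    // Without a logged-in user the request must be sent to the login form and
    // never reach AuthorizationEndpoint, which would otherwise throw the
    // InsufficientAuthenticationException from the question's stack trace.
    @Test
    public void anonymousAuthorizeRequestIsSentToLogin() throws Exception {
        mvc.perform(authorizeRequest())
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }

    // With a logged-in user the endpoint forwards to the consent page, which is
    // why /oauth/confirm_access has to be reachable in the answer's matcher list.
    @Test
    public void authenticatedUserReachesConsentPage() throws Exception {
        mvc.perform(authorizeRequest().with(user("sander").roles("USER")))
                .andExpect(status().isOk())
                .andExpect(forwardedUrl("/oauth/confirm_access"));
    }
}
```

Run it with the question's original configure method in place and the first test fails, because the unauthenticated request is let through to the endpoint instead of being redirected to the login form.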
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://stackoverflow.com/questions/45509365
