How to configure a resource id in the resource server with OAuth2 security

2024-01-14

I am trying to create an authorization server and a resource server. When I request an access token from the authorization server, it works and I get an access token with the following details.

{
    "access_token": "5ffbc2d7-2a27-4f08-921f-f7de2410b5f5",
    "token_type": "bearer",
    "refresh_token": "d0fb85b3-52e0-45e0-84dc-ed38d55176a6",
    "expires_in": 599,
    "scope": "READ",
    "authorities": [
        {
            "authority": "delete_profile"
        },
        {
            "authority": "update_profile"
        },
        {
            "authority": "read_profile"
        },
        {
            "authority": "create_profile"
        },
        {
            "authority": "ROLE_admin"
        }
    ],
    "resource_ids": [
        "RESOURCE_ID1"
    ]
}

When I use the access_token to call a service (with the resource server configured), I get a response. But in the DB, the resource_ids column of the oauth_client_details table holds resource id = RESOURCE_ID1, while in the resource server I deliberately set resource id = RESOURCE_ID11 to verify the check. It still returns the data, but it should raise an access denied exception.

My sample code snippets are as follows:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private DataSource dataSource;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;


    @Bean
    TokenStore jdbcTokenStore() {
        return new JdbcTokenStore(dataSource);
    }
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource).passwordEncoder(passwordEncoder);

    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");

    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(jdbcTokenStore())
        .tokenEnhancer(tokenEnhancer())
        .authenticationManager(authenticationManager)
        .userDetailsService(userDetailsService)
        ;
    }

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

}

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "RESOURCE_ID11"; // resource id is different from the DB oauth_client_details resource id

    @Autowired
    private DataSource dataSource;

    @Bean
    public JdbcTokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/api/**").authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID).tokenStore(tokenStore());
    }

}

The DB data, for reference:

INSERT INTO `OAuthTest`.`oauth_client_details` (`client_id`, `client_secret`, `scope`, `access_token_validity`, `refresh_token_validity`, `resource_ids`, `authorized_grant_types`, `additional_information`) VALUES ('APP1', 'password', 'READ', '600', '10000', 'RESOURCE_ID1', 'authorization_code,password,refresh_token,implicit', '{}');


INSERT INTO `OAuthTest`.`user` (`id`, `username`, `password`, `email`, `enabled`, `accountNonExpired`, `credentialsNonExpired`, `accountNonLocked`, `account_non_expired`, `account_non_locked`, `credentials_non_expired`, `account_expired`, `account_locked`, `credentials_expired`) VALUES ('1', 'admin', 'password', '[email protected]', '1', '1', '1', '1', 0, 0, 0, 0, 0, 0);
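In Spring Security OAuth2 the resource id comparison is not done by the HttpSecurity rules but by OAuth2AuthenticationManager, which the resource server filter chain uses to authenticate bearer tokens: when the token's OAuth2Request carries a non-empty resourceIds set and the configured resource id is not in it, the manager throws OAuth2AccessDeniedException. The following added example (not code from the question; it assumes the spring-security-oauth2 2.x classes and constructs an in-memory token with the same client id, scope and resource_ids as the token shown above) exercises that check in isolation, so a practitioner can confirm whether the check itself denies RESOURCE_ID11 before looking at why a request to the application was still served:

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class ResourceIdCheckDemo {

    // Constructed sample token value, mirroring the shape of the token in the question.
    private static final String TOKEN_VALUE = "5ffbc2d7-2a27-4f08-921f-f7de2410b5f5";

    // Builds token services backed by an in-memory store holding one token for
    // client APP1 whose client details list RESOURCE_ID1 (assumed values, taken
    // from the oauth_client_details row above).
    static DefaultTokenServices tokenServicesWithOneToken() {
        InMemoryTokenStore store = new InMemoryTokenStore();
        Set<String> resourceIds = new HashSet<>(Collections.singleton("RESOURCE_ID1"));
        OAuth2Request request = new OAuth2Request(
                Collections.<String, String>emptyMap(), "APP1",
                AuthorityUtils.createAuthorityList("ROLE_admin"), true,
                Collections.singleton("READ"), resourceIds, null, null, null);
        OAuth2Authentication auth = new OAuth2Authentication(request,
                new TestingAuthenticationToken("admin", "n/a", "ROLE_admin"));
        store.storeAccessToken(new DefaultOAuth2AccessToken(TOKEN_VALUE), auth);

        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(store);
        return services;
    }

    // Runs the same authentication step the resource server filter performs,
    // with the resource id that resources.resourceId(...) would configure.
    // Returns true when the token is accepted, false when it is denied.
    static boolean accepts(String configuredResourceId) {
        OAuth2AuthenticationManager manager = new OAuth2AuthenticationManager();
        manager.setTokenServices(tokenServicesWithOneToken());
        manager.setResourceId(configuredResourceId);
        try {
            manager.authenticate(new PreAuthenticatedAuthenticationToken(TOKEN_VALUE, ""));
            return true;
        } catch (OAuth2AccessDeniedException denied) {
            // Message reads "Invalid token does not contain resource id (...)"
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("RESOURCE_ID1 accepted:  " + accepts("RESOURCE_ID1"));
        System.out.println("RESOURCE_ID11 accepted: " + accepts("RESOURCE_ID11"));
    }
}
```

If this denies RESOURCE_ID11 while the running application still serves the request, the request is not reaching the resource server's OAuth2 authentication at all: typical causes worth checking are a path that matches a permitAll rule, or another filter chain (for example a WebSecurityConfigurerAdapter) handling the URL before the @EnableResourceServer chain. Note also that the check is skipped when a token's resource_ids set is empty, so a client row with a blank resource_ids column is accepted by every resource server.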

