本文旨在解决 Spring Boot Web 应用中同时集成 OAuth2 资源服务器和 Basic 认证的问题。通过配置多个 `WebSecurityConfigurerAdapter` 实例,并自定义 `UserDetailsService`,可以实现对不同端点采用不同的认证方式,确保 `/resource` 端点受 OAuth2 保护,而 `/helloworld` 端点受 Basic 认证保护。本文将提供详细的配置示例和注意事项,帮助开发者顺利实现混合认证方案。
在 Spring Boot 应用中,同时使用 OAuth2 和 Basic 认证可能会遇到一些配置问题。默认情况下,Spring Boot 会自动配置 UserDetailsService,但当存在 OAuth2 相关配置时,自动配置可能会失效,导致 Basic 认证无法正常工作。本教程将详细介绍如何在 Spring Boot 应用中配置多个 WebSecurityConfigurerAdapter 实例,并自定义 UserDetailsService,以实现对不同端点采用不同的认证方式。
为了实现不同端点使用不同的认证方式,我们需要创建多个 WebSecurityConfigurerAdapter 实例,并使用 @Order 注解指定它们的优先级。优先级高的配置会先执行。
@Configuration
@Order(10)
@EnableWebSecurity
public static class HelloWorldBasicSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/helloworld")
.httpBasic()
.and()
.authorizeRequests().antMatchers("/helloworld").authenticated();
}
}
@Configuration
@Order(0)
@EnableWebSecurity
public static class ResourceSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private Environment environment;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/resource")
.oauth2ResourceServer(oauth2 -> oauth2.opaqueToken(
opaqueToken -> opaqueToken.introspector(new DemoAuthoritiesOpaqueTokenIntrospector())))
.authorizeRequests().antMatchers("/resource").authenticated();
}
private class DemoAuthoritiesOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate;
private final String demoClientId;
public DemoAuthoritiesOpaqueTokenIntrospector() {
String introSpectionUri = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.introspection-uri");
String clientId = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-id");
String clientSecret = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-secret");
demoClientId = environment.getProperty("demo.security.oauth2.credentials-grant.client-id");
delegate = new NimbusOpaqueTokenIntrospector(introSpectionUri, clientId, clientSecret);
}
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
extractAuthorities(principal));
}
private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
String userId = principal.getAttribute("client_id");
if (demoClientId.equals(userId)) {
return Collections.singleton(new SimpleGrantedAuthority("ROLE_oauth2"));
}
return Collections.emptySet();
}
}
}在上面的代码中,HelloWorldBasicSecurityConfigurerAdapter 配置了 /helloworld 端点的 Basic 认证,而 ResourceSecurityConfigurerAdapter 配置了 /resource 端点的 OAuth2 资源服务器。
由于 Spring Boot 在存在 OAuth2 配置时可能会回退 UserDetailsService 的自动配置,我们需要手动定义 UserDetailsService bean。
@Bean
public UserDetailsService inMemoryUserDetailsService() {
UserDetails demo = User.withUsername("demo").password("{noop}demo").roles("demo").build();
return new InMemoryUserDetailsManager(demo);
}这段代码创建了一个 InMemoryUserDetailsManager,并添加了一个用户名为 "demo",密码为 "demo",角色为 "demo" 的用户。 {noop} 前缀表示密码未加密,仅用于演示目的。在生产环境中,应该使用更安全的密码编码方式。
下面是完整的配置示例,包括 DemoApplication.java、DemoSecurityConfiguration.java 和 application.yaml。
DemoApplication.java
@SpringBootApplication
@RestController
public class DemoApplication {
@PreAuthorize("hasRole('demo')")
@GetMapping("/helloworld")
public String hello() {
return "Hello World!";
}
@PreAuthorize("hasRole('oauth2')")
@GetMapping("/resource")
public String resource() {
return "Protected resource";
}
public static void main(String... args) {
SpringApplication.run(DemoApplication.class, args);
}
}DemoSecurityConfiguration.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import java.util.Collection;
import java.util.Collections;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class DemoSecurityConfiguration {
@Bean
public UserDetailsService inMemoryUserDetailsService() {
UserDetails demo = User.withUsername("demo").password("{noop}demo").roles("demo").build();
return new InMemoryUserDetailsManager(demo);
}
@Configuration
@Order(10)
public static class HelloWorldBasicSecurityConfigurerAdapter {
@Bean
public SecurityFilterChain filterChainHelloWorld(HttpSecurity http) throws Exception {
http
.securityMatcher("/helloworld")
.authorizeHttpRequests(authz -> authz
.anyRequest().authenticated()
)
.httpBasic();
return http.build();
}
}
@Configuration
@Order(0)
public static class ResourceSecurityConfigurerAdapter {
@Autowired
private Environment environment;
@Bean
public SecurityFilterChain filterChainResource(HttpSecurity http) throws Exception {
http
.securityMatcher("/resource")
.authorizeHttpRequests(authz -> authz
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
return http.build();
}
@Bean
public OpaqueTokenIntrospector introspector() {
return new DemoAuthoritiesOpaqueTokenIntrospector(environment);
}
private static class DemoAuthoritiesOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate;
private final String demoClientId;
public DemoAuthoritiesOpaqueTokenIntrospector(Environment environment) {
String introSpectionUri = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.introspection-uri");
String clientId = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-id");
String clientSecret = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-secret");
demoClientId = environment.getProperty("demo.security.oauth2.credentials-grant.client-id");
delegate = new NimbusOpaqueTokenIntrospector(introSpectionUri, clientId, clientSecret);
}
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
extractAuthorities(principal));
}
private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
String userId = principal.getAttribute("client_id");
if (demoClientId.equals(userId)) {
return Collections.singleton(new SimpleGrantedAuthority("ROLE_oauth2"));
}
return Collections.emptySet();
}
}
}
}application.yaml
spring:
security:
basic:
enabled: true
user:
name: demo
password: demo
roles: demo
oauth2:
resourceserver:
opaque-token:
introspection-uri: "https://...oauth2"
client-id: "abba"
client-secret: "secret"
demo:
security:
oauth2:
credentials-grant:
client-id: "rundmc"通过配置多个 WebSecurityConfigurerAdapter 实例,并自定义 UserDetailsService,可以在 Spring Boot 应用中同时使用 OAuth2 和 Basic 认证,实现对不同端点采用不同的认证方式。 确保 /resource 端点受 OAuth2 保护,而 /helloworld 端点受 Basic 认证保护。本教程提供了一个完整的配置示例,并列出了注意事项,希望能帮助开发者顺利实现混合认证方案。
以上就是Spring Boot 中同时使用 OAuth2 和 Basic 认证的详细内容,更多请关注php中文网其它相关文章!
每个人都需要一台速度更快、更稳定的 PC。随着时间的推移,垃圾文件、旧注册表数据和不必要的后台进程会占用资源并降低性能。幸运的是,许多工具可以让 Windows 保持平稳运行。
广告Copyright 2014-2025 https://www.php.cn/ All Rights Reserved | php.cn | 湘ICP备2023035733号
183
收藏
