Spring Security Resource Server在添加自定义SecurityFilterChain时给出401

i2byvkas  于 12个月前  发布在  Spring
关注(0)|答案(1)|浏览(189)

我正在使用Sping Boot 运行一个示例资源服务器,当我在不添加自定义SecurityFilterChain bean的情况下运行它时,一切都很好。当我提供自定义SecurityFilterChain时,它会显示401,有时会显示403。
以下是我的Gradle文件:

plugins {
    java
    id("org.springframework.boot") version "3.2.0"
    id("io.spring.dependency-management") version "1.1.4"
}

group = "com.resource.server"
version = "0.0.1-SNAPSHOT"

java {
    sourceCompatibility = JavaVersion.VERSION_17
}

repositories {
    mavenCentral()
}

dependencies {  
    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
    implementation("org.springframework.boot:spring-boot-starter-web")
    testImplementation("org.springframework.boot:spring-boot-starter-test")
}

tasks.withType<Test> {
    useJUnitPlatform()
}

字符串
以下是我在application.properties上的内容:

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://mydomain.auth0.com/
spring.security.oauth2.resourceserver.jwt.issuer-audience=aud-name


下面是我的SecurityFilterChain类

package com.resource.server.resourceserver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((authz) -> authz
                        .anyRequest().authenticated()
                )
                .httpBasic(withDefaults());
        return http.build();
    }

}


下面是我用来测试应用程序的基本控制器:

package com.resource.server.resourceserver;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {
    @RequestMapping("/hello")
    public String sayHi(){
        return "Hi";
    }
}


以下是我在日志中得到的:

2023-12-21T08:13:55.404+02:00  INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2023-12-21T08:13:55.405+02:00  INFO 181669 --- [nio-8082-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
2023-12-21T08:13:55.408+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /
2023-12-21T08:13:55.409+02:00  WARN 181669 --- [nio-8082-exec-1] o.s.w.s.h.HandlerMappingIntrospector     : Cache miss for REQUEST dispatch to '/' (previous null). Performing CorsConfiguration lookup. This is logged once only at WARN level, and every time at TRACE.
2023-12-21T08:13:55.414+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8082/?continue to session
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.420+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8082/error?continue to session
2023-12-21T08:13:55.422+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2023-12-21T08:13:55.423+02:00 DEBUG 181669 --- [nio-8082-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@6dd20239


我尝试了一些教程,并尝试从头开始。我也尝试谷歌日志错误消息,但我没有找到任何真正有意义的。
我做了这个更新,它帮助修复了它-代码从这里:https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html。我不太明白什么是与初始版本的问题,虽然。如果有人能帮助我理解,这将是伟大的

@Configuration
@EnableWebSecurity
public class DirectlyConfiguredJwkSetUri {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )
            );
        return http.build();
    }
}```

zyfwsgd6

zyfwsgd61#

第一种方法和第二种配置的主要区别在于
.httpBasic(withDefaults());意味着您为应用程序启用了HTTP Basic身份验证,这在您的情况下是错误的,因为您必须基于gradle依赖项导入配置Resource Server

implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")

字符串
第二个配置修复了它,因为你声明了如何威胁它。

oauth2ResourceServer()


还有你指出的,你有一个JWT令牌,这是这种配置中的默认令牌。关于它的更多详细信息Resource Server JWT

.jwt(jwt -> jwt
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )


如果授权服务器不支持任何配置终结点,或者资源服务器必须能够独立于授权服务器启动,

相关问题