Question about permission control in a Spring Cloud OAuth2 resource server
Hi everyone,
In a Spring Cloud project I built an authorization server that uses the authorization_code grant.
Then I successfully obtained a token, shown below.
```json
{
  "access_token": "1ab75e3e-c638-4d67-9701-bf69bbf012bc",
  "token_type": "bearer",
  "refresh_token": "675e4bff-7ce9-44cf-9ef3-f3c721adb728",
  "expires_in": 5273,
  "scope": "all"
}
```

```json
{
  "aud": [
    "res1"
  ],
  "user_name": "pakhm",
  "scope": [
    "all"
  ],
  "active": true,
  "exp": 1578366705,
  "authorities": [
    "p1"
  ],
  "client_id": "c1"
}
```
Then I created the resource server. It consists of one configuration class, one controller, one entry-point class and an application.yml configuration file.

Configuration class

```java
package com.provider.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "res1";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId(RESOURCE_ID)
            // service that validates the token
            .tokenServices(tokenServices())
            .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasAuthority("p2")
                .antMatchers("/**").access("#oauth2.hasScope('all')")
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    // token resolution service of the resource server
    @Bean
    public ResourceServerTokenServices tokenServices() {
        // Ask the authorization server remotely to validate the token; the
        // check_token URL, client_id and client secret must be specified.
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://localhost:9988/oauth/check_token");
        services.setClientId("c1");
        services.setClientSecret("secret");
        return services;
    }
}
```
Controller

```java
package com.provider.controller;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloProvider {

    @Value("${server.port}")
    private String port;

    @GetMapping("/HelloProvider")
    // @PreAuthorize("hasAnyAuthority('p1')")
    public String helloProvider() {
        return "HelloProvider:" + port;
    }
}
```
Entry-point class

```java
package com.provider;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class ProviderApplication {
    public static void main(String[] args) {
        SpringApplication.run(ProviderApplication.class, args);
    }
}
```
application.yml

```yaml
server:
  port: 8010
spring:
  application:
    name: provider
eureka:
  client:
    service-url:
      defaultZone: http://localhost:8761/eureka/ # address of the registry
  instance:
    prefer-ip-address: true # whether to register this service's IP with Eureka Server
```
My question is this:
When I call the resource server's controller with the token, using @PreAuthorize("hasAnyAuthority('p1')") in the controller makes the permission check take effect, but using .antMatchers("/**").hasAuthority("p2") in the configuration class does not.
Why is that?
I've spent a long time on this and still can't figure it out.
Could someone more experienced take a look? Thanks!
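As an added illustration (example code, not the poster's project nor an answer to the observed behaviour): in Spring Security's `authorizeRequests()` the patterns are evaluated in declaration order and the first pattern that matches a request decides the rule, so with two consecutive `antMatchers("/**")` entries the second one is never reached. This variant of the configuration above expresses both checks in one expression, puts the specific path before the catch-all, and keeps the resource id, authority name, scope and check_token URL from the post; it assumes a Spring Boot application with the legacy spring-security-oauth2 classes on the classpath.

```java
package com.provider.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "res1";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID)
                 .tokenServices(tokenServices())
                 .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Most specific pattern first. Scope AND authority are combined in one
            // expression; a second antMatchers() for the same pattern would be dead.
            .antMatchers("/HelloProvider").access("#oauth2.hasScope('all') and hasAuthority('p2')")
            // Catch-all last: anything else at least needs the "all" scope.
            .anyRequest().access("#oauth2.hasScope('all')")
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    public ResourceServerTokenServices tokenServices() {
        // Remote introspection against the authorization server from the post.
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://localhost:9988/oauth/check_token");
        services.setClientId("c1");
        services.setClientSecret("secret");
        return services;
    }
}
```

With the token from the post (authority `p1`, scope `all`) a request to `/HelloProvider` is rejected by this rule set with 403, while any other path that exists is allowed on scope alone.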