Spring Authorization Server暴露REST端点。

huangapple go评论120阅读模式
英文:

Spring Authorization Server expose rest endpoints

问题

我已经使用spring-boot-starter-oauth2-authorization-server实现了一个授权服务器。一切似乎都运行得很完美。然而,我需要公开一些端点来创建用户、获取用户权限等,因此我需要配置授权服务器以充当资源服务器。

我需要“POST /users”是公开的,无需授权,而“GET /users/{userId}/permissions”需要在头部中存在有效的JWT令牌。

我尝试创建了一个SecurityFilterChain bean,像这样允许访问/users端点,但它破坏了授权服务器:

@Bean
public SecurityFilterChain configureSecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
        .requestMatchers(HttpMethod.POST, "/users").permitAll()
        .anyRequest().authenticated());
    http.csrf(AbstractHttpConfigurer::disable);
    return http.build();
}

我确信可以为特定的端点创建授权定制,但如何实现呢?

英文:

I have implemented an authorization server using spring-boot-starter-oauth2-authorization-server.
Everything seems to work perfectly. However, I need to expose some endpoints for creating users, getting user permissions etc., so I need to configure the auth server to also act as a resource server.

I need "POST /users" to be public with no authorization, and "GET /users/{userId}/permissions" to require a valid JWT token to be present in the header.

I have tried creating a SecurityFilterChain bean like this, which allows access to the /users endpoint, but it breaks the authorization server:

@Bean
  public SecurityFilterChain configureSecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
        .requestMatchers(HttpMethod.POST, "/users").permitAll()
        .anyRequest().authenticated());
    http.csrf(AbstractHttpConfigurer::disable);
    return http.build();
  }

I'm sure it's possible to create authorization customizations for specific endpoints, but how?

答案1

得分: 1

一旦您超越了入门指南的经验,同一文档页面涵盖了如何定义相同的组件,这些组件与Spring Boot提供的相同,因此您可以开始定制配置。由于Spring Boot,每个组件都是可选的。特别要注意它定义了两个带有@Order注解的SecurityFilterChain @Bean,还要注意第一个包含的代码是:

OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

没有这行代码(或将其中的代码复制到您自己的代码中),授权服务器的协议端点就不会设置好,这就是您观察到的原因

> 但它会破坏授权服务器

英文:

Once you've gone beyond the Getting Started experience, the same docs page covers how to define the same components that Spring Boot provides so you can begin customizing the configuration. Because of Spring Boot each component is optional. In particular, notice that it defines two SecurityFilterChain @Beans with the @Order annotation, and also note that the first one includes:

OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

Without that line (or copying the code contained within into your own code), the authorization server's protocol endpoints won't be set up, which is why you observed

> but it breaks the authorization server

huangapple
  • 本文由 发表于 2023年7月6日 16:31:12
  • 转载请务必保留本文链接:https://go.coder-hub.com/76626938.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定