Spring Authorization Server expose rest endpoints

Question


I have implemented an authorization server using spring-boot-starter-oauth2-authorization-server.
Everything seems to work perfectly. However, I need to expose some endpoints for creating users, getting user permissions etc., so I need to configure the auth server to also act as a resource server.

I need "POST /users" to be public with no authorization, and "GET /users/{userId}/permissions" to require a valid JWT token to be present in the header.

I have tried creating a SecurityFilterChain bean like this, which allows access to the /users endpoint, but it breaks the authorization server:

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Intended to allow anonymous POST /users and require authentication everywhere else
@Bean
public SecurityFilterChain configureSecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
        .requestMatchers(HttpMethod.POST, "/users").permitAll()
        .anyRequest().authenticated());
    http.csrf(AbstractHttpConfigurer::disable);
    return http.build();
}

I'm sure it's possible to create authorization customizations for specific endpoints, but how?

Answer 1

Score: 1

Once you've gone beyond the Getting Started experience, the same docs page covers how to define the same components that Spring Boot provides, so you can begin customizing the configuration. Because of Spring Boot, each component is optional. In particular, notice that it defines two SecurityFilterChain @Beans with the @Order annotation, and also note that the first one includes:

OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

Without that line (or copying the code contained within into your own code), the authorization server's protocol endpoints won't be set up, which is why you observed

> but it breaks the authorization server
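The layout the answer points to, written out as an added example (it is neither the answerer's code nor the Spring Authorization Server project's own): the first chain applies OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http) and is thereby scoped to the protocol endpoints; a second chain is scoped to the /users paths and carries the asker's anonymous POST /users rule plus bearer-JWT validation for GET /users/{userId}/permissions; a third handles the login page. It assumes Spring Boot 3 with Spring Security 6 and that the JWKSource<SecurityContext> bean from the same docs page is defined (the jwtDecoder bean is built from it); the class and bean names are my own.

```java
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

// Class name is an assumption for this example.
@Configuration
public class AuthServerSecurityConfig {

    // Chain 1: the authorization server's protocol endpoints (/oauth2/authorize,
    // /oauth2/token, /oauth2/jwks, ...). applyDefaultSecurity registers them and
    // restricts this chain to exactly those paths, so it has to be ordered first.
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .oidc(Customizer.withDefaults()); // enable OpenID Connect 1.0
        http
            // Unauthenticated browser requests are redirected to the login page
            .exceptionHandling(ex -> ex.defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint("/login"),
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
            // Accept the server's own access tokens on /userinfo and similar endpoints
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: the custom REST API. securityMatcher keeps this chain off every
    // other path, so it cannot shadow the protocol endpoints or the login page.
    @Bean
    @Order(2)
    public SecurityFilterChain usersApiSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/users", "/users/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/users").permitAll()
                .requestMatchers(HttpMethod.GET, "/users/*/permissions").authenticated()
                .anyRequest().authenticated())
            // Bearer-token API with no browser session, so CSRF protection does not apply
            .csrf(AbstractHttpConfigurer::disable)
            // Validate the JWT issued by chain 1 using the jwtDecoder bean below
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 3: everything else (login and consent pages), with form login as in the docs.
    @Bean
    @Order(3)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Decoder for the server's own tokens, derived from the JWKSource bean that the
    // Getting Started configuration defines (assumed to exist in this application).
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }
}
```

The order and the matchers are what make this work: the asker's single chain had no securityMatcher, so it captured every request, including /oauth2/token, and with no applyDefaultSecurity the protocol endpoints were never registered. With the API chain limited to the /users paths and placed after the protocol chain, a request for GET /users/{userId}/permissions without a valid bearer token gets a 401 from the resource-server filter, while POST /users remains reachable anonymously, so that controller is the one place where input validation and abuse controls for account creation need to live.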

huangapple
  • Posted on July 6, 2023 16:31:12
  • When republishing, please keep the link to this article: https://go.coder-hub.com/76626938.html