Spring Oauth2单独的资源服务器配置

Question

我想为oauth2配置单独的auth和资源服务器。 我可以成功配置授权服务器，并且能够进行身份验证并生成访问令牌。现在我想配置一个资源服务器，它可以通过api端点与auth服务器通信来验证访问令牌。 以下是我的资源服务器配置。

@Configuration 
@EnableResourceServer 
@EnableWebSecurity 
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter  { 


@Override 
protected void configure(HttpSecurity http) throws Exception { 
    System.out.println("Oauth2SecurityConfiguration before"); 
    http 
       .authorizeRequests() 
       .antMatchers(HttpMethod.GET, "/api/v1/**").authenticated(); 
    System.out.println("Oauth2SecurityConfiguration after"); 
} 

@Bean 
public AccessTokenConverter accessTokenConverter() { 
    return new DefaultAccessTokenConverter(); 
} 

@Bean 
public RemoteTokenServices remoteTokenServices() { 
    final RemoteTokenServices remoteTokenServices = new RemoteTokenServices(); 
    remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9000/authserver/oauth/check_token"); 
    remoteTokenServices.setClientId("clientId"); 
    remoteTokenServices.setClientSecret("clientSecret"); 
    remoteTokenServices.setAccessTokenConverter(accessTokenConverter()); 
    return remoteTokenServices; 
} 

@Override 
@Bean 
public AuthenticationManager authenticationManager() throws Exception { 
    OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager(); 
    authenticationManager.setTokenServices(remoteTokenServices()); 
    return authenticationManager; 
} 
} 


@Configuration 
@EnableResourceServer 
public class ResourceServerConfig extends ResourceServerConfigurerAdapter { 
    @Override 
    public void configure(HttpSecurity http) throws Exception { 
     http.csrf().disable(); 
     System.out.println("http.csrf().disable()"); 
     http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/v1/**").fullyAuthenticated(); 
     System.out.println("http.authorizeRequests().anyRequest().authenticated()"); 
    } 
} 


@Configuration 
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) 
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { 

@Override 
protected MethodSecurityExpressionHandler createExpressionHandler() { 
    return new OAuth2MethodSecurityExpressionHandler(); 
} 
} 

问： 1.为什么我的AuthenticationManager在资源服务器，而所有的认证委托给auth服务器。 （我不得不添加它来加载应用程序上下文）

除此之外，我正面临以下问题。

1. 即使我没有通过授权标头和访问令牌与请求。它正在经历。

   http GET "http://localhost:8080/DataPlatform/api/v1/123sw/members" 
   HTTP/1.1 200 OK 
   Content-Type: application/json;charset=UTF-8 
   Date: Mon, 19 Oct 2015 19:45:14 GMT 
   Server: Apache-Coyote/1.1 
   Transfer-Encoding: chunked 
   { 
   "entities": [], 
   "errors": [], 
   "message": null 
   } 
   

2. 过滤器只能立即调用我没有看到以下请求的日志。它在某处缓存授权吗？

我是新来的春天oauth请让我知道如果我做错了什么。我使用

spring-security-oauth2 : 2.0.7.RELEASE 
spring-security-core : 4.0.1.RELEASE 
java : 1.8 

Answer 1

你不需要@EnableWebSecurity上Oauth2SecurityConfiguration@EnableResourceServer就够了。 您还应该用extends ResourceServerConfigurerAdapter替换extends WebSecurityConfigurerAdapter。

如果你想用你的RemoteTokenServices比如我建议你重写ResourceServerConfigurerAdapterpublic void configure(ResourceServerSecurityConfigurer resources) throws Exception与

@Override 
public void configure(ResourceServerSecurityConfigurer resources) throws Exception 
{ 
    resources.tokenServices(serverConfig.getTokenServices()); 
}