本文介绍了如何在Spring Security OAuth2中配置资源服务器,重点讲解了ResourceServerSecurityConfigurer和HttpSecurity的使用,以及OAuth2AuthenticationProcessingFilter在处理携带token访问受限资源时的角色。讨论了TokenExtractor的默认实现BearerTokenExtractor,以及OAuth2AuthenticationManager如何验证token。同时,提到了三种携带token的方式:Header、URL参数和表单参数。
3.携带token访问受限资源
携带token访问资源,这涉及到@EnableResourceServer相关的资源服务的配置。
| @Configuration @EnableResourceServer protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(DEMO_RESOURCE_ID).stateless(true); }
@Override public void configure(HttpSecurity http) throws Exception { http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .and() .requestMatchers().anyRequest() .and() .anonymous() .and() .authorizeRequests() .antMatchers("/order/**").authenticated();//配置order访问控制,必须认证过后才可以访问 } } |
涉及到ResourceServerSecurityConfigurer和HttpSecurity;前者与资源安全配置相关,后者与http安全配置相关。
ResourceServerSecurityConfigurer主要是这个方法configure
| @Override public void configure(HttpSecurity http) throws Exception {
AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http); resourcesServerFilter = new OAuth2AuthenticationProcessingFilter(); resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint); resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager); if (eventPublisher != null) {
|
最低0.47元/天 解锁文章
1416
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
