我正在尝试实现一个API,其中的资源受到Oauth2或Http-Basic身份验证的保护。
当我加载WebSecurityConfigurerAdapter并首先将http-basic身份验证应用于资源时,Oauth2令牌身份验证不被接受。反之亦然。
示例配置: 这将对所有/user/**资源应用http-basic身份验证
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private LoginApi loginApi;
@Autowired
public void setLoginApi(LoginApi loginApi) {
this.loginApi = loginApi;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(new PortalUserAuthenticationProvider(loginApi));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/users/**").authenticated()
.and()
.httpBasic();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
这将在/user/**资源上应用OAuth令牌保护。
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/users/**")
.and()
.authorizeRequests()
.antMatchers("/users/**").access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.hasScope('read')");
}
}
我确定我错过了一些神奇的代码,告诉Spring尝试第一个失败后再尝试第二个?
任何帮助都将不胜感激。
oAuth2AuthenticationEntryPoint()
定义在哪里? - jax.authenticationEntryPoint(new OAuth2AuthenticationEntryPoint())
中的OAuth2AuthenticationEntryPoint
来自于以下导入:import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
- AntonioOtero