本文旨在解决 Spring Boot Web 应用中同时集成 OAuth2 资源服务器和 Basic 认证的问题。通过配置多个 `WebSecurityConfigurerAdapter` 实例,并自定义 `UserDetailsService`,可以实现对不同端点采用不同的认证方式,确保 `/resource` 端点受 OAuth2 保护,而 `/helloworld` 端点受 Basic 认证保护。本文将提供详细的配置示例和注意事项,帮助开发者顺利实现混合认证方案。
在 Spring Boot 应用中,同时使用 OAuth2 和 Basic 认证可能会遇到一些配置问题。默认情况下,Spring Boot 会自动配置 UserDetailsService,但当存在 OAuth2 相关配置时,自动配置可能会失效,导致 Basic 认证无法正常工作。本教程将详细介绍如何在 Spring Boot 应用中配置多个 WebSecurityConfigurerAdapter 实例,并自定义 UserDetailsService,以实现对不同端点采用不同的认证方式。
配置多个 WebSecurityConfigurerAdapter
为了实现不同端点使用不同的认证方式,我们需要创建多个 WebSecurityConfigurerAdapter 实例,并使用 @Order 注解指定它们的优先级。优先级高的配置会先执行。
@Configuration
@Order(10)
@EnableWebSecurity
public static class HelloWorldBasicSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/helloworld")
.httpBasic()
.and()
.authorizeRequests().antMatchers("/helloworld").
authenticated();
}
}
@Configuration
@Order(0)
@EnableWebSecurity
public static class ResourceSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private Environment environment;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/resource")
.oauth2ResourceServer(oauth2 -> oauth2.opaqueToken(
opaqueToken -> opaqueToken.introspector(new DemoAuthoritiesOpaqueTokenIntrospector())))
.authorizeRequests().antMatchers("/resource").authenticated();
}
private class DemoAuthoritiesOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate;
private final String demoClientId;
public DemoAuthoritiesOpaqueTokenIntrospector() {
String introSpectionUri = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.introspection-uri");
String clientId = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-id");
String clientSecret = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-secret");
demoClientId = environment.getProperty("demo.security.oauth2.credentials-grant.client-id");
delegate = new NimbusOpaqueTokenIntrospector(introSpectionUri, clientId, clientSecret);
}
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
extractAuthorities(principal));
}
private Collection extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
String userId = principal.getAttribute("client_id");
if (demoClientId.equals(userId)) {
return Collections.singleton(new SimpleGrantedAuthority("ROLE_oauth2"));
}
return Collections.emptySet();
}
}
} 
在上面的代码中,HelloWorldBasicSecurityConfigurerAdapter 配置了 /helloworld 端点的 Basic 认证,而 ResourceSecurityConfigurerAdapter 配置了 /resource 端点的 OAuth2 资源服务器。
自定义 UserDetailsService
由于 Spring Boot 在存在 OAuth2 配置时可能会回退 UserDetailsService 的自动配置,我们需要手动定义 UserDetailsService bean。
@Bean
public UserDetailsService inMemoryUserDetailsService() {
UserDetails demo = User.withUsername("demo").password("{noop}demo").roles("demo").build();
return new InMemoryUserDetailsManager(demo);
}这段代码创建了一个 InMemoryUserDetailsManager,并添加了一个用户名为 "demo",密码为 "demo",角色为 "demo" 的用户。 {noop} 前缀表示密码未加密,仅用于演示目的。在生产环境中,应该使用更安全的密码编码方式。
完整配置示例
下面是完整的配置示例,包括 DemoApplication.java、DemoSecurityConfiguration.java 和 application.yaml。
DemoApplication.java
@SpringBootApplication
@RestController
public class DemoApplication {
@PreAuthorize("hasRole('demo')")
@GetMapping("/helloworld")
public String hello() {
return "Hello World!";
}
@PreAuthorize("hasRole('oauth2')")
@GetMapping("/resource")
public String resource() {
return "Protected resource";
}
public static void main(String... args) {
SpringApplication.run(DemoApplication.class, args);
}
}DemoSecurityConfiguration.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import java.util.Collection;
import java.util.Collections;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class DemoSecurityConfiguration {
@Bean
public UserDetailsService inMemoryUserDetailsService() {
UserDetails demo = User.withUsername("demo").password("{noop}demo").roles("demo").build();
return new InMemoryUserDetailsManager(demo);
}
@Configuration
@Order(10)
public static class HelloWorldBasicSecurityConfigurerAdapter {
@Bean
public SecurityFilterChain filterChainHelloWorld(HttpSecurity http) throws Exception {
http
.securityMatcher("/helloworld")
.authorizeHttpRequests(authz -> authz
.anyRequest().authenticated()
)
.httpBasic();
return http.build();
}
}
@Configuration
@Order(0)
public static class ResourceSecurityConfigurerAdapter {
@Autowired
private Environment environment;
@Bean
public SecurityFilterChain filterChainResource(HttpSecurity http) throws Exception {
http
.securityMatcher("/resource")
.authorizeHttpRequests(authz -> authz
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
return http.build();
}
@Bean
public OpaqueTokenIntrospector introspector() {
return new DemoAuthoritiesOpaqueTokenIntrospector(environment);
}
private static class DemoAuthoritiesOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
private final OpaqueTokenIntrospector delegate;
private final String demoClientId;
public DemoAuthoritiesOpaqueTokenIntrospector(Environment environment) {
String introSpectionUri = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.introspection-uri");
String clientId = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-id");
String clientSecret = environment
.getProperty("spring.security.oauth2.resourceserver.opaque-token.client-secret");
demoClientId = environment.getProperty("demo.security.oauth2.credentials-grant.client-id");
delegate = new NimbusOpaqueTokenIntrospector(introSpectionUri, clientId, clientSecret);
}
public OAuth2AuthenticatedPrincipal introspect(String token) {
OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
extractAuthorities(principal));
}
private Collection extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
String userId = principal.getAttribute("client_id");
if (demoClientId.equals(userId)) {
return Collections.singleton(new SimpleGrantedAuthority("ROLE_oauth2"));
}
return Collections.emptySet();
}
}
}
} application.yaml
spring:
security:
basic:
enabled: true
user:
name: demo
password: demo
roles: demo
oauth2:
resourceserver:
opaque-token:
introspection-uri: "https://...oauth2"
client-id: "abba"
client-secret: "secret"
demo:
security:
oauth2:
credentials-grant:
client-id: "rundmc"注意事项
- 密码编码: 在生产环境中,不要使用 {noop} 编码方式。应该使用更安全的密码编码方式,如 BCryptPasswordEncoder。
- 角色权限: 确保用户具有访问相应端点所需的角色权限。
- 配置优先级: @Order 注解的优先级顺序很重要,需要根据实际需求进行调整。
- Spring Boot 版本: 不同版本的 Spring Boot 在配置方式上可能存在差异,请参考官方文档。
- SecurityFilterChain: 使用 Spring Security 5.7+ 版本时,推荐使用 SecurityFilterChain bean 的方式配置HttpSecurity。
总结
通过配置多个 WebSecurityConfigurerAdapter 实例,并自定义 UserDetailsService,可以在 Spring Boot 应用中同时使用 OAuth2 和 Basic 认证,实现对不同端点采用不同的认证方式。 确保 /resource 端点受 OAuth2 保护,而 /helloworld 端点受 Basic 认证保护。本教程提供了一个完整的配置示例,并列出了注意事项,希望能帮助开发者顺利实现混合认证方案。
