Spring Security with multiple ResourceServerConfigurerAdapter classes based on endpoints

gcmastyq  posted on 2021-07-06  in Java

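I want to authorize my two sets of endpoints:
Provider URLs with the pattern (/provider/api/
Customer URLs with the pattern (/customer/api/

All other endpoints can be ignored. I am using AWS Cognito as the authorization server and have built two different user pools, one for providers and one for customers. I set up Spring Boot security following the guide https://medium.com/@arjunsk/resource-服务器-with-cognito-b7fbee0155
Here are my two security configurations: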

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class CustomerResourceServerSecurityConfiguration extends ResourceServerConfigurerAdapter {

  private final ResourceServerProperties resource;

  @Override
  public void configure(HttpSecurity http) throws Exception {

    // Very important
    http.cors();

    http.csrf().disable();

    http.requestMatchers()
          .antMatchers("/customer/api/**")
        .and()
        .authorizeRequests()
        .antMatchers("/customer/api/**").authenticated();
  }

  // Enabling Cognito Converter
  @Bean
  public TokenStore jwkTokenStore() {
    return new JwkTokenStore(
        Collections.singletonList(resource.getJwk().getKeySetUri()),
        new CognitoAccessTokenConverter(),
        null);
  }
}

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class ProviderResourceServerSecurityConfiguration extends ResourceServerConfigurerAdapter {

  @Qualifier("providerResourceServerProperties")
  private final ResourceServerProperties resource;

  @Override
  public void configure(HttpSecurity http) throws Exception {

    // Very important
    http.cors();

    http.csrf().disable();

    http.requestMatchers()
          .antMatchers("/provider/api/**")
        .and()
        .authorizeRequests()
        .antMatchers("/provider/api/**").authenticated();
  }

  // Enabling Cognito Converter
  @Bean
  public TokenStore jwkTokenStore() {
    return new JwkTokenStore(
        Collections.singletonList(resource.getJwk().getKeySetUri()),
        new CognitoAccessTokenConverter(),
        null);
  }
}

My different configurations are determined by this configuration:

@Configuration
public class ResourceServerPropertiesConfig {

  @Bean
  @Primary
  @ConfigurationProperties("security.customer.oauth2.resource")
  public ResourceServerProperties customerResourceServerProperties() {
    return new ResourceServerProperties();
  }

  @Bean
  @ConfigurationProperties("security.provider.oauth2.resource")
  public ResourceServerProperties providerResourceServerProperties() {
    return new ResourceServerProperties();
  }
}

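If I use a single configuration, it works fine. But if I use both configurations at the same time, I see that my provider configuration is always ignored and all provider endpoints are authorized by the customer security configuration. I tried setting the order, but that did not solve it.
Please help me set up two different configurations based on endpoint, so that provider URLs are authenticated only by ProviderResourceServerSecurityConfiguration and customer URLs are authenticated only by CustomerResourceServerSecurityConfiguration.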
