Spring oauth2 hasRole 访问被拒绝

我对 OAuth2 非常陌生，并尝试在角色 auth.server 中构建一台服务器来授权用户，并构建一台保留受保护资源的服务器......

我在使用 ResourceServerConfigurerAdapter 时遇到了一些问题。看起来他忽略了从 userInfoUrl 获取的所有角色......

所以这里的代码：

认证服务器

@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {

    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }
    public static void main(String[] args) {
        SpringApplication.run(Oa2AuthServerApplication.class, args);
    }
}

__

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .roles("ADMIN", "USER")
                .and()
                .withUser("user")
                .password("user")
                .roles("USER");
    }
}

__

@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("default")
                .secret("kx")
                .scopes("AUTH", "TRUST")
                .autoApprove(true)
                .authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
                .authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
    }
}

资源服务器

@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {
    @RequestMapping("/")
    public String greet() {
        return UUID.randomUUID().toString() + "\r\n";
    }

    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }


    public static void main(String[] args) {
        SpringApplication.run(Oa2ResourceServerApplication.class, args);
    }
}

因此，从 authserver 获取令牌 + 调用“localhost:9091/”和“/forAdmin”可以使用此令牌。

但是当我这样做时：

public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/forAdmin").hasRole("USER");
    }

我的访问被拒绝....

可以肯定的是，角色正在到达资源服务器，我已将上面的 foot() 更改为

@RequestMapping("/")
    public String greet(Principal user) {
        if (user instanceof OAuth2Authentication) {
            log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
        }
        return UUID.randomUUID().toString() + "\r\n";
    }

控制台显示

d.k.auth.Oa2ResourceServerApplication ：具有角色：[{authority=ROLE_USER}]

因此，当“Principal”是当前经过身份验证的用户时，我认为资源服务器配置程序存在错误......或者我正在做一些致命的错误......

或者两者......我不知道

有人可以帮助我解决这个问题吗？

所以JWT是必要的，没有它不行。

我用组合解决了它：

@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")

您可以找到受保护资源的示例here https://github.com/mavogel/uaa-behind-zuul-sample/blob/master/dummy-service/src/main/java/com/kakawait/DummyServiceApplication.java.