I have a simple OAuth2 application. I started off by creating a SecurityConfig extending WebSecurityConfigurerAdapter and annotated with @EnableOAuth2Sso. I've created an API as well in a controller to test if authentication is working. Principal gets injected into the controller and it gives the correct name.
I'm now trying to add some authorities to the principal by implementing AuthoritiesExtractor and creating it as a bean. I also did the same with PrincipalExtractor to check if it is working. None of them are getting called while making any request from the browser.
Edit: This is actually doing only authentication with OIDC and hence my client and resources are on the same application.
// This is my security configuration class.

    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
    import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableOAuth2Sso
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Everything except the login and error pages requires an authenticated user.
            http
                .antMatcher("/**")
                .authorizeRequests()
                    .antMatchers("/login**", "/error**")
                        .permitAll()
                    .anyRequest()
                        .authenticated();
        }

        // Builds the principal from the user-info map. `User` is the application's own class
        // (it has a setUsername method), not Spring Security's User.
        @Bean
        public PrincipalExtractor principalExtractor() {
            return map -> {
                System.out.println("Principal extracted.");
                User user = new User();
                user.setUsername((String) map.get("username"));
                return user;
            };
        }

        @Bean
        public AuthoritiesExtractor authoritiesExtractor() {
            return new PrismAuthoritiesExtractor();
        }
    }
// And this is my AuthoritiesExtractor class defined separately just to check if doing so works.

    import java.util.List;
    import java.util.Map;

    import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;

    public class PrismAuthoritiesExtractor implements AuthoritiesExtractor {

        // Ignores the user-info map and grants two fixed authorities, purely to see whether it runs.
        @Override
        public List<GrantedAuthority> extractAuthorities(Map<String, Object> map) {
            return AuthorityUtils.commaSeparatedStringToAuthorityList("AUTH1,AUTH2");
        }
    }
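As an added example (not part of the question above), this is how the extractors can be wired explicitly into the UserInfoTokenServices that invokes them, rather than relying on auto-configuration to pick the bean up. The user-info URI and client id are placeholders, and the `groups` claim name is an assumption about the identity provider's user-info response.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
public class TokenServicesConfig {

    // Placeholders: the provider's user-info endpoint and the client id registered with it.
    private static final String USER_INFO_URI = "https://idp.example.invalid/userinfo";
    private static final String CLIENT_ID = "my-client-id";

    // Maps a "groups" claim (assumed name) to ROLE_* authorities. A missing or malformed
    // claim yields no authorities at all, so nothing is granted by accident.
    @Bean
    public AuthoritiesExtractor groupsAuthoritiesExtractor() {
        return (Map<String, Object> map) -> {
            Object groups = map.get("groups");
            if (!(groups instanceof List)) {
                return Collections.<GrantedAuthority>emptyList();
            }
            String roles = ((List<?>) groups).stream()
                    .filter(g -> g instanceof String && !((String) g).isEmpty())
                    .map(g -> "ROLE_" + ((String) g).toUpperCase())
                    .reduce((a, b) -> a + "," + b)
                    .orElse("");
            return AuthorityUtils.commaSeparatedStringToAuthorityList(roles);
        };
    }

    // Defining this bean explicitly makes the auto-configured token services back off, and the
    // extractors passed in here are the ones used when the user-info response is processed.
    @Bean
    public ResourceServerTokenServices tokenServices(PrincipalExtractor principalExtractor,
                                                     AuthoritiesExtractor authoritiesExtractor) {
        UserInfoTokenServices services = new UserInfoTokenServices(USER_INFO_URI, CLIENT_ID);
        services.setPrincipalExtractor(principalExtractor);
        services.setAuthoritiesExtractor(authoritiesExtractor);
        return services;
    }
}
```

After logging in, check the granted authorities on the Authentication object (for example from a controller parameter) to confirm the mapping is applied as intended.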