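The default "user" account on a Spring Cloud OAuth resource server

When an application is marked as a Spring Cloud OAuth resource server with @EnableOAuth2Resource, the following line appears in the log: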

Using default security password: aa20bbc8-00ec-4584-8351-d7c9aa60d534

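This happens because, when Spring Security is on the classpath, a web application enables a default security configuration: the AuthenticationManager is configured with a default user whose username is user and whose password is a random UUID, and the password is printed to the log at INFO level when the application starts.

Although this user account is created, it is not enabled on the resource server: calling an API without an access token still returns 401 (no permission).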

Relevant source code from the Spring Cloud stack (the class lives in Spring Boot's autoconfigure package):
org.springframework.boot.autoconfigure.security.AuthenticationManagerConfiguration

    @Order(Ordered.LOWEST_PRECEDENCE - 100)
    private static class SpringBootAuthenticationConfigurerAdapter
            extends GlobalAuthenticationConfigurerAdapter {

        private final SecurityProperties securityProperties;

        SpringBootAuthenticationConfigurerAdapter(SecurityProperties securityProperties) {
            this.securityProperties = securityProperties;
        }

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.apply(new DefaultInMemoryUserDetailsManagerConfigurer(
                    this.securityProperties));
        }

    }

DefaultInMemoryUserDetailsManagerConfigurer is where the default user account, user, is initialized:

    private static class DefaultInMemoryUserDetailsManagerConfigurer
            extends InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> {

        private final SecurityProperties securityProperties;

        DefaultInMemoryUserDetailsManagerConfigurer(
                SecurityProperties securityProperties) {
            this.securityProperties = securityProperties;
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Do nothing if the application has already configured authentication.
            if (auth.isConfigured()) {
                return;
            }
            User user = this.securityProperties.getUser();
            // Log the password only when it is the generated default.
            if (user.isDefaultPassword()) {
                logger.info(String.format("%n%nUsing default security password: %s%n",
                        user.getPassword()));
            }
            // Register the default user in the in-memory user store.
            Set<String> roles = new LinkedHashSet<String>(user.getRole());
            withUser(user.getName()).password(user.getPassword())
                    .roles(roles.toArray(new String[roles.size()]));
            setField(auth, "defaultUserDetailsService", getUserDetailsService());
            super.configure(auth);
        }
    }
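
Because configure() above returns early when auth.isConfigured() is true, an application that registers its own authentication source before that point never gets the default user or the password log line. The following is an added example, not code from the original post or from Spring: a sketch for a resource server that has no local accounts. The class name NoLocalUsersConfiguration and the package are hypothetical, and the imports assume the Spring Security 4.x package layout used with Spring Boot 1.x.

```java
package example; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.Authentication;

/**
 * Registers an authentication provider on the global AuthenticationManagerBuilder
 * during the init phase. By the time Spring Boot's
 * DefaultInMemoryUserDetailsManagerConfigurer.configure() runs, auth.isConfigured()
 * is already true, so no "user" account is created and no password is logged.
 */
@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE)
public class NoLocalUsersConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // AuthenticationManagerBuilder.isConfigured() reports true once at least
        // one provider has been added.
        auth.authenticationProvider(new RejectAllAuthenticationProvider());
    }

    /** A provider that accepts no token type, so no local login can ever succeed. */
    private static final class RejectAllAuthenticationProvider
            implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication authentication) {
            // Never reached: supports() rejects every Authentication type.
            return null;
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return false;
        }
    }
}
```

With this class on the component-scan path, check the startup log to confirm that the "Using default security password" line no longer appears, and that API calls without an access token still return 401.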
