我有一个实现Spring Security和Spring OAuth2安全的项目。当我请求访问令牌时,它工作得很好,但当我使用访问令牌请求资源时,我得到了“在SecurityContext中没有找到身份验证对象”。
我的项目的安全上下文配置(security context XML)如下:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Turns on method-level security driven by JSR-250 annotations (@RolesAllowed, @PermitAll, @DenyAll). -->
<global-method-security jsr250-annotations="enabled" />
<!-- Static-resource chains. security="none" gives matching requests an empty filter chain: no Spring Security
filter runs for them and no Authentication is placed in the SecurityContext. These chains are declared
before the protected ones in this file. -->
<!-- NOTE(review): the patterns below match on file extension anywhere in the URL space, including under
/Api/, /Admin/ and /Seller/. If a controller can answer on a path ending in one of these suffixes
(for example when Spring MVC suffix-pattern matching is enabled), that request skips authentication.
Prefer directory-scoped patterns for static assets; *.html, *.xml and *.xls deserve particular attention. -->
<http pattern="/**/*.css" security="none" />
<http pattern="/**/*.css.map" security="none" />
<http pattern="/**/*.gif" security="none" />
<http pattern="/**/*.html" security="none" />
<http pattern="/**/*.ttf" security="none" />
<http pattern="/**/*.eot" security="none" />
<http pattern="/**/*.svg" security="none" />
<http pattern="/**/*.woff" security="none" />
<http pattern="/**/*.woff2" security="none" />
<http pattern="/**/*.xls" security="none" />
<http pattern="/**/*.ico" security="none" />
<http pattern="/**/*.jpg" security="none" />
<http pattern="/**/*.js" security="none" />
<http pattern="/**/*.png" security="none" />
<http pattern="/**/*.xml" security="none" />
<http pattern="/**/*.mp4" security="none" />
<!-- NOTE(review): this pattern has no leading "/", so it presumably never matches a request path. Going by its
name it refers to a handler that edits customer transactions; confirm whether such an endpoint is really
meant to be reachable without authentication before correcting the pattern. -->
<http pattern="editCustomerTrnx" security="none"/>
<!--<http pattern="/embed/*" security="none"/> -->
<!-- Default URL provided by Spring to get the tokens (access and refresh) from OAuth -->
<!-- Token endpoint chain: never creates an HTTP session and authenticates the OAuth client (not the end user)
through clientAuthenticationManager. -->
<http pattern="/oauth/token" create-session="never"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- The caller must be fully authenticated (here: as a client) to reach the endpoint. -->
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!-- Using this to authenticate client using request parameter -->
<!-- NOTE(review): when client_id/client_secret (and the user's password for the password grant) are sent as
URL query parameters, they are commonly written to access and proxy logs. HTTP Basic (enabled above) for the
client and a form-encoded POST body for the rest keep the secrets out of the URL. -->
<custom-filter ref="clientCredentialsTokenEndPointFilter" after="BASIC_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
separately. This isn't mandatory, but it makes it easier to control the behaviour -->
<!-- Stateless chain for the token-protected API: no session is used, so every request must carry its own
access token. Access decisions go through the accessDecisionManager bean. -->
<!-- NOTE(review): the pattern is spelled /Api/** while the request shown in the question goes to
/api/currencylist. Whether the two match depends on the matcher's case sensitivity in the Spring Security
version in use; verify that the request URL really falls into this chain. -->
<http pattern="/Api/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<!-- Anonymous authentication is off. If resourceServerFilter extracts no bearer token from the request it
sets no Authentication, the SecurityContext stays empty, and the access check fails with
"An Authentication object was not found in the SecurityContext", which oauthAuthenticationEntryPoint
renders as the JSON "unauthorized" error.
NOTE(review): when that error appears, first confirm the request carries the header
"Authorization: Bearer ACCESS_TOKEN" with the token value issued by /oauth/token. -->
<anonymous enabled="false"/>
<!-- ROLE_ADMIN is an authority of the end user the token was issued for, not of the OAuth client. -->
<intercept-url pattern="/Api/**" access="ROLE_ADMIN"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<!-- 2 -->
<!-- Catch-all chain (no pattern attribute) for the browser-facing web application: form login, logout,
a custom session filter and session management. -->
<!-- NOTE(review): only /Admin/**, /Seller/**, /login/** and / have access rules here. Any other URL that
reaches this chain has no intercept-url rule and is therefore not access-checked at the URL level;
consider a final deny-by-default rule. -->
<http auto-config="true">
<!-- NOTE(review): with the default decision manager a comma-separated access list is satisfied by any one
of the listed roles. If ROLE_AUTHENTICATED is granted to every logged-in user, /Admin/** and /Seller/** are
open to all of them; confirm that is intended. -->
<!-- NOTE(review): requires-channel="any" accepts plain HTTP, so login credentials and the session cookie can
travel unencrypted; "https" would force the secure channel using the port mapping below. -->
<intercept-url pattern="/Admin/**"
access="ROLE_ADMINISTRATOR,ROLE_AUTHENTICATED" requires-channel="any" />
<intercept-url pattern="/Seller/**" access="ROLE_AUTHENTICATED,ROLE_SELLER"
requires-channel="any" />
<intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="any" />
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"
requires-channel="any" />
<!-- <remember-me key="remittancerm" /> -->
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="customSessionFilter" />
<form-login login-page="/main"
authentication-failure-handler-ref="failureHandler"
always-use-default-target="false" default-target-url="/"
authentication-success-handler-ref="ash" />
<logout logout-url="/logout" logout-success-url="/" />
<!-- NOTE(review): ref is empty here; presumably only error-page takes effect. Remove the empty attribute or
point it at a real handler bean so the intent is explicit. -->
<access-denied-handler ref="" error-page="/" />
<!-- authentication-failure-url="/main?errormessage=authentication.login.failed" -->
<session-management
session-authentication-strategy-ref="sls" />
<port-mappings>
<port-mapping http="8080" https="8443" />
</port-mappings>
</http>
<!-- End-user authentication manager (alias "authenticationManager"). Presumably this is also what validated
username/password in the password-grant token request shown in the question. TODO confirm. -->
<!-- NOTE(review): the only user is defined inline with ROLE_ADMIN and a short, guessable clear-text password.
The userDetailService reference and the password-encoder element are both commented out, so neither the
repository-backed users nor password hashing are in effect. Treat this as test-only configuration and do
not deploy it as is. -->
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider> <!-- user-service-ref="userDetailService" -->
<user-service>
<user name="subash" authorities="ROLE_ADMIN" password="123456"/>
</user-service>
<!-- <password-encoder ref="passwordEncoder">
</password-encoder> -->
</authentication-provider>
</authentication-manager>
<!-- Project beans for the form-login chain: success/failure handlers, session filter, session strategies,
session registry and user lookup. Their behaviour is defined in com.remittance.session classes that are
not shown here. -->
<!-- Referenced by form-login as authentication-success-handler-ref. -->
<beans:bean id="ash"
class="com.remittance.session.CustomSavedRequestAwareAuthenticationSuccessHandler">
</beans:bean>
<!-- Referenced by form-login as authentication-failure-handler-ref. -->
<beans:bean id="failureHandler" class="com.remittance.session.CustomAuthenticationFailureHandler">
</beans:bean>
<!-- NOTE(review): defined but not referenced anywhere in the configuration shown. -->
<beans:bean id="forbiddenEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- Installed at CONCURRENT_SESSION_FILTER in the web chain. -->
<beans:bean id="customSessionFilter" class="com.remittance.session.CustomSessionFilter">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
<!-- Session authentication strategy used by session-management; wraps the "sas" strategy below.
sessionLogApi is defined outside this file. -->
<beans:bean id="sls"
class="com.remittance.session.SessionLoggingStrategy">
<beans:constructor-arg ref="sas" />
<beans:constructor-arg ref="sessionLogApi" />
</beans:bean>
<!-- NOTE(review): maximumSessions is -1; presumably, as in Spring's own concurrent-session strategy, this
means no limit on simultaneous sessions per user. Confirm against the custom class. -->
<beans:bean id="sas"
class="com.remittance.session.PersistingConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:constructor-arg name="sessionApi" ref="sessionApi" />
<beans:property name="maximumSessions" value="-1" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="com.remittance.session.PersistingSessionRegistry">
<beans:constructor-arg ref="sessionApi" />
</beans:bean>
<!-- NOTE(review): the only visible reference to this bean (user-service-ref on the authentication provider)
is commented out, so it is not used for authentication in this file. -->
<beans:bean id="userDetailService"
class="com.remittance.session.UserDetailsServiceImpl">
<beans:constructor-arg ref="userRepository" />
</beans:bean>
<!-- NOTE(review): BCrypt encoder is declared, but the password-encoder element that would use it is
commented out in the authentication provider. -->
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<!-- NOTE(review): the class name suggests test scaffolding; confirm it belongs in the deployed context. -->
<beans:bean id="userTest" class="com.remittance.session.UserTest">
<beans:constructor-arg ref="userRepository" />
</beans:bean>
<!-- OAuth2 Security -->
<!-- Resource protected by oauth2 security -->
<!-- OAuth Client Details -->
<!-- In-file registry of OAuth clients: id, secret, allowed grant types, client authorities and scopes. -->
<!-- NOTE(review): the client secrets are hard-coded here as short numeric strings. Load them from external
configuration kept out of version control, and use long random values. -->
<!-- NOTE(review): both clients are authorised for all five grant types, while the authorization-server
element in this file enables only the password grant. Trim authorized-grant-types to what is actually used.
The client ids suggest mobile or handset apps; a secret shipped inside such an app cannot be kept
confidential. TODO confirm the client type. -->
<oauth2:client-details-service id="clientDetails">
<oauth2:client client-id="android5.5" secret="1234567890" authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/>
<oauth2:client client-id="nokia3320" secret="0987654321" authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/>
</oauth2:client-details-service>
<!-- This defines the token store. An in-memory token store is used for now, but it can be replaced by a user-defined one -->
<!-- NOTE(review): tokens held in memory are lost on restart and are not shared between application
instances; a request carrying a token issued by another instance or before a restart will be rejected. -->
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>
<!-- Exposes the registered OAuth clients as users, so the client authentication manager can authenticate them -->
<beans:bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails"/>
</beans:bean>
<!-- This is where the token-based settings are defined: token store, token validity and refresh-token support -->
<!-- The same tokenService bean is used by the authorization server (issuing) and the resource server
(validating) in this file. Access tokens live 500 seconds, which matches "expires_in": 499 in the response
shown in the question. -->
<!-- NOTE(review): supportRefreshToken is true, so refresh tokens are issued, yet the refresh-token grant
element of the authorization server in this file is commented out; presumably those refresh tokens cannot
be redeemed. No refresh-token validity is set here, so the library default applies. -->
<beans:bean id="tokenService" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="tokenStore"/>
<beans:property name="accessTokenValiditySeconds" value="500"/>
<beans:property name="clientDetailsService" ref="clientDetails"/>
<beans:property name="supportRefreshToken" value="true"/>
</beans:bean>
<!-- Determines whether a given client authorization request has been approved by the user -->
<!-- TokenStoreUserApprovalHandler : A user approval handler that remembers approval decisions by consulting existing tokens -->
<beans:bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<beans:property name="tokenStore" ref="tokenStore"/>
<beans:property name="requestFactory" ref="oauth2RequestFactory"/>
</beans:bean>
<!-- Server issuing access token to the client after successfully authenticating the resource owner and obtaining authorization -->
<!-- Only the resource-owner password grant is switched on below; the other grant elements are commented out.
NOTE(review): with the password grant the client application handles the user's password directly, so it
should be limited to first-party clients. -->
<oauth2:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenService"
user-approval-handler-ref="userApprovalHandler">
<!-- <oauth2:authorization-code/> -->
<!-- <oauth2:client-credentials/> -->
<!-- <oauth2:implicit/> -->
<oauth2:password/>
<!-- <oauth2:refresh-token/> -->
</oauth2:authorization-server>
<!-- Authenticates OAuth clients (client id and secret) for the /oauth/token chain, backed by the
client-details registry through clientDetailsUserDetailsService. It is separate from the end-user
authentication manager. -->
<authentication-manager id="clientAuthenticationManager">
<authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
</authentication-manager>
<!-- Include this if you need to authenticate client via request parameter -->
<!-- NOTE(review): this filter lets the client secret arrive as a request parameter; if every client can use
HTTP Basic, leaving the filter out removes that option. -->
<beans:bean id="clientCredentialsTokenEndPointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="clientAuthenticationManager" />
</beans:bean>
<!-- Server hosting the protected resource, capable of accepting and responding to protected resource requests using access tokens -->
<!-- This filter is the one plugged into the /Api/** chain; it validates incoming tokens with tokenService.
NOTE(review): resource-id is "test", while the registered clients declare no resource-ids; presumably the
library treats an empty list as unrestricted. Verify, and set resource-ids on the clients if tokens should
be limited to this resource. -->
<oauth2:resource-server id="resourceServerFilter" resource-id="test" token-services-ref="tokenService"/>
<!-- Authentication Entry Point -->
<!-- Entry point of the /Api/** chain: produces the OAuth2 error response for unauthenticated requests. -->
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="test" />
</beans:bean>
<!-- Entry point of the /oauth/token chain: challenges the client with type "Basic". -->
<beans:bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="test/client" />
<beans:property name="typeName" value="Basic" />
</beans:bean>
<!-- Access Denied Handler -->
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<!-- This bean prepares the OAuth2 request from the incoming request parameters -->
<beans:bean id="oauth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<beans:constructor-arg ref="clientDetails"/>
</beans:bean>
<!-- Access Decision Manager -->
<!-- Used by the /Api/** chain. UnanimousBased denies access as soon as any voter votes to deny; the voters
consulted are the OAuth2 scope voter, the role voter and the authenticated voter. -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
我使用 http://localhost:8060/oauth/token?grant_type=password&client_id=nokia3320&client_secret=0987654321&username=subash&password=123456 请求令牌,得到以下响应
{
"access_token": "9f5a89ce-a0d9-4d65-8e83-5d3b16d8c025",
"token_type": "bearer",
"refresh_token": "c2ac82ec-9f41-46dd-b7c2-4772c018505c",
"expires_in": 499,
"scope": "read trust write"
}
当我试图使用http://localhost:8060/api/currencylist访问资源,并在Authorization中携带访问令牌时,我得到了以下响应
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
我想使用spring oauth2保护下面的资源
/**
 * Returns a fixed list of two hard-coded currencies, serialized as JSON.
 *
 * <p>No access-control annotation is present on this handler, so whether a request is
 * authenticated depends entirely on which {@code <http>} pattern of the security
 * configuration matches the request URL.
 *
 * <p>NOTE(review): the mapping here is {@code /currencyList}, the protected pattern in the
 * configuration is {@code /Api/**}, and the request in the question went to
 * {@code /api/currencylist}. Confirm that the class-level mapping prefix and the letter
 * case put this handler under the protected pattern.
 *
 * @return a new mutable list holding the two sample currencies, in insertion order
 */
@RequestMapping(
        value = "/currencyList",
        method = RequestMethod.GET,
        produces = {MediaType.APPLICATION_JSON_VALUE})
@ResponseBody
public List<CurrencyDTO> getCurrencyList() {
    // First sample entry.
    CurrencyDTO rupee = new CurrencyDTO();
    rupee.setCurrencyCode("NEP");
    rupee.setCurrencyName("Rupees");
    rupee.setId(1L);
    rupee.setSymbol("Rs");

    // Second sample entry.
    CurrencyDTO dollar = new CurrencyDTO();
    dollar.setCurrencyCode("AM");
    dollar.setCurrencyName("Dollar");
    dollar.setId(2L);
    dollar.setSymbol("$");

    List<CurrencyDTO> result = new ArrayList<>();
    result.add(rupee);
    result.add(dollar);
    return result;
}
我被这个问题困了大约两天。我该如何解决这个问题?
在我的例子中,问题出在我把API的URL配置成了公共URL。我的受OAuth保护的REST服务URL以/resource/api/**开头,但我在安全配置类中添加了
/**
 * Declares the request patterns that Spring Security ignores completely.
 *
 * <p>Requests matching an ignored pattern bypass the security filter chain, so no
 * authentication filter runs for them and no Authentication is placed in the
 * SecurityContext.
 *
 * @param web the web security builder to register the ignored patterns on
 * @throws Exception as declared by the overridden method
 */
@Override
public void configure(WebSecurity web) throws Exception {
    // NOTE(review): "/resource/**" also covers the OAuth-protected /resource/api/** URLs
    // described in the surrounding answer. That is why OAuth2AuthenticationProcessingFilter
    // was never invoked there. Limit this list to static assets and let the API paths go
    // through the resource-server chain.
    final String[] ignoredPatterns = {"/css/**", "/js/**", "/resource/**"};
    web.ignoring().antMatchers(ignoredPatterns);
}
因此,OAuth2AuthenticationProcessingFilter没有被调用,我的API服务器抛出了异常:在SecurityContext中没有找到Authentication对象。