我正在使用一个简单的应用程序测试SpringAuthorizationServer0.2.1,该应用程序使用REST控制器在GET(“/message”)上返回字符串。
带有基本Auth头的POST to“/oauth2/token”将成功检索JWT令牌,但当客户端使用该令牌时,应用程序将以403禁止回复。
流程如下所示:
access_token_a
授权:承载account_token_a
access_token_b
授权:承载account_token_b
你好有
检查日志,我可以看到,在获得access_token(1)的第一个POST中,没有创建HTTP会话,因此SecurityContext没有存储在会话中。
2022-01-10 15:27:53.971 DEBUG 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing POST /oauth2/token
2022-01-10 15:27:53.973 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (1/20)
2022-01-10 15:27:53.979 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (2/20)
2022-01-10 15:27:53.980 TRACE 25384 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2022-01-10 15:27:53.981 TRACE 25384 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-01-10 15:27:53.983 DEBUG 25384 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-01-10 15:27:53.984 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (3/20)
2022-01-10 15:27:53.984 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (4/20)
2022-01-10 15:27:53.986 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer$$Lambda$603/0x000000080043d040@3811510]]]
2022-01-10 15:27:53.986 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/20)
2022-01-10 15:27:53.987 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2022-01-10 15:27:53.987 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationEndpointFilter (6/20)
2022-01-10 15:27:53.987 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking OidcProviderConfigurationEndpointFilter (7/20)
2022-01-10 15:27:53.987 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking NimbusJwkSetEndpointFilter (8/20)
2022-01-10 15:27:53.987 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (9/20)
2022-01-10 15:27:53.988 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2ClientAuthenticationFilter (10/20)
2022-01-10 15:27:53.991 TRACE 25384 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2ClientAuthenticationProvider (1/9)
2022-01-10 15:27:53.991 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (11/20)
2022-01-10 15:27:53.991 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache : No saved request
2022-01-10 15:27:53.991 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (12/20)
2022-01-10 15:27:53.993 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (13/20)
2022-01-10 15:27:53.993 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=null], Granted Authorities=[]]
2022-01-10 15:27:53.993 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (14/20)
2022-01-10 15:27:53.993 TRACE 25384 --- [nio-8080-exec-1] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2022-01-10 15:27:53.994 TRACE 25384 --- [nio-8080-exec-1] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2022-01-10 15:27:53.997 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (15/20)
2022-01-10 15:27:53.997 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (16/20)
2022-01-10 15:27:53.997 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=null], Granted Authorities=[]] before authorizing
2022-01-10 15:27:53.998 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /oauth2/token] with attributes [authenticated]
2022-01-10 15:27:54.003 DEBUG 25384 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /oauth2/token] with attributes [authenticated]
2022-01-10 15:27:54.004 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Did not switch RunAs authentication since RunAsManager returned null
2022-01-10 15:27:54.004 TRACE 25384 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Invoking OAuth2TokenEndpointFilter (17/20)
2022-01-10 15:27:54.010 TRACE 25384 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2ClientCredentialsAuthenticationProvider (1/9)
2022-01-10 15:27:54.147 TRACE 25384 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2022-01-10 15:27:54.152 DEBUG 25384 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
HTTP会话将在GET请求(3)上创建,但找不到SecurityContext,因此请求将失败,403禁止
2022-01-10 15:27:59.854 DEBUG 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Securing GET /message
2022-01-10 15:27:59.855 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (1/11)
2022-01-10 15:27:59.855 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (2/11)
2022-01-10 15:27:59.876 DEBUG 25384 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Created session FC68E4563F8E775A591D1632F2C7456E eagerly
2022-01-10 15:27:59.876 TRACE 25384 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession FC68E4563F8E775A591D1632F2C7456E using the SPRING_SECURITY_CONTEXT session attribute
2022-01-10 15:27:59.876 TRACE 25384 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-01-10 15:27:59.876 DEBUG 25384 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-01-10 15:27:59.876 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (3/11)
2022-01-10 15:27:59.876 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (4/11)
2022-01-10 15:27:59.876 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/11)
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (6/11)
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.s.w.s.HttpSessionRequestCache : No saved request
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (7/11)
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (8/11)
2022-01-10 15:27:59.877 TRACE 25384 --- [nio-8080-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[ROLE_ANONYMOUS]]
2022-01-10 15:27:59.878 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (9/11)
2022-01-10 15:27:59.878 DEBUG 25384 --- [nio-8080-exec-2] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id A75734F37AD5AA7C76AA39F041B1C505
2022-01-10 15:27:59.878 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (10/11)
2022-01-10 15:27:59.878 TRACE 25384 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (11/11)
2022-01-10 15:27:59.880 TRACE 25384 --- [nio-8080-exec-2] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@764a97f0]
2022-01-10 15:27:59.880 TRACE 25384 --- [nio-8080-exec-2] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@764a97f0] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@a2fdca
2022-01-10 15:27:59.889 TRACE 25384 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.authorization.AuthorizationManager.verify(AuthorizationManager.java:44) ~[spring-security-core-5.6.1.jar:5.6.1]
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:57) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.6.1.jar:5.6.1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.14.jar:5.3.14]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.14.jar:5.3.14]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.14.jar:5.3.14]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1732) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.56.jar:9.0.56]
at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
2022-01-10 15:27:59.898 DEBUG 25384 --- [nio-8080-exec-2] o.s.s.w.s.HttpSessionRequestCache : Saved request http://10.20.1.192:8080/message to session
2022-01-10 15:27:59.898 DEBUG 25384 --- [nio-8080-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2022-01-10 15:27:59.898 TRACE 25384 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2022-01-10 15:27:59.898 DEBUG 25384 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-01-10 15:27:59.898 DEBUG 25384 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-01-10 15:27:59.898 DEBUG 25384 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
在获取新JWT令牌(5)的第二篇文章中,存在HTTP会话,因此SecurityContext将保存在那里,并在以后重新使用。因此,GET请求(7)将成功。
2022-01-10 15:28:08.152 DEBUG 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing POST /oauth2/token
2022-01-10 15:28:08.152 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (1/20)
2022-01-10 15:28:08.152 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (2/20)
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession FC68E4563F8E775A591D1632F2C7456E using the SPRING_SECURITY_CONTEXT session attribute
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2022-01-10 15:28:08.153 DEBUG 25384 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (3/20)
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (4/20)
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer$$Lambda$603/0x000000080043d040@3811510]]]
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/20)
2022-01-10 15:28:08.153 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2022-01-10 15:28:08.154 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationEndpointFilter (6/20)
2022-01-10 15:28:08.154 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking OidcProviderConfigurationEndpointFilter (7/20)
2022-01-10 15:28:08.154 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking NimbusJwkSetEndpointFilter (8/20)
2022-01-10 15:28:08.154 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (9/20)
2022-01-10 15:28:08.154 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking OAuth2ClientAuthenticationFilter (10/20)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2ClientAuthenticationProvider (1/9)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (11/20)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.s.HttpSessionRequestCache : Did not match request /oauth2/token to the saved one DefaultSavedRequest [http://10.20.1.192:8080/message]
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (12/20)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (13/20)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[]]
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (14/20)
2022-01-10 15:28:08.155 TRACE 25384 --- [nio-8080-exec-3] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2022-01-10 15:28:08.156 DEBUG 25384 --- [nio-8080-exec-3] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from FC68E4563F8E775A591D1632F2C7456E
2022-01-10 15:28:08.158 TRACE 25384 --- [nio-8080-exec-3] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2022-01-10 15:28:08.159 DEBUG 25384 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@7f25256d]
2022-01-10 15:28:08.159 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (15/20)
2022-01-10 15:28:08.159 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (16/20)
2022-01-10 15:28:08.159 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[]] before authorizing
2022-01-10 15:28:08.159 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /oauth2/token] with attributes [authenticated]
2022-01-10 15:28:08.160 DEBUG 25384 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /oauth2/token] with attributes [authenticated]
2022-01-10 15:28:08.160 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Did not switch RunAs authentication since RunAsManager returned null
2022-01-10 15:28:08.160 TRACE 25384 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking OAuth2TokenEndpointFilter (17/20)
2022-01-10 15:28:08.160 TRACE 25384 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2ClientCredentialsAuthenticationProvider (1/9)
2022-01-10 15:28:08.181 TRACE 25384 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2022-01-10 15:28:08.182 DEBUG 25384 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@7f25256d]
2022-01-10 15:28:08.182 DEBUG 25384 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2ClientAuthenticationToken [Principal=prometheus-client, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.20.1.192, SessionId=FC68E4563F8E775A591D1632F2C7456E], Granted Authorities=[]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@7f25256d]
2022-01-10 15:28:08.182 DEBUG 25384 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
我使用配置https://github.com/spring-projects/spring-security-samples/blob/main/servlet/spring-boot/java/oauth2/authorization-server/src/main/java/example/OAuth2AuthorizationServerSecurityConfiguration.java但禁用登录页面。
这是一个错误还是配置有问题?
谢谢
由于您使用的是客户端\u凭据
,因此不应依赖会话。您也不需要禁用formLogin()
的第二个筛选器链。
在调查您的示例时,您似乎正在尝试在授权服务器中包含资源服务器(简单的控制器)。这是一个不正确的设置。它应该是一个单独部署的应用程序,并正确配置为资源服务器,如项目中提供的示例所示。
我在下面设置Spring配置: 和Maven设置如下:
顺便说一句,这些微服务只会通过中间件层互相交谈,我的意思是不需要用户凭据来允许授权(用户登录过程如Facebook)。 我在Internet上寻找了一些示例,展示了如何创建一个授权和资源服务器来管理这种通信。然而,我只是找到了一些例子,解释了如何使用用户凭据(三条腿)来实现它。 有没有人有在Spring Boot和Oauth2中如何做的样例?如果有可能提供更多关于所用范围的详细信息,令牌交换将不胜
直截了当的问题,希望有一个直截了当的答案。我试图使用request通过Node.js实现客户端凭证流。这是我的代码 无论我做什么,响应体总是 我尝试过使用 curl 提出请求,结果相同。 这意味着这是凭据的问题。我肯定为我的应用程序使用了正确的客户端ID和客户端秘密,这让我相信是编码导致了问题。 我的编码正确吗?如果是这样,还有什么原因呢?
问题内容: 我正在尝试了解和实现新的REST服务器与现有的客户端应用程序之间的客户端凭证流。我已经像这样设置了spring-security OAuth2 。从到目前为止的理解来看,我的服务器现在应该支持以下请求: 但我明白了 由引起的是这里(弹簧安全码): 看来,我需要首先 针对服务器 进行 身份验证 。但这 不是我想做的 。我希望我的两个服务器使用共享密钥相互通信。OAuth提供者服务器应应请
我试图使用spring OAuth2在Spring Boot服务中实现服务到服务的安全性。我希望一个服务访问另一个服务的安全资源,而不涉及任何用户操作。 我可以设置auth服务器并使用curl请求获取令牌。我发现的测试使用Http对象来检查状态代码。 如何在具有RestTemplate和spring OAuth2的java客户机中使用客户机凭据授权类型? 我想它一定像添加一个依赖项、一个注释和一个
我的应用程序中出现“未授权”错误。我使用的是Spring Security和oauth2。我的客户端和用户存储在数据库中。当我开始使用数据库中的客户端时,PostMan中出现了错误401。客户端正在保存到数据库中,但当我想从localhost:8080/oauth/token获取令牌访问时,仍然出现错误。以下是我的来源: 授权服务器配置: public class AuthorizationSer