当前位置: 首页 > 知识库问答 >
问题:

在oauth2的SecurityContext中找不到身份验证对象

林魁
2023-03-14

我有一个使用spring security oauth2进行安全连接的项目。下面是我的spring配置文件。

Spring-安全.xml :

        <?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
        xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
        xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd ">

    <!-- @author Nagesh.Chauhan(neel4soft@gmail.com) -->
        <!-- This is default url to get a token from OAuth -->
        <http pattern="/oauth/token" create-session="stateless"
            authentication-manager-ref="clientAuthenticationManager"
            xmlns="http://www.springframework.org/schema/security">
            <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
            <anonymous enabled="false" />
            <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
            <!-- include this only if you need to authenticate clients via request 
                parameters -->
            <custom-filter ref="clientCredentialsTokenEndpointFilter"
                after="BASIC_AUTH_FILTER" />
            <access-denied-handler ref="oauthAccessDeniedHandler" />
        </http>

        <!-- This is where we tells spring security what URL should be protected 
            and what roles have access to them -->
        <http pattern="/protected/**" create-session="never"
            entry-point-ref="oauthAuthenticationEntryPoint"
            access-decision-manager-ref="accessDecisionManager"
            xmlns="http://www.springframework.org/schema/security">
            <anonymous enabled="false" />
            <intercept-url pattern="/protected/**" access="ROLE_APP" />
            <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
            <access-denied-handler ref="oauthAccessDeniedHandler" />
        </http>


        <bean id="oauthAuthenticationEntryPoint"
            class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
            <property name="realmName" value="test" />
        </bean>

        <bean id="clientAuthenticationEntryPoint"
            class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
            <property name="realmName" value="test/client" />
            <property name="typeName" value="Basic" />
        </bean>

        <bean id="oauthAccessDeniedHandler"
            class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

        <bean id="clientCredentialsTokenEndpointFilter"
            class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
            <property name="authenticationManager" ref="clientAuthenticationManager" />
        </bean>

        <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
            xmlns="http://www.springframework.org/schema/beans">
            <constructor-arg>
                <list>
                    <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                    <bean class="org.springframework.security.access.vote.RoleVoter" />
                    <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                </list>
            </constructor-arg>
        </bean>

        <authentication-manager id="clientAuthenticationManager"
            xmlns="http://www.springframework.org/schema/security">
            <authentication-provider user-service-ref="clientDetailsUserService" />
        </authentication-manager>


        <!-- This is simple authentication manager, with a hardcoded user/password 
            combination. We can replace this with a user defined service to get few users 
            credentials from DB -->
        <authentication-manager alias="authenticationManager"
            xmlns="http://www.springframework.org/schema/security">
            <authentication-provider>
                <user-service>
                    <user name="user1" password="user1" authorities="ROLE_APP" />
                </user-service>
            </authentication-provider>
        </authentication-manager>

        <bean id="clientDetailsUserService"
            class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
            <constructor-arg ref="clientDetails" />
        </bean>


        <!-- This defined token store, we have used inmemory tokenstore for now 
            but this can be changed to a user defined one -->
        <bean id="tokenStore"
            class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

        <!-- This is where we defined token based configurations, token validity 
            and other things -->
        <bean id="tokenServices"
            class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
            <property name="tokenStore" ref="tokenStore" />
            <property name="supportRefreshToken" value="true" />
            <property name="accessTokenValiditySeconds" value="3600" />
            <property name="refreshTokenValiditySeconds" value="5270400"></property>
            <property name="clientDetailsService" ref="clientDetails" />
        </bean>

        <bean id="oAuth2RequestFactory"
              class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
            <constructor-arg ref="clientDetails"/>
        </bean>
        <bean id="userApprovalHandler"
            class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
            <property name="tokenStore" ref="tokenStore" />
            <property name="requestFactory" ref="oAuth2RequestFactory"/>
        </bean>
        <oauth:authorization-server
            client-details-service-ref="clientDetails" token-services-ref="tokenServices"
            user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/protected" token-endpoint-url="/oauth/token">
            <oauth:authorization-code />
            <oauth:implicit />
            <oauth:refresh-token />
            <oauth:client-credentials />
            <oauth:password />
        </oauth:authorization-server>

        <oauth:resource-server id="resourceServerFilter"
            resource-id="test" token-services-ref="tokenServices" />

        <oauth:client-details-service id="clientDetails">
            <!-- client -->
                        <oauth:client client-id="client1"
                authorized-grant-types="authorization_code,client_credentials"
                authorities="ROLE_APP" scope="read,write,trust" secret="secret" />        

        <oauth:client client-id="client1"
                authorized-grant-types="password,authorization_code,refresh_token,implicit"
                secret="client1" authorities="ROLE_APP" />

        </oauth:client-details-service>

        <sec:global-method-security
            pre-post-annotations="enabled" proxy-target-class="true">
            <!--you could also wire in the expression handler up at the layer of the 
                http filters. See https://jira.springsource.org/browse/SEC-1452 -->
            <sec:expression-handler ref="oauthExpressionHandler" />
        </sec:global-method-security>

        <oauth:expression-handler id="oauthExpressionHandler" />
        <oauth:web-expression-handler id="oauthWebExpressionHandler" />
    </beans>

当我使用以下请求请求oauth访问令牌时,我将获得如下访问和刷新令牌。

请求是

curl -X POST http://localhost:8080/SaveItMoneyOauth/oauth/token -H “Accept: application/json” -d "grant_type=password&client_id=client1&client_secret=client1&username=user1&password=user1&scope=read,write,trust"

回应是:

{"value":"4796a04a-2266-4184-a1be-e4248cea7ba8","expiration":"Jul 11, 2016 12:15:34 PM","tokenType":"bearer","refreshToken":{"expiration":"Sep 10, 2016 11:15:34 AM","value":"87509989-0ea9-4372-87aa-22290ae0c98e"},"scope":["read,write,trust"],"additionalInformation":{}}curl: (6) Could not resolve host: application

然后,当我使用下面的请求请求受保护的资源时,我收到“在SecurityContext中找不到身份验证对象”作为错误。

请求是 :

curl -H "access_token=4796a04a-2266-4184-a1be-e4248cea7ba8"  "http://localhost:8080/SaveItMoneyOauth/protected/users/api"

我使用“2.0.7.RELEASE”作为oauth2库。如何解决这个错误。请帮助我。

共有1个答案

公孙森
2023-03-14

CURL 命令错误,需要在授权标头中提供访问令牌。试试这个:

curl -H "Authorization: Bearer 4796a04a-2266-4184-a1be-e4248cea7ba8"  "http://localhost:8080/SaveItMoneyOauth/protected/users/api"
 类似资料:
  • 问题内容: 我试图从成功登录后实现接口的类(Spring 3.2.2和Spring Security 3.2.0 M1)中调用受保护的方法。这是我以前的问题。 该应用程序在以下环境下运行。 Spring 3.2.2 Spring Security 3.2.0 JPA 2.0 JSF 2.1.9 MySQL 5.6.11 JDK-7u11 NetBeans 7.2.1 我已经将以下与Spring安全

  • 我是Spring Boot和Spring Security的新手,继承了一个使用它们的webapp项目。我们将把webapp迁移到新的部署环境中。我们要改变的事情之一是认证机制,以便它能在新环境中运行。同时,我想使用一些现有的PostMan测试来测试RESTendpoint,绕过安全性。基本上,我想暂时禁用安全。 我有一个提供全局方法级安全性的类: 我有多个控制器类,例如,一个类 如果我尝试运行邮

  • 在Spring Boot应用程序中,我有一个内存中的Spring Security设置。它可以按照期望工作。 现在,我用以下代码将其转换为基于数据库的方法。 存储库: UserDetailsService: 以及对WebSecurity配置适配器配置的修改: 当我发送与内存版本相同的用户名和密码作为基本身份验证的请求时,我会得到401错误: 在阅读了一些相关文档和示例代码后,我看不出错误的原因。错

  • 我有一个实现Spring Security和Spring OAuth2安全的项目。当我请求访问令牌时,它工作得很好,但当我使用访问令牌请求资源时,我得到了“在SecurityContext中没有找到身份验证对象”。 我的项目的SecurityContext是: 我使用http://localhost:8060/oauth/token请求令牌?grant_type=password&client_i

  • 我使用Spring Security Oauth2和JWT将客户端应用程序登录/授权到授权服务器应用程序,这两个应用程序都是用Spring Boot2构建的。 在客户端应用程序中,我手动执行登录,从授权服务器检索JWT令牌,然后在代码中执行 然后我想在客户端应用程序流的稍后部分检索令牌: 但oauth对象为空。

  • 我目前正在使用Spring Security Oauth2 2.0.7版的一个相当普通的设置。与JdbcTokenStore一起发布,最近遇到了一个有趣的问题。 我知道,当访问令牌被创建和存储时,对象被序列化,并持久化到数据库中。我知道这是必要的,并且在以后在请求中使用访问令牌时使用。问题是,我的对象(Spring Security的用户详细信息接口的自定义iml)与我的应用程序域中的其他对象相关