问题:
使用传统Spring MVC的Spring Security OAuth 2
隆钊
为传统的非引导spring mvc应用程序设置spring-security-oauth2(密码授予类型)时会出现问题。
>
获取访问令牌:
curl-x post--user clientapp:123456 http://localhost:8080/oauth/token-h“accept:application/json”-h“content-type:application/x-www-form-urlencoded”-d“grant_type=password&username=adolfo&password=123&scope=read_profile”
回应:
{"access_token":"50c7c311-c73a-4a32-bc7e-6801bc64bbe0","token_type":"bearer","expires_in":41545,"scope":"read_profile"}
The request has not been applied because it lacks valid authentication credentials for the target resource.
配置
//资源服务器配置
@Configuration
@EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
//@formatter:off
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.requestMatchers()
.antMatchers("/api/**");
//@formatter:on
}
}
授权服务器配置
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.inMemory()
.withClient("clientapp")
.secret("123456")
//.autoApprove(true)
.redirectUris("http://localhost:9000/callback")
.authorizedGrantTypes("password")
.scopes("read_profile", "read_contacts");
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.passwordEncoder(NoOpPasswordEncoder.getInstance());
}
}
Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.usernameParameter("username")
.passwordParameter("password")
.loginPage("/signin")
.loginProcessingUrl("/authenticate")
.defaultSuccessUrl("/")
.failureUrl("/signin-error")
.permitAll();
}
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance())
//.passwordEncoder(passwordEncoder())
.withUser("adolfo")
.password("123")
.roles("USER");
}
}
@Controller
public class UserController {
@RequestMapping("/api/profile")
public ResponseEntity<UserProfile> profile() {
String username = (String) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal();
String email = username + "@mailinator.com";
UserProfile profile = new UserProfile();
profile.setName(username);
profile.setEmail(email);
return ResponseEntity.ok(profile);
}
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{ SecurityConfig.class, OAuth2AuthorizationServer.class, OAuth2ResourceServer.class,};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{DispatcherConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
@Override
protected Filter[] getServletFilters() {
DelegatingFilterProxy delegatingFilterProxy = new DelegatingFilterProxy("springSecurityFilterChain");
HiddenHttpMethodFilter hiddenHttpMethodFilter = new HiddenHttpMethodFilter();
return new Filter[] {delegatingFilterProxy,hiddenHttpMethodFilter};
}
}
2018-08-13 15:50:29,333 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/oauth/token']
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:157] Checking match of request : '/api/profile'; against '/oauth/token'
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/oauth/token_key']
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:157] Checking match of request : '/api/profile'; against '/oauth/token_key'
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/oauth/check_token']
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:157] Checking match of request : '/api/profile'; against '/oauth/check_token'
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:72] No matches found
2018-08-13 15:50:29,334 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/api/**']
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:157] Checking match of request : '/api/profile'; against '/api/**'
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:68] matched
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.FilterChainProxy [FilterChainProxy.java:328] /api/profile at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.FilterChainProxy [FilterChainProxy.java:328] /api/profile at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.FilterChainProxy [FilterChainProxy.java:328] /api/profile at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.FilterChainProxy [FilterChainProxy.java:328] /api/profile at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/logout', GET]
2018-08-13 15:50:29,335 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:157] Checking match of request : '/api/profile'; against '/logout'
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/logout', POST]
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:137] Request 'GET /api/profile' doesn't match 'POST /logout
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/logout', PUT]
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:137] Request 'GET /api/profile' doesn't match 'PUT /logout
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:65] Trying to match using Ant [pattern='/logout', DELETE]
2018-08-13 15:50:29,336 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.AntPathRequestMatcher [AntPathRequestMatcher.java:137] Request 'GET /api/profile' doesn't match 'DELETE /logout
2018-08-13 15:50:29,337 DEBUG [http-nio-8080-exec-10] o.s.s.w.u.m.OrRequestMatcher [OrRequestMatcher.java:72] No matches found
2018-08-13 15:50:29,337 DEBUG [http-nio-8080-exec-10] o.s.s.w.FilterChainProxy [FilterChainProxy.java:328] /api/profile at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-08-13 15:50:29,347 DEBUG [http-nio-8080-exec-10] o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter [OAuth2AuthenticationProcessingFilter.java:165] Authentication request failed: error="invalid_token", error_description="Invalid access token: d86d8105-9edf-44dd-94b6-36542cade80f"
2018-08-13 15:50:29,365 DEBUG [http-nio-8080-exec-10] o.s.s.w.h.w.HstsHeaderWriter [HstsHeaderWriter.java:129] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5337f7a
2018-08-13 15:50:29,365 DEBUG [http-nio-8080-exec-10] o.s.s.o.p.e.DefaultOAuth2ExceptionRenderer [DefaultOAuth2ExceptionRenderer.java:101] Written [error="invalid_token", error_description="Invalid access token: d86d8105-9edf-44dd-94b6-36542cade80f"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@734d0eb7]
2018-08-13 15:50:29,366 DEBUG [http-nio-8080-exec-10] o.s.s.w.c.SecurityContextPersistenceFilter [SecurityContextPersistenceFilter.java:119] SecurityContextHolder now cleared, as request processing completed
共有1个答案
姜明贤
我在StackTrace中看不到OAuth2AuthenticationProcessingFilter。我认为这是因为@order(2)注释放置在SecurityConfig类上。您的web安全配置与Spring的内部配置冲突(org.springframework.security.oauth2.config.annotation.web.configuration.resourceserverconfiguration)。尝试从SecurityConfig类中删除@order注释。
编辑
获得401响应的另一个原因是使用org.springframework.security.oauth2.provider.token.tokenstore的不同实例:一个用于存储新创建的令牌,另一个用于身份验证。当org.springframework.web.servlet.config.annotation.webmvcconfigurer的实现引用(例如,通过componentscan注释)已经声明为根配置类的其他配置时,servlet初始化器的错误配置可能会导致这种情况。它导致创建两个相互冲突的应用程序上下文。
ServletConfig实现org.springframework.web.servlet.config.annotation.webmvcconfigurer;AuthorizationServerConfig;ResourceServerConfig.
有两种方法可以配置servlet初始化器。第一个是从GetServletConfigClasses方法返回ServletConfig类:
public class MyServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] {AuthorizationServerConfig.class, AuthorizationServerConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[] {ServletConfig.class};
}
}
通过选择这种方式,您应该确保不将根配置中的类包含到servlet配置中(不要对根配置类所在的包从ServletConfig类运行组件扫描)。
第二种方法是将ServletConfig移动到从GetServletConfigClasss返回null的根配置类:
public class MyServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] {ServletConfig.class, AuthorizationServerConfig.class, AuthorizationServerConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return null;
}
}
只要不需要多个dispatcher servlets,选择第二种方式是完全可以的。
类似资料:
-
本文向大家介绍SpringMVC 文件上传配置,多文件上传,使用的MultipartFile的实例,包括了SpringMVC 文件上传配置,多文件上传,使用的MultipartFile的实例的使用技巧和注意事项,需要的朋友参考一下 基本的SpringMVC的搭建在我的上一篇文章里已经写过了,这篇文章主要说明一下如何使用SpringMVC进行表单上的文件上传以及多个文件同时上传的步骤 文件上传项目的
-
本文向大家介绍SpringMVC ModelAndView的用法使用详解,包括了SpringMVC ModelAndView的用法使用详解的使用技巧和注意事项,需要的朋友参考一下 (一)使用ModelAndView类用来存储处理完后的结果数据,以及显示该数据的视图。从名字上看ModelAndView中的Model代表模型,View代表视图,这个名字就很好地解释了该类的作用。业务处理器调用模型层处理
-
本文向大家介绍SpringMVC @ControllerAdvice使用场景,包括了SpringMVC @ControllerAdvice使用场景的使用技巧和注意事项,需要的朋友参考一下 这篇文章主要介绍了SpringMVC @ControllerAdvice使用场景,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下 @ControllerAdvic
-
传统的色彩组合常常是从那些具有历史意义的色彩那里仿来的。蓝、暗红、褐和绿等保守的颜色加上了灰色或是加深了色彩,都可表达传统的主题。 例如,绿,不管是纯色或是加上灰色的暗色,都象征财富。 狩猎绿(hunter green)配上浓金或是暗红或是黑色表示稳定与富有。这种色彩常出现在银行和律师事务所的装潢上,因为它们代表恒久与价值。 补色色彩组合 二次色色彩组合 单色色彩组合 5 49 1 49 49 1
-
我不是在构建一个单页应用程序,而是在某些地方使用AngularJS的“传统”站点。我遇到了以下问题(使用1.3.0-beta.6): 标准,工作锚链接: 那很好。现在我在某处介绍一个模板: 可通过以下方式调用: 部分已正确包含,但锚链接不再工作。点击链接文本现在将显示的URL更改为而不是并且页面位置不会更改。 我的理解是,使用隐式地告诉Angular我想要使用routes系统并覆盖浏览器的本机锚链
-
本文向大家介绍SpringMVC的简单传值(实现代码),包括了SpringMVC的简单传值(实现代码)的使用技巧和注意事项,需要的朋友参考一下 之前学习SpringMVC时感觉他的传值很神奇:简便,快捷,高效。 今天写几个简单的传值与大家分享,希望能对大家有帮助。 一、 从后往前传: (1) 把想要传递的东西放在addObject(String,Object)里,值是Object类型,什么都可以放