Question:

Spring OAuth2 Authorization_Grant - cannot access the resource after getting a token - user is anonymous

端木元青
2023-03-14

I am trying to secure my REST API with Spring's authorization grant flow.

    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository[186] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository[116] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6e24700e. A new one will be created.
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.h.writers.HstsHeaderWriter[130] - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3e385c64
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy[325] - /api/user at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter[100] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1FF11055AA4F347AB8AA7B6E467D93F; Granted Authorities: ROLE_ANONYMOUS'
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor[219] - Secure object: FilterInvocation: URL: /api/user; Attributes: [authenticated]
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor[348] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1FF11055AA4F347AB8AA7B6E467D93F; Granted Authorities: ROLE_ANONYMOUS
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.access.vote.AffirmativeBased[66] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@53b3549c, returned: -1
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.ExceptionTranslationFilter[173] - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    import javax.sql.DataSource;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
    import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

    // @Configuration is required for @EnableResourceServer to be picked up by the context.
    @Configuration
    @EnableResourceServer
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        private final Logger logger = LoggerFactory.getLogger(ResourceServerConfig.class);

        @Autowired
        DataSource dataSource;

        // Rules for the protected API: every /api/** request needs ROLE_USER, and an
        // unauthenticated request gets a plain 403 instead of a redirect to a login page.
        @Override
        public void configure(HttpSecurity http) throws Exception {
            logger.debug("Api security configured");
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().access("hasRole('USER')")
                .and()
                    .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
                    .httpBasic();
        }

        // Bearer tokens are looked up in the same database the authorization server writes to.
        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore());
        }
    }
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        // The application's AuthenticationManager, exposed under this bean name by a
        // WebSecurityConfigurerAdapter; it authenticates the resource owner at login.
        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authManager;

        // /oauth/token_key is public, /oauth/check_token needs an authenticated caller.
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

        // Registered clients (client_id, secret, grant types, redirect URIs) live in the oauth_client_details table.
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.jdbc(dataSource);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore()).authenticationManager(authManager);
        }

        // Issued tokens are persisted in the oauth_access_token / oauth_refresh_token tables.
        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }
    }

I am trying to access /api/user using this auth bearer 77A226BF-74A4-4A89-B2A6-E130C215566B, which came from the auth server's token request after the user logged in...

What is wrong?

1 answer

舒赞
2023-03-14

I ran into the same problem after updating Spring Boot from 1.4 to 1.5. It was solved by disabling Boot's auto-configuration black magic.

@EnableAutoConfiguration(exclude = {OAuth2AutoConfiguration.class})

I believe they added some new ~~bugs~~ features that break old application configurations.
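Why the exclusion works is visible in the question's own log: the request to /api/user was served by a 14-filter chain that ran AnonymousAuthenticationFilter but no OAuth2AuthenticationProcessingFilter, and the access attribute it evaluated was `[authenticated]`, not the `hasRole('USER')` configured in ResourceServerConfig. A different filter chain claimed the request, so the Bearer header was never read. In Spring Boot 1.5 the OAuth2 auto-configuration re-orders every `ResourceServerConfiguration` bean to `security.oauth2.resource.filter-order`, whose default moved from 3 to `SecurityProperties.ACCESS_OVERRIDE_ORDER - 1`; that places the resource-server chain after any application WebSecurityConfigurerAdapter at the default order 100, which then matches `/api/**` first. Excluding `OAuth2AutoConfiguration` drops that re-ordering and the resource-server chain keeps its built-in order 3. The following is an added example, not code from the original post, of a minimal Boot 1.5 application that applies the answer's exclusion next to the kind of WebSecurityConfigurerAdapter that produces the symptom; the package `com.example.oauthdemo`, the `WebSecurityConfig` class, the in-memory user and the `UserController` are assumptions for illustration, and the ResourceServerConfig and AuthorizationServerConfig from the question are assumed to be in the same package.

```java
package com.example.oauthdemo;  // assumed package name, not from the original post

import java.security.Principal;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.OAuth2AutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Excluding OAuth2AutoConfiguration removes Boot 1.5's ResourceServerFilterChainOrderProcessor,
// the BeanPostProcessor that sets every ResourceServerConfiguration to
// security.oauth2.resource.filter-order (default SecurityProperties.ACCESS_OVERRIDE_ORDER - 1).
// Without it the @EnableResourceServer chain keeps its built-in order 3 and is consulted
// before WebSecurityConfig below (WebSecurityConfigurerAdapter's default order is 100).
@SpringBootApplication(exclude = OAuth2AutoConfiguration.class)
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

// The application's ordinary security chain: form login for /oauth/authorize and everything
// that is not an API call. It has no antMatcher() restricting it, so with the 1.5 ordering it
// matched /api/user first. This chain carries no OAuth2AuthenticationProcessingFilter, which is
// why the question's log shows an AnonymousAuthenticationToken and the attribute "[authenticated]".
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo-only in-memory resource owner (Spring Security 4.x, no password encoder prefix);
        // a real deployment plugs in its UserDetailsService here.
        auth.inMemoryAuthentication()
            .withUser("alice").password("alice-password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()   // the "[authenticated]" attribute seen in the log
            .and()
                .formLogin();
    }

    // Publishes the manager under the bean name "authenticationManagerBean" that the
    // question's AuthorizationServerConfig injects with @Qualifier.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

// The resource the question tries to reach with the bearer token.
@RestController
class UserController {

    @GetMapping("/api/user")
    public String user(Principal principal) {
        // When the resource-server chain is in front, `principal` is the OAuth2Authentication
        // built from the token; with the broken ordering this handler was never reached.
        return principal.getName();
    }
}
```

With this ordering a request carrying `Authorization: Bearer <token>` to /api/user is logged by FilterChainProxy as passing through `OAuth2AuthenticationProcessingFilter`, and FilterSecurityInterceptor evaluates `hasRole('USER')` rather than `[authenticated]`. If you would rather keep the auto-configuration, `security.oauth2.resource.filter-order=3` in application.properties restores the 1.4 ordering instead of the exclusion (this is the option Boot's 1.5 release notes give). Two caveats: the exclusion also removes Boot's handling of the other `security.oauth2.*` properties, which is harmless here because client details and the token store are declared explicitly; and a ResourceServerConfigurerAdapter that omits `antMatcher("/api/**")` would, at order 3, swallow every request including the login page, so keep that matcher.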
