Spring OAuth2 "Full authentication is required to access this resource"

I'm trying to use Spring OAuth2 for my REST app. But it looks like I made a mistake and I can't find where I made it. The flow should be:

1. get a token from /oauth/token with username and password
2. make a request to /security with the provided token

MethodSecurityConfig:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    private SecurityConfiguration securityConfig;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

OAuth2ServerConfig:

@Configuration
public class OAuth2ServerConfig {

    private static final String RESOURCE_ID = "nessnity";

    @Configuration
    @Order(10)
    protected static class UiResourceConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers().antMatchers("/security")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/security").access("hasRole('USER')");
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources.resourceId(RESOURCE_ID);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers().antMatchers("/security/")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/security").access("#oauth2.hasScope('read')");
        }

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private UserApprovalHandler userApprovalHandler;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                    .withClient("my-client")
                    .resourceIds(RESOURCE_ID)
                    .authorizedGrantTypes("client_credentials")
                    .authorities("ROLE_CLIENT")
                    .scopes("read")
                    .secret("password")
                    .accessTokenValiditySeconds(60);
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                    .tokenStore(tokenStore)
                    .userApprovalHandler(userApprovalHandler)
                    .authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.realm("sparklr2/client");
        }

    }

    protected static class Stuff {

        @Autowired
        private ClientDetailsService clientDetailsService;

        @Autowired
        private TokenStore tokenStore;

        @Bean
        public ApprovalStore approvalStore() throws Exception {
            TokenApprovalStore store = new TokenApprovalStore();
            store.setTokenStore(tokenStore);
            return store;
        }

        @Bean
        @Lazy
        @Scope(proxyMode=ScopedProxyMode.TARGET_CLASS)
        public SparklrUserApprovalHandler userApprovalHandler() throws Exception {
            SparklrUserApprovalHandler handler = new SparklrUserApprovalHandler();
            handler.setApprovalStore(approvalStore());
            handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
            handler.setClientDetailsService(clientDetailsService);
            handler.setUseApprovalStore(true);
            return handler;
        }
    }

}

SecurityConfiguration:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("root")
                .password("password")
                .roles("USER");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/oauth/uncache_approvals", "/oauth/cache_approvals");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().hasRole("USER");
    }
}

Problem: when I tried to get a token

curl --user root:password --data "grant_type=client_credentials" http://localhost:8080/oauth/token

I got this message:

{"error":"invalid_client","error_description":"Bad client credentials"}

The second question is how to pass username/password in the URL params, like /oauth/token?username=root&password=password ?

Thanks.

UPDATE

I decided to start from scratch and use XML configuration.

The following configuration works perfectly:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <http pattern="/oauth/token" create-session="stateless"
          authentication-manager-ref="authenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <anonymous enabled="false"/>
        <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <bean id="clientCredentialsTokenEndpointFilter"
          class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <authentication-manager alias="authenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService"/>
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <bean id="clientDetails" class="com.nessnity.api.security.OAuthClienDetailsService">
        <property name="id" value="testuser"/>
        <property name="secretKey" value="secret" />
    </bean>

    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="springsec/client"/>
        <property name="typeName" value="Basic"/>
    </bean>

    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

    <oauth:authorization-server
            client-details-service-ref="clientDetails"
            token-services-ref="tokenServices">
        <oauth:authorization-code/>
        <oauth:implicit/>
        <oauth:refresh-token/>
        <oauth:client-credentials/>
        <oauth:password authentication-manager-ref="userAuthenticationManager"/>
    </oauth:authorization-server>

    <authentication-manager id="userAuthenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider ref="customUserAuthenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <bean id="customUserAuthenticationProvider"
          class="com.nessnity.api.security.OAuthUserAuthenticationProvider">
    </bean>

    <bean id="tokenServices"
          class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="supportRefreshToken" value="true"/>
        <property name="accessTokenValiditySeconds" value="900000000"/>
        <property name="clientDetailsService" ref="clientDetails"/>
    </bean>

    <bean id="tokenStore"
          class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    </bean>

    <http pattern="/resources/**" create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false"/>
        <intercept-url pattern="/resources/**" method="GET"/>
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <oauth:resource-server id="resourceServerFilter"
                           resource-id="springsec" token-services-ref="tokenServices"/>

</beans>

I have faced a similar issue; for me it worked after doing the following change.

In your AuthorizationServerConfiguration class replace

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.realm("sparklr2/client");
        }

with the code below

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        //oauthServer.realm("sparklr2/client");
        oauthServer.allowFormAuthenticationForClients();
    }

and the request should look like

/oauth/token?grant_type=password&scope=read+write&client_id=yourclientId&client_secret=secret&username=userName&password=pwd

In your access token request you are using the client credentials grant type. The OAuth spec says that in the case of the client_credentials grant type you need to provide the base64-encoded client_id:client_secret as a Basic Authorization header. For example, if your client_id is google and your client_secret is x23r-ss56-rfg8-6yt6, then you need to join these strings as google:x23r-ss56-rfg8-6yt6, encode that using a Base64 encoder and make the request as

curl --header "Authorization: Basic <base64 encoded_string>" --data "grant_type=client_credentials" http://localhost:8080/oauth/token
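The two-step flow from the question (token from /oauth/token, then /security with that token) using the Basic header form described in this answer, as an added example that is not part of the original question or answers. It assumes the in-memory client from the question (my-client / password), a server on localhost:8080, and a JSON token response that contains access_token; the function names are mine.

```shell
#!/bin/sh
# Added example: client_credentials token request, then a call to the
# protected /security endpoint. Assumes the question's in-memory client
# ("my-client" / "password") and a local server on port 8080.

# Build the HTTP Basic header value from client_id and client_secret.
# The header carries base64(client_id ":" client_secret), not the user's
# login, which is why "--user root:password" produces invalid_client.
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Pull access_token out of the JSON token response without a JSON parser.
extract_access_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Full flow: obtain a token, then present it as a Bearer token.
oauth_demo() {
    base_url="${1:-http://localhost:8080}"
    header="$(basic_auth_header my-client password)"
    response="$(curl -s -H "Authorization: $header" \
        --data 'grant_type=client_credentials' "$base_url/oauth/token")"
    token="$(extract_access_token "$response")"
    if [ -z "$token" ]; then
        echo "token request failed: $response" >&2
        return 1
    fi
    curl -s -H "Authorization: Bearer $token" "$base_url/security"
}

# Only touch the network when explicitly asked, so the helpers can be sourced.
if [ -n "${OAUTH_DEMO_RUN:-}" ]; then
    oauth_demo "$@"
fi
```

Run it with `OAUTH_DEMO_RUN=1 sh oauth_demo.sh` against the local server. Keeping the client secret in the Authorization header rather than in the query string also keeps it out of URL access logs.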
