令牌URL因Spring Security OAuth2而失败
[英]Token URL fails with spring security oauth2
问题描述
I'm trying to get a oauth2 configuration for securing my webapp and only allowing trusted clients with provided user credentials to access the app. 
我正在尝试获取oauth2配置以保护我的Web应用程序,并仅允许具有提供的用户凭据的受信任客户端访问该应用程序。
This is what I have so far 这就是我到目前为止
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
<http request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<!-- <anonymous enabled="false" /> -->
<intercept-url pattern="/api/register/.*" access="ROLE_CLIENT" />
<intercept-url pattern="/api/.*" access="ROLE_USER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="qeep" />
</bean>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="qeep/client" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="qeepUserDetailsService" />
</authentication-manager>
<bean id="myUserDetailsService" class="com.example.core.web.rest.auth.QeepUserDetailsService"/>
<bean id="tokenStore" class="com.example.core.web.rest.auth.QeepTokenStore" />
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" />
</oauth:client-details-service>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
If I access /oauth/token using curl, I get a client authorization request which I get through using the configured client credentials. 如果我使用curl访问/oauth/token ,我将收到一个客户端授权请求,该请求通过使用配置的客户端凭据来完成。 But after this /oauth/token only returns 404 - Not found . 但是在此之后/oauth/token仅返回404 - Not found 。 I've tried different stuff for the last hours without any success. 在过去的几个小时里,我尝试了不同的方法,但没有成功。
I extracted the configuration from the sparklr/tonr sample of oauth2 1.0.5 which I used because we are still on spring 3.2. 我从oauth2 1.0.5的sparklr / tonr样本中提取了配置,我使用了它,因为我们仍在Spring 3.2上。
The same test works fine in the sparklr-Sample-webapp. 相同的测试在sparklr-Sample-webapp中可以正常工作。
EDIT 编辑
The actual curl url is the following: 实际的curl网址如下:
curl -v -H "Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQtd2l0aC1zZWNyZXQ6c29tZXNlY3JldA==" "http://localhost:8084/core/oauth/token"
Without the Authorization-Header I get a 401 asking for the client authentication as configured ("my-trusted-client-with-secret" and "somesecret") but with the added authorization header I just get the 404 - Not found. 如果没有Authorization-Header,我会收到一个401,要求进行配置的客户端身份验证(“ my-trusted-client-with-secret”和“ somesecret”),但是添加了授权头后,我只会得到404-Not found。 If I test the same with the sparklr-Sample I get an error asking for the grant-type after adding the Basic-Auth-Header like above which is what I would expect. 如果我使用sparklr-Sample进行相同的测试,则在添加了如上所述的Basic-Auth-Header之后,出现了询问授权类型的错误,这是我所期望的。
I hope this makes a bit clearer. 我希望这可以使事情变得更清楚。
Any ideas what's wrong with my configuration? 任何想法我的配置有什么问题吗?
1 个解决方案
解决方案1
0 已采纳 2014-12-15 13:29:51
The DispatcherServlet was mapped to the wrong url, I broke it while trying to fix an issue which I had first. DispatcherServlet映射到错误的URL,在尝试解决我最初遇到的问题时将其断开。 The Dispatcher-Servlet is mapped to core/api and the token service first was mapped to core/api/oauth/token which I later changed to core/oauth/token but I forgot to change the DispatcherServlet. Dispatcher-Servlet映射到core/api ,令牌服务首先映射到core/api/oauth/token ,后来我更改为core/oauth/token但我忘记更改DispatcherServlet。 Thanks, Dave for the hint! 谢谢,戴夫的提示!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.