具有弹簧安全性的OAuth2-InsufficientAuthenticationException
[英]OAuth2 with Spring Security - InsufficientAuthenticationException
问题描述
i am currently working on a project involving spring security (for OAuth2). 
我目前正在从事一个涉及Spring Security(用于OAuth2)的项目。
We are using the authorization_code flow. 我们正在使用authorization_code流。
However when the client hits the AuthorizationEndpoint (/oauth/authorize) we get an "InsufficientAuthenticationException". 但是,当客户端访问AuthorizationEndpoint(/ oauth / authorize)时,我们会收到“ InsufficientAuthenticationException”。 This may be due to an external system which is also involved in this flow which performs a redirect for the client, sending him to the /oauth/authorize endpoint. 这可能是由于此流程中还涉及外部系统,该系统为客户端执行重定向,将其发送到/ oauth / authorize端点。
From what I understand by looking through the debug logfile and from reading the source code, the principal is null which is used in the AuthorizationEndpoint.authorize method (specifically line 138, we are using spring-security-oauth2-2.0.7.RELEASE). 通过查看调试日志文件和阅读源代码,我了解到,principal为null,它在AuthorizationEndpoint.authorize方法中使用(特别是第138行,我们使用的是spring-security-oauth2-2.0.7.RELEASE) 。
I understand what spring's problem is at this point (it does not "know" the user who is already authenticated with the system) but I do not understand which information specifically spring uses to identify the user (I guess this would be my central question) 我了解此时的弹簧问题(它不“知道”已经通过系统验证的用户),但是我不了解弹簧专门用于识别用户的信息(我想这是我的中心问题)
I tried performing a GET against /oauth/authorize with the correct parameters and sending with the request the authorization header containing the bearer access token but spring always throws the InsufficientAuthenticationException. 我尝试使用正确的参数针对/ oauth / authorize执行GET并与请求一起发送包含承载访问令牌的授权标头,但是spring总是抛出InsufficientAuthenticationException。 I'm hoping somebody can help me with this. 我希望有人可以帮助我。
Best regards ps 最好的问候ps
1 个解决方案
解决方案1
0 已采纳 2015-05-08 21:22:19
I am going to answer my own question here for the sake of documentation. 为了文档起见,我将在这里回答我自己的问题。 TJ basically pointed me in the right direction. TJ基本上向我指出了正确的方向。
In my case, the InsufficientAuthenticationException stems from a slightly wrong setup of the whole stack. 就我而言,InsufficientAuthenticationException源于整个堆栈的设置略有错误。 For delivering the content to users an apache is used which also serves as a reverse proxy, truncating the root context of the application deployed on the tomcat behind it. 为了将内容交付给用户,使用了一个Apache,该Apache还用作反向代理,它截断了部署在其背后的tomcat上的应用程序的根上下文。
The answer which finally solved my problem can be found here . 最终解决了我的问题的答案可以在这里找到。 The problem actually was, that the session cookie contained an invalid path (the path attribute still contained the rootcontext, because tomcat has not been made aware that the apache in front of it is truncating the rootcontext to just "/".) So setting the path on tomcat side via setSessionCookie="/" in tomcat's context.xml did the trick. 问题实际上是,会话cookie包含无效路径(path属性仍包含rootcontext,因为tomcat尚未意识到前面的apache正在将rootcontext截断为“ /”。)通过tomcat的context.xml中的setSessionCookie =“ /”在tomcat侧的路径可以解决问题。
So, when a redirect hit spring's oauth/authorize endpoint it did so with a session cookie containing the wrong path. 因此,当重定向命中spring的oauth / authorize端点时,它使用包含错误路径的会话cookie进行了此操作。 because of this, for spring the request seemed to originate from an unauthenticated source, thus leaving me scratching my head about the InsufficientAuthenticationException. 因此,对于春季,该请求似乎源自未经身份验证的来源,因此使我为InsufficientAuthenticationException scratch之以鼻。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.