spring-oauth2：HTTP状态403-访问被拒绝

Question

I try to send a request to my rest-api with curl and spring security oauth2 but i get this error:

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test/oauth/token HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQ6MTIzNDU=
> Content-Length: 99
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 99 out of 99 bytes
< HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 1030
< Date: Wed, 09 Sep 2015 19:37:49 GMT
< 
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.20 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 403 - Access Denied</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>Access Denied</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><hr class="line"><h3>Apache Tomcat/8.0.20</h3></body><* Connection #0 to host localhost left intact

my request:

curl -X GET -k -vu my-trusted-client:12345 http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client&resource_id=rest_api"

a part of my code:

my oauth2serverconfiguration:

@Configuration
@EnableResourceServer
public class OAuth2ServerConfiguration {

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("USER")
                    .scopes("read", "write", "trust")
                    .resourceIds("rest_api")
                    .secret("12345")
                    .accessTokenValiditySeconds(600);
            // @formatter:on
        }
    }
}

my securityconfiguration class:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        //builder.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        security.authorizeRequests()
            .antMatchers("/oauth/token")
            .hasRole("USER")
            .antMatchers("/greeting").authenticated();
    }
}

My controller:

@Path("/oauth")
@Produces(MediaType.APPLICATION_JSON)
public class TestController {

    public TestController() {
        ApplicationContext applicationContext = new AnnotationConfigApplicationContext(OAuth2ServerConfiguration.class);
        AutowireCapableBeanFactory acbFactory = applicationContext.getAutowireCapableBeanFactory();
        acbFactory.autowireBean(this);
    }

    @GET
    @Path("/token")
    public Response testToken() {

        return Response.status(200).entity("is working \n").build();
    }
}

Spring has already generate the refresh_token but i don't get the access_token can somebody help me? What is false? My code or my request?

Thank.

Answer 1

You are using grant_type=password parameter, means you want to use Resource Owner flow.

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

            Figure 5: Resource Owner Password Credentials Flow

   The flow illustrated in Figure 5 includes the following steps:

   (A)  The resource owner provides the client with its username and
        password.

   (B)  The client requests an access token from the authorization
        server's token endpoint by including the credentials received
        from the resource owner.  When making the request, the client
        authenticates with the authorization server.

   (C)  The authorization server authenticates the client and validates
        the resource owner credentials, and if valid, issues an access
        token.

You have to include the username and password of the user for this flow, not only your client_id and client_secret.

From the code you have not setup autentication manager for the user. Try adding this in your SecurityConfiguration class.

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
    auth
            .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
}

Test it

curl -X GET -k -vu user:password http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client"