
Spring Security OAuth2 Not Working Without JWT

I'm trying to implement the OAuth2 example from the Spring Security and Angular JS tutorial, but I am having an issue getting it working without JWT. The code for the example can be found here.

I have made the following modifications to the example to attempt to get it working without JWT.

/resource/src/main/resources/application.properties

server.port: 9998
server.contextPath: /resource
logging.level.org.springframework.security: DEBUG
#spring.oauth2.resource.jwt.keyValue: -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnGp/Q5lh0P8nPL21oMMrt2RrkT9AW5jgYwLfSUnJVc9G6uR3cXRRDCjHqWU5WYwivcF180A6CWp/ireQFFBNowgc5XaA0kPpzEtgsA5YsNX7iSnUibB004iBTfU9hZ2Rbsc8cWqynT0RyN4TP1RYVSeVKvMQk4GT1r7JCEC+TNu1ELmbNwMQyzKjsfBXyIOCFU/E94ktvsTZUHF4Oq44DBylCDsS1k7/sfZC2G5EU7Oz0mhG8+Uz6MSEQHtoIi6mc8u64Rwi3Z3tscuWG2ShtsUFuNSAFNkY7LkLn+/hxLCu2bNISMaESa8dG22CIMuIeRLVcAmEWEWH5EEforTg+QIDAQAB\n-----END PUBLIC KEY-----

Commented out the property for the jwt keyValue.

/ui/src/main/resources/application.yml

security:
  user:
    password: none
  oauth2:
    client:
      accessTokenUri: http://localhost:9999/uaa/oauth/token
      userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
      clientId: acme
      clientSecret: acmesecret
    resource:
      userInfoUri: http://localhost:9999/uaa/user
#      jwt:
#        keyValue: |
#          -----BEGIN PUBLIC KEY-----
#          #MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnGp/Q5lh0P8nPL21oMMrt2RrkT9AW5jgYwLfSUnJVc9G6uR3cXRRDCjHqWU5WYwivcF180A6CWp/ireQFFBNowgc5XaA0kPpzEtgsA5YsNX7iSnUibB004iBTfU9hZ2Rbsc8cWqynT0RyN4TP1RYVSeVKvMQk4GT1r7JCEC+TNu1ELmbNwMQyzKjsfBXyIOCFU/E94ktvsTZUHF4Oq44DBylCDsS1k7/sfZC2G5EU7Oz0mhG8+Uz6MSEQHtoIi6mc8u64Rwi3Z3tscuWG2ShtsUFuNSAFNkY7LkLn+/hxLCu2bNISMaESa8dG22CIMuIeRLVcAmEWEWH5EEforTg+QIDAQAB
#          -----END PUBLIC KEY-----
zuul:
  routes:
    resource:
      path: /resource/**
      url: http://localhost:9000/resource
    user:
      path: /user/**
      url: http://localhost:9999/uaa/user

logging:
  level:
    org.springframework.security: DEBUG

Commented out the jwt property and replaced with:

userInfoUri: http://localhost:9999/uaa/user

/authserver/src/main/java/demo/AuthserverApplication.java

@SpringBootApplication
@Controller
@SessionAttributes("authorizationRequest")
@EnableResourceServer
public class AuthserverApplication extends WebMvcConfigurerAdapter {

    @RequestMapping("/user")
    @ResponseBody
    public Principal user(Principal user) {
        return user;
    }

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/oauth/confirm_access").setViewName("authorize");
    }

    public static void main(String[] args) {
        SpringApplication.run(AuthserverApplication.class, args);
    }

    @Configuration
    @Order(-20)
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .formLogin().loginPage("/login").permitAll()
            .and()
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
            .and()
                .authorizeRequests().anyRequest().authenticated();
            // @formatter:on
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.parentAuthenticationManager(authenticationManager);
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2AuthorizationConfig extends
            AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

//        @Bean
//        public JwtAccessTokenConverter jwtAccessTokenConverter() {
//            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
//            KeyPair keyPair = new KeyStoreKeyFactory(
//                    new ClassPathResource("keystore.jks"), "foobar".toCharArray())
//                    .getKeyPair("test");
//            converter.setKeyPair(keyPair);
//            return converter;
//        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                    .withClient("acme")
                    .secret("acmesecret")
                    .authorizedGrantTypes("authorization_code", "refresh_token",
                            "password").scopes("openid");
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authenticationManager(authenticationManager);
//            .accessTokenConverter(jwtAccessTokenConverter());
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer)
                throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
                    "isAuthenticated()");
        }

    }
}

Commented out the jwtAccessTokenConverter() method and removed it from configure(AuthorizationServerEndpointsConfigurer endpoints).

When I try running the application it works fine up until the point where I have to authorize "acme" access to protected resources. When I click Approve I get a 401 and an error page that says "Authentication Failed: Could not obtain access token".

This is caused by the POST request to http://localhost:9999/uaa/oauth/authorize which fails and then redirects to http://localhost:8080/login?error=access_denied&error_description=User%20denied%20access&state=lsb7Ik

Here are the following logs from the API Gateway and the OAuth2 servers.

API Gateway Application

2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6b29d520. A new one will be created.
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@24905eb7
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2015-11-19 12:04:24.561 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 5 of 13 in additional filter chain; firing Filter: 'CsrfHeaderFilter'
2015-11-19 12:04:24.562 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2015-11-19 12:04:24.562 DEBUG 41956 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
2015-11-19 12:04:24.562 DEBUG 41956 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /login?error=access_denied&error_description=User%20denied%20access&state=ksNKYy at position 7 of 13 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2015-11-19 12:04:24.562 DEBUG 41956 --- [nio-8080-exec-6] uth2ClientAuthenticationProcessingFilter : Request is to process authentication
2015-11-19 12:04:24.564 DEBUG 41956 --- [nio-8080-exec-6] g.c.AuthorizationCodeAccessTokenProvider : Encoding and sending form: {response_type=[code], client_id=[acme], scope=[null], state=[ksNKYy], redirect_uri=[http://localhost:8080/login]}
2015-11-19 12:04:24.571  WARN 41956 --- [nio-8080-exec-6] o.s.web.client.RestTemplate              : POST request for "http://localhost:9999/uaa/oauth/authorize" resulted in 403 (Forbidden); invoking error handler
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] uth2ClientAuthenticationProcessingFilter : Updated SecurityContextHolder to contain null Authentication
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] uth2ClientAuthenticationProcessingFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@489090b4
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] .a.SimpleUrlAuthenticationFailureHandler : No failure URL set, sending 401 Unauthorized error
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-11-19 12:04:24.575 DEBUG 41956 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-11-19 12:04:24.576 DEBUG 41956 --- [nio-8080-exec-6] o.s.b.a.e.mvc.EndpointHandlerMapping     : Looking up handler method for path /error
2015-11-19 12:04:24.577 DEBUG 41956 --- [nio-8080-exec-6] o.s.b.a.e.mvc.EndpointHandlerMapping     : Did not find handler method for [/error]

OAuth2 Application

2015-11-19 12:04:24.546 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-19 12:04:24.546 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-11-19 12:04:24.546 DEBUG 41954 --- [nio-9999-exec-2] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fb75c5f1: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb75c5f1: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 010CF170666FD7398D2E42E4431924B1; Granted Authorities: ROLE_ADMIN, ROLE_USER'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@335f832b
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/logout'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/login'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb75c5f1: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 010CF170666FD7398D2E42E4431924B1; Granted Authorities: ROLE_ADMIN, ROLE_USER'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /oauth/authorize; Attributes: [authenticated]
2015-11-19 12:04:24.547 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb75c5f1: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 010CF170666FD7398D2E42E4431924B1; Granted Authorities: ROLE_ADMIN, ROLE_USER
2015-11-19 12:04:24.548 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@54fdd60d, returned: 1
2015-11-19 12:04:24.548 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2015-11-19 12:04:24.548 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2015-11-19 12:04:24.548 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize reached end of additional filter chain; proceeding with original chain
2015-11-19 12:04:24.549 DEBUG 41954 --- [nio-9999-exec-2] .s.o.p.e.FrameworkEndpointHandlerMapping : Looking up handler method for path /oauth/authorize
2015-11-19 12:04:24.550 DEBUG 41954 --- [nio-9999-exec-2] .s.o.p.e.FrameworkEndpointHandlerMapping : Returning handler method [public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)]
2015-11-19 12:04:24.552 DEBUG 41954 --- [nio-9999-exec-2] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2015-11-19 12:04:24.553 DEBUG 41954 --- [nio-9999-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-11-19 12:04:24.567 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/css/**'
2015-11-19 12:04:24.567 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/js/**'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/images/**'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/**/favicon.ico'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/error'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@335f832b
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:9999/uaa/oauth/authorize
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

I suspected it was failing because of the "Invalid CSRF token found for http://localhost:9999/uaa/oauth/authorize" on the OAuth server, but after disabling csrf protection in the http security the same error still exists. Not sure why CSRF would be the problem after removing JWT from the equation.

Any help would be greatly appreciated. Thanks.
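Added example, not part of the original question: a small Python triage script that pairs the gateway's failed RestTemplate call with the auth server's CsrfFilter rejection and reports whether the rejected request carried a session. The sample lines are constructed by abridging the two logs quoted above; the function names and the 50 ms matching window are assumptions, and both services are assumed to share a clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines abridged from the two logs quoted in the question.
GATEWAY_LOG = """\
2015-11-19 12:04:24.571  WARN 41956 --- [nio-8080-exec-6] o.s.web.client.RestTemplate              : POST request for "http://localhost:9999/uaa/oauth/authorize" resulted in 403 (Forbidden); invoking error handler
"""
AUTH_LOG = """\
2015-11-19 12:04:24.546 DEBUG 41954 --- [nio-9999-exec-2] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-19 12:04:24.546 DEBUG 41954 --- [nio-9999-exec-2] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '...'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /oauth/authorize at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2015-11-19 12:04:24.568 DEBUG 41954 --- [nio-9999-exec-4] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:9999/uaa/oauth/authorize
"""

# Spring Boot console layout: timestamp, level, pid, ---, [thread], logger, ":", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<level>[A-Z]+)\s+\d+ --- "
    r"\[\s*(?P<thread>[^\]]+)\] (?P<logger>\S+)\s*: (?P<msg>.*)$")
CLIENT_RE = re.compile(r'[A-Z]+ request for "(?P<url>[^"]+)" resulted in (?P<status>\d{3})')
CSRF_PREFIX = "Invalid CSRF token found for "

def parse(text):
    """Yield one dict per line that matches the console layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield rec

def client_failures(text):
    """Outbound calls that the gateway's RestTemplate logged as 4xx/5xx."""
    out = []
    for rec in parse(text):
        m = CLIENT_RE.search(rec["msg"])
        if m and rec["logger"].endswith("RestTemplate") and int(m["status"]) >= 400:
            out.append({"ts": rec["ts"], "url": m["url"], "status": int(m["status"])})
    return out

def csrf_rejections(text):
    """CsrfFilter rejections, each tagged with whether that request had a session."""
    state, out = {}, []  # thread -> True / False / None for the request in progress
    for rec in parse(text):
        thread, msg = rec["thread"], rec["msg"]
        if " at position 1 of " in msg:            # a new request starts on this thread
            state[thread] = None
        elif msg.startswith("No HttpSession currently exists"):
            state[thread] = False
        elif msg.startswith("Obtained a valid SecurityContext"):
            state[thread] = True
        elif rec["logger"].endswith("CsrfFilter") and msg.startswith(CSRF_PREFIX):
            out.append({"ts": rec["ts"], "thread": thread,
                        "url": msg[len(CSRF_PREFIX):].strip(),
                        "had_session": state.get(thread)})
    return out

def correlate(gateway_text, auth_text, window=timedelta(milliseconds=50)):
    """Pair each failed gateway call with a CSRF rejection of the same URL just before it."""
    return [(f, r) for f in client_failures(gateway_text)
            for r in csrf_rejections(auth_text)
            if r["url"] == f["url"] and timedelta(0) <= f["ts"] - r["ts"] <= window]

if __name__ == "__main__":
    for fail, rej in correlate(GATEWAY_LOG, AUTH_LOG):
        print(f'{fail["status"]} on {fail["url"]} <- CsrfFilter on {rej["thread"]}, '
              f'session present: {rej["had_session"]}')
```

On the sample, the rejected request is the session-less one on nio-9999-exec-4, which lines up with the gateway's 403, while the browser request on nio-9999-exec-2 is not flagged.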

I had a similar problem, and it was that I hadn't set the context path to /uaa for the auth server. My suggestion is to start from an identical copy of 'Spring Security and Angular JS' and then move in small steps towards your custom solution. After each step, run the examples and see whether everything still works. This way you can easily catch what caused the problem.
