[英]403 response on a “refresh_token” request with Spring Security Rest in a Grails 3 application
I'm having some trouble making a "refresh_token" request with Spring Security Rest in a Grails 3 application. 我在Grails 3应用程序中使用Spring Security Rest发出“ refresh_token”请求时遇到麻烦。 I have an application with both a web front-end and some Rest endpoints, and everything else seems to be working fine. 我有一个同时具有Web前端和一些Rest终结点的应用程序,其他所有东西似乎都正常运行。 The web app behaves as expected and, when I make a login request via curl with 该Web应用程序的行为符合预期,并且当我通过curl发出登录请求时
curl -i -X POST localhost:8080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"johndoe", "password":"johndoepassword"}'
I get back the expected response (I have truncated the tokens): 我得到了预期的响应(我已将令牌截断了):
{
"username":"johndoe",
"roles":["ROLE_USER"],
"token_type":"Bearer",
"access_token":"eyJhbGciOiJIUzI1NiJ9.xxxxxx",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiJ9.xxxx"
}
In the actual application, I can add the access_token to the header and authenticate with no problem for the duration of the session. 在实际的应用程序中,我可以将access_token添加到标头中,并在会话持续时间内毫无问题地进行身份验证。 However, I get a 403 when I hit the "refresh token" endpoint with 但是,当我点击“刷新令牌”端点时,我得到403
curl -i -X POST localhost:8080/oauth/access_token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.xxxx"
This all seems pretty straightforward in the docs, but I'm obviously doing something wrong. 在文档中,这一切看起来都非常简单,但是我显然做错了什么。 Here's what I think is the relevant portion of my config file: 我认为这是我的配置文件的相关部分:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
[pattern: '/error', access: ['permitAll']],
[pattern: '/login', access: ['permitAll']],
[pattern: '/login/**', access: ['permitAll']],
[pattern: '/oauth/**', access: ['permitAll']],
[pattern: '/user/register', access: ['permitAll']],
[pattern: '/user/register/**', access: ['permitAll']],
[pattern: '/user/submitRegistration', access: ['permitAll']],
[pattern: '/logoff', access: ['permitAll']],
[pattern: '/shutdown', access: ['permitAll']],
[pattern: '/assets/**', access: ['permitAll']],
[pattern: '/**/js/**', access: ['permitAll']],
[pattern: '/**/css/**', access: ['permitAll']],
[pattern: '/**/images/**', access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/surveyAdmin/**', access: ['ROLE_ADMIN']] ,
[pattern: '/**', access: ['ROLE_USER']]
]
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none'],
[
pattern: '/api/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
],
[
pattern: '/rest/**',
filters: 'restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
],
[pattern: '/**', filters: 'JOINED_FILTERS']
]
Can anyone suggest a way through here? 有人可以建议通过这里的方法吗?
Thanks, Alex 谢谢,亚历克斯
As so often happens, I found the answer shortly after posting the question. 通常,我在发布问题后不久就找到了答案。 I'm using a custom user class that implements org.springframework.security.core.userdetails.UserDetails but does not extend org.springframework.security.core.userdetails.User. 我正在使用实现org.springframework.security.core.userdetails.UserDetails的自定义用户类,但不扩展org.springframework.security.core.userdetails.User。 The plugin assumes the principal can be cast to a "User" object, which was causing the user lookup/token generation to fail. 该插件假定可以将主体转换为“ User”对象,从而导致用户查找/令牌生成失败。 Either changing my custom class to extend User or overriding the refreshToken method in the plugin to accept my custom user class got things working. 更改我的自定义类以扩展User或覆盖插件中的refreshToken方法以接受我的自定义用户类都可以使工作正常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.