
403 response on a "refresh_token" request with Spring Security Rest in a Grails 3 application

I'm having some trouble making a "refresh_token" request with Spring Security Rest in a Grails 3 application. I have an application with both a web front-end and some Rest endpoints, and everything else seems to be working fine. The web app behaves as expected and, when I make a login request via curl with

curl -i -X POST localhost:8080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"johndoe", "password":"johndoepassword"}' 

I get back the expected response (I have truncated the tokens):

{
 "username":"johndoe",
 "roles":["ROLE_USER"],
 "token_type":"Bearer",
 "access_token":"eyJhbGciOiJIUzI1NiJ9.xxxxxx",
 "expires_in":3600,
 "refresh_token":"eyJhbGciOiJIUzI1NiJ9.xxxx"
}

In the actual application, I can add the access_token to the header and authenticate with no problem for the duration of the session. However, I get a 403 when I hit the "refresh token" endpoint with

curl -i -X POST localhost:8080/oauth/access_token \
-H "Content-Type: application/x-www-form-urlencoded"  \
-d "grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.xxxx" 

This all seems pretty straightforward in the docs, but I'm obviously doing something wrong. Here's what I think is the relevant portion of my config file:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/error',                   access: ['permitAll']],
    [pattern: '/login',                   access: ['permitAll']],
    [pattern: '/login/**',                access: ['permitAll']],
    [pattern: '/oauth/**',                access: ['permitAll']],
    [pattern: '/user/register',           access: ['permitAll']],
    [pattern: '/user/register/**',        access: ['permitAll']],
    [pattern: '/user/submitRegistration', access: ['permitAll']],
    [pattern: '/logoff',                  access: ['permitAll']],
    [pattern: '/shutdown',                access: ['permitAll']],
    [pattern: '/assets/**',               access: ['permitAll']],
    [pattern: '/**/js/**',                access: ['permitAll']],
    [pattern: '/**/css/**',               access: ['permitAll']],
    [pattern: '/**/images/**',            access: ['permitAll']],
    [pattern: '/**/favicon.ico',          access: ['permitAll']],
    [pattern: '/surveyAdmin/**',          access: ['ROLE_ADMIN']],
    [pattern: '/**',                      access: ['ROLE_USER']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],

    [
            pattern: '/api/**',
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ],

    [
            pattern: '/rest/**',
            filters: 'restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
    ],
    [pattern: '/**',             filters: 'JOINED_FILTERS']
]

Can anyone suggest a way through here?

Thanks, Alex

As so often happens, I found the answer shortly after posting the question. I'm using a custom user class that implements org.springframework.security.core.userdetails.UserDetails but does not extend org.springframework.security.core.userdetails.User. The plugin assumes the principal can be cast to a "User" object, which was causing the user lookup/token generation to fail. Either changing my custom class to extend User or overriding the refreshToken method in the plugin to accept my custom user class got things working.
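To make the answer concrete, the following Groovy is an added illustration and not code from the question, the answer, or the Spring Security Rest plugin. It contrasts the two user-class shapes the answer describes: a class that only implements the UserDetails interface satisfies every UserDetails caller but is not a User, so a `(User) principal` cast throws ClassCastException, which is what surfaces as the opaque 403 on the refresh endpoint; a class that extends User passes the same cast. The class names (`SurveyUserDetailsOnly`, `SurveyUser`), the `id` field and the `requireUserPrincipal` helper are assumptions for the illustration; the constructor signatures of org.springframework.security.core.userdetails.User are the real ones.

```groovy
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetails

// Shape 1 (assumed to mirror the question's custom class): implements UserDetails
// only. Every UserDetails method is present, but the object is not a User, so any
// code that performs `(User) principal` fails with ClassCastException.
class SurveyUserDetailsOnly implements UserDetails {
    final String username
    final String password
    final Long id                                   // hypothetical extra field
    final Collection<GrantedAuthority> authorities

    SurveyUserDetailsOnly(String username, String password, Long id,
                          Collection<GrantedAuthority> authorities) {
        this.username = username
        this.password = password
        this.id = id
        this.authorities = authorities
    }

    boolean isAccountNonExpired() { true }
    boolean isAccountNonLocked() { true }
    boolean isCredentialsNonExpired() { true }
    boolean isEnabled() { true }
}

// Shape 2 (the fix from the answer): extend User, delegate to its 7-argument
// constructor and add the extra field. The cast now succeeds, and the account
// state flags that User already tracks come for free.
class SurveyUser extends User {
    final Long id                                   // hypothetical extra field

    SurveyUser(String username, String password, boolean enabled,
               boolean accountNonExpired, boolean credentialsNonExpired,
               boolean accountNonLocked,
               Collection<? extends GrantedAuthority> authorities, Long id) {
        super(username, password, enabled, accountNonExpired,
              credentialsNonExpired, accountNonLocked, authorities)
        this.id = id
    }
}

// Defensive check (hypothetical helper) that a token-refresh path can make before
// casting: reject an unexpected principal type with a descriptive error instead of
// letting a ClassCastException surface as an unexplained 403.
User requireUserPrincipal(Object principal) {
    if (!(principal instanceof User)) {
        throw new IllegalStateException(
            "Principal of type ${principal?.getClass()?.name} is not a ${User.name}; " +
            "custom UserDetails classes used with token refresh must extend User")
    }
    (User) principal
}

// Exercise both shapes with constructed sample data.
def authorities = [new SimpleGrantedAuthority('ROLE_USER')]
def broken = new SurveyUserDetailsOnly('johndoe', 'n/a', 42L, authorities)
def fixed  = new SurveyUser('johndoe', 'n/a', true, true, true, true, authorities, 42L)

assert requireUserPrincipal(fixed).username == 'johndoe'
try {
    requireUserPrincipal(broken)
    assert false : 'expected the UserDetails-only principal to be rejected'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}
```

For reference, the spring-security-core plugin's default principal class, grails.plugin.springsecurity.userdetails.GrailsUser, extends User, which is why a stock setup does not run into this; the problem appears only when a custom UserDetails implementation replaces it. Whichever of the two fixes from the answer you pick, an explicit type check like the one above turns a silent cast failure into an error message that names the offending class, which is considerably easier to diagnose than a bare 403.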
